bogosec

Language: en


Version: Jan 25 2005 (ubuntu - 07/07/09)

Section: 1 (User commands)

NAME

bogosec - source-code security quality metric using established static source-code scanners

SYNOPSIS

bogosec [-l] [--log-dir directory ] [--min-sev 0-10 ] [--nhf] [-p plugin_name [args] ] [--plugin-dir directory ] [--sev-range-max num ] [--timeout num ] [--temp-log-dir directory ] [-v 0|1 ] [--xp plugin_name ] [--xv vuln_list ] TARGET

DESCRIPTION

BogoSec attempts to influence developers to produce more secure source-code over time. Various existing scanners point developers to potentially insecure sections of code. BogoSec broadens the scope of source-code scans by utilizing multiple independent scanners and compiling the results into high level calculated metrics. These metrics can help developers and users alike to comparatively judge the security quality of source-code.

OPTIONS

-l
Turn on scanner output logging. The log file will be called <scanner_name>.log and created in the current working directory, unless --log-dir is used to specify a different location.
--log-dir directory
Specify a directory for scanner output logs (only makes sense if -l is also used). Default is current working directory.
--min-sev minimum_severity_level
Specify a minimum severity level. Any vulnerabilities reported by the scanners whose score falls below this number will be ignored. The argument must be a number 0-10. Default is 0.
--nhf, --no-header-files
Do not scan header files. Useful if the scanners being used do not support scanning header files.
-p, --plugin plugin_name [args]
Specify a plugin to use. If no plugins are defined on the command line, all of the plugins in the plugins_dir will be used. This option can be passed more than once, to specify a set of scanners to use. Each scanner requires a separate instance of the --plugin flag (please see examples). Optionally, a set of command line arguments can be passed to the scanner -- this feature must be used with care. Keep in mind that the plugin requires a certain formatting of the scanner output (for example, '-SQ' is always passed to flawfinder, and '-w 3' is always passed to rats). You can pass additional command line arguments using this option, but be aware of the effect it might have on the formatting of the scanner output, and the effect that will have on the plugin's ability to parse it correctly. If you must change the defaults ('-SQ', '-w 3', etc.) you must edit the plugin directly.
--plugin-dir directory
Specify the directory where the plugins are stored. Default is /usr/lib/bogosec/plugins.
--sev-range-max number
Specify the maximum severity value to be used in calculating the severity value range. The default is 10. For example, setting --sev-range-max to 50 would mean that the severity results would now be on a scale of 0-50 instead of on a scale of 0-10. This can be used to scale the result if more granularity is required. NOTE: -v 1 will not work if this option is used.
--timeout number
Specify the CPU time limit in seconds. Some scanners might hang; to overcome this problem you may set the timeout to an appropriate period after which the scanner process is killed. For example, setting --timeout 60 will kill any remaining scanner processes after 60 seconds and return control to the main bogosec process. This option uses the ulimit command; please refer to the ulimit manpage for additional information.
--temp-log-dir directory
Specify a directory where you want the temporary files used by BogoSec to be stored (scanner output logs, etc.). The default is /tmp/.
-v, --verbosity 0|1
Specify verbosity level (default is 0). If 1, then a graph of the severity points is shown, which breaks the results down by severity levels. This option does not work if the --sev-range-max is changed from 10.
--xp, --exclude-plugin plugin_name
Do not run plugin defined by plugin_name.
--xv, --exclude-vuln vuln_list
Exclude the vulnerabilities in vuln_list from the final bogosec calculation. vuln_list is a ":"-separated list of vulnerability identifiers.
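The following Python model is added here to illustrate how the filtering options above (--min-sev, --xv, --nhf) and the --sev-range-max scaling combine before a score is computed; it is not part of this man page or of the BogoSec code. The one-hit-per-line flawfinder output format it parses (the form produced with -S), the sample scanner lines, and the use of a plain mean as the aggregate are all assumptions made for the illustration; the man page does not define BogoSec's actual metric.

```python
"""Illustrative model of BogoSec-style severity filtering and scaling.

Assumptions (not from the bogosec man page): the flawfinder single-line
format below, the constructed sample findings, and the mean-severity
aggregate used by score().
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed layout of one flawfinder -S hit:
#   path:line:  [severity] (category) name: message
_FLAWFINDER_LINE = re.compile(
    r"^(?P<path>.+?):(?P<line>\d+):\s+\[(?P<sev>\d+)\]\s+"
    r"\((?P<cat>[^)]+)\)\s+(?P<name>[^:\s]+):"
)


@dataclass(frozen=True)
class Finding:
    scanner: str    # plugin that reported the hit, e.g. "flawfinder" or "rats"
    path: str       # source file the hit refers to
    line: int
    vuln_id: str    # identifier that --xv matches against (here: flagged name)
    severity: int   # 0-10 as reported by the scanner


def parse_flawfinder_line(text, scanner="flawfinder"):
    """Return a Finding for one single-line flawfinder hit, or None."""
    m = _FLAWFINDER_LINE.match(text)
    if not m:
        return None
    return Finding(scanner, m["path"], int(m["line"]), m["name"], int(m["sev"]))


# Constructed sample output in the assumed format; not real scanner output.
SAMPLE_OUTPUT = """\
src/main.c:32:  [5] (buffer) gets: Does not check for buffer overflows.
src/main.c:40:  [4] (buffer) strcpy: Does not check for buffer overflows when copying.
src/util.h:12:  [2] (buffer) char: Statically-sized arrays can be improperly restricted.
src/util.c:77:  [1] (buffer) read: Check buffer boundaries if used in a loop.
"""


def parse_vuln_list(vuln_list):
    """--xv takes a ':'-separated list of identifiers; empty items are dropped."""
    return [v for v in vuln_list.split(":") if v]


def is_header_file(path):
    """Files skipped when --nhf / --no-header-files is given (assumed suffixes)."""
    return path.endswith((".h", ".hh", ".hpp", ".hxx"))


def filter_findings(findings, min_sev=0, exclude_vulns=(), no_header_files=False):
    """Apply --min-sev, --xv and --nhf in the order a practitioner would expect."""
    kept = []
    for f in findings:
        if f.severity < min_sev:            # --min-sev: ignore low-scoring hits
            continue
        if f.vuln_id in exclude_vulns:      # --xv: excluded identifiers
            continue
        if no_header_files and is_header_file(f.path):   # --nhf
            continue
        kept.append(f)
    return kept


def scale_severity(severity, sev_range_max=10):
    """--sev-range-max: map the scanner's 0-10 score onto 0-sev_range_max."""
    return severity * sev_range_max / 10


def severity_graph(findings):
    """-v 1 style breakdown: hit counts per severity level on the fixed 0-10 scale."""
    counts = Counter(f.severity for f in findings)
    return {sev: counts.get(sev, 0) for sev in range(11)}


def score(findings, sev_range_max=10):
    """Assumed aggregate: mean of the scaled severities (0.0 when nothing remains)."""
    if not findings:
        return 0.0
    return sum(scale_severity(f.severity, sev_range_max) for f in findings) / len(findings)


if __name__ == "__main__":
    hits = [f for f in map(parse_flawfinder_line, SAMPLE_OUTPUT.splitlines()) if f]
    kept = filter_findings(hits, min_sev=2, exclude_vulns=parse_vuln_list("gets"),
                           no_header_files=True)
    print("kept:", [(f.path, f.line, f.vuln_id, f.severity) for f in kept])
    print("score (0-10):", score(kept))
    print("score (0-50):", score(kept, sev_range_max=50))
    print("graph:", severity_graph(hits))
```

Each option is a separate function so that the effect of a single flag can be checked in isolation; note that severity_graph() keeps the fixed 0-10 buckets, which is why the man page says -v 1 does not work once --sev-range-max is changed.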

TOOLS

bogosec_wrapper provides a method to run bogosec automatically on a directory containing multiple targets. Please refer to bogosec_wrapper man page for additional information.

FILES

/etc/bogosec.conf
Global configuration file. The settings here are overwritten by any settings in the user's ~/.bogosecrc file.
~/.bogosecrc
Default user configuration file (overrides the settings in /etc/bogosec.conf). This file is not created during an installation, you must create it yourself.
/usr/lib/bogosec/plugins/
Default plugins directory. Can be changed with --plugin-dir option. Plugins must be executable, and must end in .pm as per convention.
/usr/lib/bogosec/documents/
Directory of BogoSec documentation and other germane documents.

SCANNERS

FlawFinder : http://www.dwheeler.com/flawfinder
RATS : http://www.securesoftware.com/resources/tools.html

BUGS

Not all input is validated. Not all environment variables are checked. This program expects to be run by trusted users.

AUTHORS

Developed by Dustin Kirkland, Agoston Petz, and Loulwa Salem at the IBM Linux Technology Center.
http://sourceforge.net/projects/bogosec/