Provided by: bogosec_2.3-0ubuntu1_amd64

NAME

       bogosec  -  source-code  security  quality  metric  using  established  static source-code
       scanners

SYNOPSIS

       bogosec [-l] [--log-dir directory ] [--min-sev 0-10 ] [--nhf]  [-p  plugin_name  [args]  ]
       [--plugin-dir  directory  ]  [--sev-range-max  num  ]  [--timeout  num  ]  [--temp-log-dir
       directory ] [-v 0|1 ] [--xp plugin_name ] [--xv vuln_list ] TARGET

DESCRIPTION

       BogoSec attempts to influence developers to produce more  secure  source-code  over  time.
       Various  existing  scanners  point  developers  to  potentially insecure sections of code.
       BogoSec broadens the scope of source-code scans by utilizing multiple independent scanners
       and  compiling  the  results  into  high level calculated metrics.  These metrics can help
       developers and users alike to comparatively judge the security quality of source-code.

OPTIONS

       -l     Turn on scanner output logging. The log will be called <scanner_name>.log and created
              in the current working directory, unless --log-dir is used to specify a different
              location.

       --log-dir directory
              Specify a directory for scanner output logs (only makes sense if -l is also  used).
              Default is current working directory.

       --min-sev minimum_severity_level
              Specify  a  minimum  severity  level.  Any vulnerabilities reported by the scanners
              whose score falls below this number will be ignored.  The argument must be a number
              0-10.  Default is 0.

       --nhf, --no-header-files
              Do  not  scan  header  files.   Useful  if  the  scanners being used do not support
              scanning header files.

       -p, --plugin plugin_name [args]
              Specify a plugin to use. If no plugins are defined on the command line, all of  the
              plugins  in the plugins_dir will be used. This option can be passed more than once,
              to specify a set of scanners to use. Each scanner requires a separate  instance  of
              the  --plugin  flag  (please  see  examples).  Optionally,  a  set  of command line
              arguments can be passed to the scanner -- this feature  must  be  used  with  care.
              Keep  in  mind  that the plugin requires a certain formatting of the scanner output
              (for example, '-SQ' is always passed to flawfinder, and '-w 3' is always passed  to
              rats).   You  can  pass additional command line arguments using this option, but be
              aware of the effect it might have on the formatting of the scanner output, and  the
              effect  that  will have on the plugin's ability to parse it correctly.  If you must
              change the defaults ('-SQ', '-w 3', etc.) you must edit the plugin directly.

       --plugin-dir directory
              Specify   the   directory   where   the   plugins   are   stored.     Default    is
              /usr/lib/bogosec/plugins.

       --sev-range-max number
              Specify  the  maximum  severity  value to be used in calculating the severity value
              range.  The default is 10.  For example, setting --sev-range-max to 50  would  mean
              that  the severity results would now be on a scale of 0-50 instead of on a scale of
              0-10.  This can be used to scale the result if more granularity is required.  NOTE:
              -v 1 will not work if this option is used.

       --timeout number
              Specify the CPU time limit in seconds. Some scanners might hang; to overcome this
              problem you may set the timeout to an appropriate period after which the scanner
              process is killed. For example, setting --timeout 60 will kill any remaining scanner
              processes after 60 seconds and return control to the main bogosec process. This
              option uses the ulimit command; please refer to the ulimit manpage for additional
              information.
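       The following is an added example, not part of bogosec or of this manpage, showing the
       mechanism --timeout is described as using: the limit is applied in the child with the
       equivalent of ulimit -t so that only the scanner, never the calling process, is affected.
       It also adds a wall-clock backstop, because a CPU-time limit never fires for a scanner that
       is blocked rather than busy. Function and class names are this example's own assumptions;
       it assumes a POSIX host where Python's resource module is available.

```python
"""Run a scanner under a CPU-time ceiling (the ulimit -t technique) plus a
wall-clock backstop.  Added example; not bogosec's own code."""
import resource
import signal
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class ScanResult:
    returncode: int
    stdout: str
    killed: bool   # True if the scanner did not finish on its own
    reason: str    # "ok", "cpu-limit" or "wall-clock"


def _cpu_limit_preexec(cpu_seconds):
    """Build the function run in the child between fork() and exec().

    Setting RLIMIT_CPU there is the same as `( ulimit -t N; exec scanner )`:
    the limit lives and dies with the scanner process.  The soft limit sends
    SIGXCPU; the hard limit, a few seconds later, sends SIGKILL if the scanner
    chose to ignore SIGXCPU."""
    def preexec():
        _, hard = resource.getrlimit(resource.RLIMIT_CPU)
        new_hard = cpu_seconds + 5
        if hard != resource.RLIM_INFINITY:
            new_hard = min(new_hard, hard)       # a process may only lower its hard limit
        resource.setrlimit(resource.RLIMIT_CPU, (min(cpu_seconds, new_hard), new_hard))
    return preexec


def run_with_limits(cmd, cpu_seconds=60, wall_seconds=None):
    """Run cmd (a list, as for subprocess) with a CPU-time ceiling and a
    wall-clock ceiling; the latter defaults to a little more than the former."""
    if wall_seconds is None:
        wall_seconds = cpu_seconds * 2 + 5
    try:
        proc = subprocess.run(
            cmd, capture_output=True, text=True, timeout=wall_seconds,
            preexec_fn=_cpu_limit_preexec(cpu_seconds),
        )
    except subprocess.TimeoutExpired as exc:
        # subprocess.run has already killed the child at this point.
        out = exc.stdout
        if isinstance(out, bytes):
            out = out.decode(errors="replace")
        return ScanResult(-1, out or "", True, "wall-clock")
    if proc.returncode < 0 and -proc.returncode in (signal.SIGXCPU, signal.SIGKILL):
        return ScanResult(proc.returncode, proc.stdout, True, "cpu-limit")
    return ScanResult(proc.returncode, proc.stdout, False, "ok")


def demo_quick():
    """A scanner that finishes normally: stdout is returned untouched."""
    return run_with_limits([sys.executable, "-c", "print('scan done')"], cpu_seconds=5)


def demo_busy_loop(cpu_seconds=1):
    """A stand-in for a hung scanner spinning on the CPU (constructed input)."""
    return run_with_limits([sys.executable, "-c", "while True: pass"], cpu_seconds=cpu_seconds)


if __name__ == "__main__":
    print(demo_quick())
    print(demo_busy_loop())
```

       On a Linux host the busy loop comes back as killed with reason "cpu-limit" after about one
       second of CPU time; a scanner stuck in I/O would instead be stopped by the wall-clock
       backstop, which a bare ulimit -t would not catch.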

       --temp-log-dir directory
              Specify a directory where you want the temporary files used by BogoSec to be stored
              (scanner output logs, etc.).  The default is /tmp/.

       -v, --verbosity 0|1
              Specify  verbosity level (default is 0).  If 1, then a graph of the severity points
              is shown, which breaks the results down by severity levels. This  option  does  not
              work if the --sev-range-max is changed from 10.

       --xp, --exclude-plugin plugin_name
              Do not run plugin defined by plugin_name.

       --xv, --exclude-vuln vuln_list
              Exclude the vulnerabilities in the vuln_list from the final bogosec calculation.
              vuln_list is a ":" separated list of vulnerability identifiers.
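       The following is an added example, not bogosec's own code, showing how the --min-sev, --xv,
       --sev-range-max and -v 1 options described above act on scanner output: findings are parsed,
       the ones below the minimum severity or on the exclude list are dropped, the survivors are
       rescaled from 0-10 onto 0-sev_range_max, and a per-level breakdown is produced. The sample
       report is constructed and laid out after the shape of flawfinder's single-line (-S) output;
       the per-finding point formula is an assumption for illustration, not bogosec's metric.

```python
"""Filter and rescale scanner findings as the --min-sev, --xv and --sev-range-max
options describe.  Added example; not bogosec's own code."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, laid out like flawfinder's single-line (-S) report:
#   file:line:  [level] (category) name:description
SAMPLE_REPORT = """\
src/net.c:42:  [5] (buffer) gets:Does not check for buffer overflows (CWE-120, CWE-20). Use fgets() instead.
src/net.c:57:  [4] (buffer) strcpy:Does not check for buffer overflows when copying to destination (CWE-120).
src/util.c:12:  [2] (misc) open:Check when opening files - can an attacker redirect it (CWE-362).
src/util.c:88:  [1] (buffer) strlen:Does not handle strings that are not NUL-terminated (CWE-126).
"""

LINE_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<line>\d+):\s+\[(?P<level>\d+)\]\s+"
    r"\((?P<cat>\w+)\)\s+(?P<name>[^:]+):(?P<desc>.*)$"
)


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    level: int       # scanner's 0-10 severity
    category: str
    name: str        # identifier that --xv matches against (assumption)


def parse_flawfinder(text):
    """Turn single-line scanner output into Finding objects; non-matching
    lines (banners, summaries) are skipped rather than mis-parsed."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            continue
        findings.append(Finding(m["file"], int(m["line"]), int(m["level"]),
                                m["cat"], m["name"]))
    return findings


def parse_exclude_list(vuln_list):
    """--xv takes a ':'-separated list of identifiers; empty items are ignored."""
    return {v for v in vuln_list.split(":") if v}


def apply_filters(findings, min_sev=0, exclude_vulns=frozenset()):
    """--min-sev drops anything below the threshold (must be 0-10);
    --xv drops anything whose identifier is excluded."""
    if not 0 <= min_sev <= 10:
        raise ValueError("--min-sev must be a number 0-10")
    return [f for f in findings
            if f.level >= min_sev and f.name not in exclude_vulns]


def severity_points(findings, sev_range_max=10):
    """Rescale each finding's 0-10 level onto 0-sev_range_max, e.g. a
    level-5 finding becomes 25 points when --sev-range-max is 50
    (illustrative formula, an assumption)."""
    if sev_range_max <= 0:
        raise ValueError("--sev-range-max must be positive")
    return [f.level * sev_range_max / 10 for f in findings]


def severity_histogram(findings):
    """The breakdown by severity level that -v 1 is described as graphing.
    Only meaningful on the unscaled 0-10 levels, which is why the page notes
    that -v 1 and a changed --sev-range-max do not combine."""
    return dict(sorted(Counter(f.level for f in findings).items()))


if __name__ == "__main__":
    allf = parse_flawfinder(SAMPLE_REPORT)
    kept = apply_filters(allf, min_sev=2, exclude_vulns=parse_exclude_list("gets:strlen"))
    print(kept)
    print(severity_points(kept, sev_range_max=50))
    print(severity_histogram(allf))
```

       With --min-sev 2 and --xv gets:strlen the four sample findings reduce to the strcpy and
       open entries; on a 0-50 scale they carry 20 and 10 points respectively.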

TOOLS

       bogosec_wrapper provides a method to run bogosec automatically on a  directory  containing
       multiple targets. Please refer to bogosec_wrapper man page for additional information.

FILES

       /etc/bogosec.conf
              Global configuration file. The settings here are overridden by any settings in the
              user's ~/.bogosecrc file.
       ~/.bogosecrc
              Default user configuration file  (overrides  the  settings  in  /etc/bogosec.conf).
              This file is not created during an installation, you must create it yourself.
       /usr/lib/bogosec/plugins/
              Default  plugins directory.  Can be changed with --plugin-dir option.  Plugins must
              be executable, and must end in .pm as per convention.
       /usr/lib/bogosec/documents/
              Directory of BogoSec documentation and other germane documents.

SCANNERS

       FlawFinder : http://www.dwheeler.com/flawfinder

       RATS       : http://www.securesoftware.com/resources/tools.html

BUGS

       Not all input validated.  Not all environmental variables checked.  This  program  expects
       to be run by trusted users.

AUTHORS

       Developed  by  Dustin Kirkland, Agoston Petz, and Loulwa Salem at the IBM Linux Technology
       Center.

       http://sourceforge.net/projects/bogosec/