Provided by: bogosec_2.3-0ubuntu1_amd64 

NAME
bogosec - source-code security quality metric using established static source-code scanners
SYNOPSIS
bogosec [-l] [--log-dir directory ] [--min-sev 0-10 ] [--nhf] [-p plugin_name [args] ] [--plugin-dir
directory ] [--sev-range-max num ] [--timeout num ] [--temp-log-dir directory ] [-v 0|1 ] [--xp
plugin_name ] [--xv vuln_list ] TARGET
DESCRIPTION
BogoSec attempts to influence developers to produce more secure source-code over time. Various existing
scanners point developers to potentially insecure sections of code. BogoSec broadens the scope of source-
code scans by utilizing multiple independent scanners and compiling the results into high level
calculated metrics. These metrics can help developers and users alike to comparatively judge the
security quality of source-code.
OPTIONS
-l Turn on scanner output logging. Log will be called <scanner_name>.log and created in current
working directory, unless --log-dir is used to specify a different location.
--log-dir directory
Specify a directory for scanner output logs (only makes sense if -l is also used). Default is
current working directory.
--min-sev minimum_severity_level
Specify a minimum severity level. Any vulnerabilities reported by the scanners whose score falls
below this number will be ignored. The argument must be a number 0-10. Default is 0.
--nhf, --no-header-files
Do not scan header files. Useful if the scanners being used do not support scanning header files.
-p, --plugin plugin_name [args]
Specify a plugin to use. If no plugins are defined on the command line, all of the plugins in the
plugins_dir will be used. This option can be passed more than once, to specify a set of scanners
to use. Each scanner requires a separate instance of the --plugin flag (please see examples).
Optionally, a set of command line arguments can be passed to the scanner -- this feature must be
used with care. Keep in mind that the plugin requires a certain formatting of the scanner output
(for example, '-SQ' is always passed to flawfinder, and '-w 3' is always passed to rats). You can
pass additional command line arguments using this option, but be aware of the effect it might have
on the formatting of the scanner output, and the effect that will have on the plugin's ability to
parse it correctly. If you must change the defaults ('-SQ', '-w 3', etc.) you must edit the
plugin directly.
--plugin-dir directory
Specify the directory where the plugins are stored. Default is /usr/lib/bogosec/plugins.
--sev-range-max number
Specify the maximum severity value to be used in calculating the severity value range. The
default is 10. For example, setting --sev-range-max to 50 would mean that the severity results
would now be on a scale of 0-50 instead of on a scale of 0-10. This can be used to scale the
result if more granularity is required. NOTE: -v 1 will not work if this option is used.
--timeout number
Specify the CPU time limit in seconds. Some scanners might hang; to overcome this problem you
may set the timeout to an appropriate period after which the scanner process is killed. For
example, --timeout 60 kills any remaining scanner processes after 60 seconds of CPU time and
returns control to the main bogosec process. This option uses the ulimit command; please refer to
the ulimit man page for additional information.
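The following is an added illustration, not bogosec's own code, of the mechanism behind --timeout: the scanner child is started under a CPU-time resource limit, exactly what `ulimit -t` does in a shell, here via the equivalent setrlimit(RLIMIT_CPU) call. The two "scanner" commands are constructed stand-ins (a process that spins forever and one that exits at once); the function names are this example's own.

```python
"""Added illustration (not bogosec's own code): run a scanner under a CPU-time
limit, the mechanism behind --timeout. bogosec shells out to ulimit; this uses
the equivalent setrlimit(RLIMIT_CPU) call in the child before exec."""
import resource
import subprocess
import sys


def run_with_cpu_limit(argv, cpu_seconds):
    """Run argv as a child that may consume at most cpu_seconds of CPU time.

    The limit is installed in the child just before exec, so the parent (the
    equivalent of the main bogosec process) is not affected. Returns the
    child's exit status: >= 0 for a normal exit, negative for a signal
    (SIGXCPU at the soft limit, SIGKILL if the hard limit is reached too).
    """
    def limit():
        _, hard = resource.getrlimit(resource.RLIMIT_CPU)
        # Never raise an existing hard limit; otherwise give the scanner one
        # extra second to react to SIGXCPU before the kernel kills it outright.
        if hard == resource.RLIM_INFINITY or hard > cpu_seconds + 1:
            hard = cpu_seconds + 1
        resource.setrlimit(resource.RLIMIT_CPU, (min(cpu_seconds, hard), hard))

    proc = subprocess.run(argv, preexec_fn=limit,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode


def scanner_hung(argv, cpu_seconds):
    """True if the scanner was terminated by the CPU limit instead of exiting."""
    return run_with_cpu_limit(argv, cpu_seconds) < 0


# Constructed stand-ins for a scanner: one that spins forever, one that exits.
SPINNING_SCANNER = [sys.executable, "-c", "while True: pass"]
QUICK_SCANNER = [sys.executable, "-c", "print('0 findings')"]

if __name__ == "__main__":
    print("spinning scanner killed:", scanner_hung(SPINNING_SCANNER, 1))
    print("quick scanner killed:", scanner_hung(QUICK_SCANNER, 1))
```

Because the limit counts CPU seconds rather than wall-clock time, it catches a scanner stuck in a loop but not one blocked on I/O (a pipe or lock it will never get); that kind of hang consumes no CPU and needs a wall-clock watchdog instead.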
--temp-log-dir directory
Specify a directory where you want the temporary files used by BogoSec to be stored (scanner
output logs, etc.). The default is /tmp/.
-v, --verbosity 0|1
Specify verbosity level (default is 0). If 1, then a graph of the severity points is shown, which
breaks the results down by severity levels. This option does not work if the --sev-range-max is
changed from 10.
--xp, --exclude-plugin plugin_name
Do not run plugin defined by plugin_name.
--xv, --exclude-vuln vuln_list
Exclude the vulnerabilities in the vuln_list from the final bogosec calculation. vuln_list is a ":"
separated list of vulnerability identifiers.
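As an added illustration (not bogosec's own code), the model below shows how --min-sev, --exclude-vuln and --sev-range-max act together on what the scanner plugins report. The findings, their identifiers and the "severity points" summing are constructed assumptions for the example; the man page does not state how bogosec computes its metric, only that scores are 0-10, that --xv takes a ":"-separated list, and that --sev-range-max rescales the range.

```python
"""Added illustration (not bogosec's own code): a model of how --min-sev,
--exclude-vuln (--xv) and --sev-range-max act on scanner findings. The finding
shape and the point-summing are assumptions made for this example."""
from collections import Counter

# Constructed findings: (scanner, vulnerability identifier, severity 0-10).
FINDINGS = [
    ("flawfinder", "strcpy", 4),
    ("flawfinder", "strcpy", 4),
    ("flawfinder", "gets", 5),
    ("rats", "fixed size local buffer", 2),
    ("rats", "system", 3),
    ("rats", "getenv", 1),
]


def parse_vuln_list(vuln_list):
    """--xv takes a ':'-separated list of vulnerability identifiers."""
    return {v for v in vuln_list.split(":") if v}


def filter_findings(findings, min_sev=0, exclude=""):
    """Drop findings below --min-sev and those whose identifier is in --xv."""
    excluded = parse_vuln_list(exclude)
    return [f for f in findings if f[2] >= min_sev and f[1] not in excluded]


def scale_severity(score, sev_range_max=10):
    """Map a 0-10 score onto 0-sev_range_max (50 gives the 0-50 scale of the man page)."""
    return score * sev_range_max / 10


def severity_histogram(findings, sev_range_max=10):
    """Per-level breakdown like the -v 1 graph (assumed: count per scaled level)."""
    return Counter(scale_severity(f[2], sev_range_max) for f in findings)


def total_points(findings, sev_range_max=10):
    """Assumed aggregate: the sum of (scaled) severity points of the kept findings."""
    return sum(scale_severity(f[2], sev_range_max) for f in findings)


if __name__ == "__main__":
    kept = filter_findings(FINDINGS, min_sev=3, exclude="gets")
    print("kept:", kept)
    print("histogram on 0-50 scale:", severity_histogram(kept, 50))
    print("points on default scale:", total_points(kept))
```

Note that --xv filters by identifier and removes every occurrence, so the two "strcpy" hits survive only because they were not excluded, and that rescaling changes the labels of the histogram levels, which is why the man page says the -v 1 graph is unavailable when --sev-range-max is not 10.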
TOOLS
bogosec_wrapper provides a method to run bogosec automatically on a directory containing multiple
targets. Please refer to bogosec_wrapper man page for additional information.
FILES
/etc/bogosec.conf
Global configuration file. The settings here are overwritten by any settings in the user's
~/.bogosecrc file.
~/.bogosecrc
Default user configuration file (overrides the settings in /etc/bogosec.conf). This file is not
created during an installation, you must create it yourself.
/usr/lib/bogosec/plugins/
Default plugins directory. Can be changed with --plugin-dir option. Plugins must be executable,
and must end in .pm as per convention.
/usr/lib/bogosec/documents/
Directory of BogoSec documentation and other germane documents.
SCANNERS
FlawFinder : http://www.dwheeler.com/flawfinder
RATS : http://www.securesoftware.com/resources/tools.html
BUGS
Not all input validated. Not all environmental variables checked. This program expects to be run by
trusted users.
AUTHORS
Developed by Dustin Kirkland, Agoston Petz, and Loulwa Salem at the IBM Linux Technology Center.
http://sourceforge.net/projects/bogosec/
Linux Jan 25 2005 BOGOSEC(1)