Provided by: bogosec_2.3-0ubuntu1_amd64 
NAME
bogosec - source-code security quality metric using established static source-code
scanners
SYNOPSIS
bogosec [-l] [--log-dir directory ] [--min-sev 0-10 ] [--nhf] [-p plugin_name [args] ]
[--plugin-dir directory ] [--sev-range-max num ] [--timeout num ] [--temp-log-dir
directory ] [-v 0|1 ] [--xp plugin_name ] [--xv vuln_list ] TARGET
DESCRIPTION
BogoSec attempts to influence developers to produce more secure source-code over time.
Various existing scanners point developers to potentially insecure sections of code.
BogoSec broadens the scope of source-code scans by utilizing multiple independent scanners
and compiling the results into high level calculated metrics. These metrics can help
developers and users alike to comparatively judge the security quality of source-code.
OPTIONS
-l Turn on scanner output logging. Log will be called <scanner_name>.log and created
in current working directory, unless --log-dir is used to specify a different
location.
--log-dir directory
Specify a directory for scanner output logs (only makes sense if -l is also used).
Default is current working directory.
--min-sev minimum_severity_level
Specify a minimum severity level. Any vulnerabilities reported by the scanners
whose score falls below this number will be ignored. The argument must be a number
0-10. Default is 0.
--nhf, --no-header-files
Do not scan header files. Useful if the scanners being used do not support
scanning header files.
-p, --plugin plugin_name [args]
Specify a plugin to use. If no plugins are defined on the command line, all of the
plugins in the plugins_dir will be used. This option can be passed more than once,
to specify a set of scanners to use. Each scanner requires a separate instance of
the --plugin flag (please see examples). Optionally, a set of command line
arguments can be passed to the scanner -- this feature must be used with care.
Keep in mind that the plugin requires a certain formatting of the scanner output
(for example, '-SQ' is always passed to flawfinder, and '-w 3' is always passed to
rats). You can pass additional command line arguments using this option, but be
aware of the effect it might have on the formatting of the scanner output, and the
effect that will have on the plugin's ability to parse it correctly. If you must
change the defaults ('-SQ', '-w 3', etc.) you must edit the plugin directly.
--plugin-dir directory
Specify the directory where the plugins are stored. Default is
/usr/lib/bogosec/plugins.
--sev-range-max number
Specify the maximum severity value to be used in calculating the severity value
range. The default is 10. For example, setting --sev-range-max to 50 would mean
that the severity results would now be on a scale of 0-50 instead of on a scale of
0-10. This can be used to scale the result if more granularity is required. NOTE:
-v 1 will not work if this option is used.
--timeout number
Specify the cpu time limit in seconds. Some scanners might hang, in order to
overcome this problem you may choose to set the timeout to an appropriate period to
kill the scanner process. For example setting --timeout 60, will kill any remaining
scanner processes after 60 seconds, and return control to the main bogosec process.
This option uses the ulimit command, please refer to ulimit manpage for additional
information.
--temp-log-dir directory
Specify a directory where you want the temporary files used by BogoSec to be stored
(scanner output logs, etc.) The default is /tmp/.
-v, --verbosity 0|1
Specify verbosity level (default is 0). If 1, then a graph of the severity points
is shown, which breaks the results down by severity levels. This option does not
work if the --sev-range-max is changed from 10.
--xp, --exclude-plugin plugin_name
Do not run plugin defined by plugin_name.
--xv, --exclude-vuln vuln_list
Exclude the vulnerabilites in the vuln_list from the final bogosec calculation.
vuln_list is a ":" separated list of vulnerability identifiers.
TOOLS
bogosec_wrapper provides a method to run bogosec automatically on a directory containing
multiple targets. Please refer to bogosec_wrapper man page for additional information.
FILES
/etc/bogosec.conf
Global configuration file. The settings here are overwritten by any settings in
user's ~/.bogosecrc file.
~/.bogosecrc
Default user configuration file (overrides the settings in /etc/bogosec.conf).
This file is not created during an installation, you must create it yourself.
/usr/lib/bogosec/plugins/
Default plugins directory. Can be changed with --plugin-dir option. Plugins must
be executable, and must end in .pm as per convention.
/usr/lib/bogosec/documents/
Directory of BogoSec documentation and other germane documents.
SCANNERS
FlawFinder : http://www.dwheeler.com/flawfinder
RATS : http://www.securesoftware.com/resources/tools.html
BUGS
Not all input validated. Not all environmental variables checked. This program expects
to be run by trusted users.
AUTHORS
Developed by Dustin Kirkland, Agoston Petz, and Loulwa Salem at the IBM Linux Technology
Center.
http://sourceforge.net/projects/bogosec/