OpenScanHub
OpenScanHub is a service that runs various static analyzers on RPM packages. OpenScanHub by default uses Cppcheck, ShellCheck, the static analyzers embedded in GCC and Clang, and the find-unicode-control tool. Other tools for static (and dynamic) analysis can be enabled on demand while submitting an OpenScanHub task.
How to use it?
This service can be accessed at openscanhub.fedoraproject.org. The easiest way to run an OpenScanHub scan is to submit it through the create new scan form. You need to log in by clicking the krb5login link before submitting the scan. See the examples section for how to obtain a Kerberos ticket.
Alternatively, you can install the command line client by running: dnf install -y osh-client
Examples:
You need a valid Kerberos ticket to run these commands. It can be obtained by running kinit <FAS_USERNAME>@FEDORAPROJECT.ORG. Kerberos login requires dns_canonicalize_hostname = false in /etc/krb5.conf. Related documentation can be found at Kerberos#Extra_info_for_Infrastructure_people.
- mock-build performs a full scan on the package:
osh-cli mock-build --config="fedora-39-x86_64" --nvr units-2.22-6.fc39
- version-diff-build performs a differential scan between two different versions of packages:
osh-cli version-diff-build --config=fedora-39-x86_64 --brew-build units-2.22-6.fc39 --base-config=fedora-39-x86_64 --base-brew-build units-2.21-5.fc37
- diff-build performs a differential scan with the downstream patches:
osh-cli diff-build --config="fedora-39-x86_64" --nvr units-2.22-6.fc39
- SRPMs built locally can be scanned through:
osh-cli mock-build --config="<config name>" <path to SRPM>
- A more verbose log of the compiler output can be seen by running the csgrep command on the raw output. For example:
curl -s 'https://openscanhub.fedoraproject.org/task/16/log/added.js?format=raw' | csgrep
The csgrep command can be installed through: dnf install -y csdiff
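The Kerberos prerequisites above can be checked before a scan is submitted. The following wrapper is an added example, not part of the original page or of the OpenScanHub project; the function names are hypothetical, and it assumes the setting lives directly in the given file (included files are not followed) and that the first occurrence in [libdefaults] is the one that counts.

```shell
#!/bin/sh
# Added example: preflight checks for osh-cli (function names are hypothetical).

# Print the value of dns_canonicalize_hostname found in the [libdefaults]
# section of a krb5.conf-style file; print nothing if it is not set there.
# Assumption: the first occurrence is used; "include" directives are ignored.
krb5_canon_setting() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header, e.g. [realms]
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            next
        }
        sec == "libdefaults" && /=/ {
            key = $0; sub(/=.*$/, "", key);   gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
            if (key == "dns_canonicalize_hostname") { print tolower(val); exit }
        }
    ' "$1"
}

# Return 0 only if the config has the required setting and a valid ticket exists.
osh_preflight() {
    conf=${1:-/etc/krb5.conf}
    if [ "$(krb5_canon_setting "$conf")" != "false" ]; then
        echo "set dns_canonicalize_hostname = false in [libdefaults] of $conf" >&2
        return 1
    fi
    # klist -s is silent and reports ticket validity through its exit status.
    if ! klist -s; then
        echo "no valid Kerberos ticket; run kinit <FAS_USERNAME>@FEDORAPROJECT.ORG" >&2
        return 2
    fi
}

# Submit a full scan of a package NVR only when the preflight passes.
# Usage: osh_scan_nvr fedora-39-x86_64 units-2.22-6.fc39
osh_scan_nvr() {
    osh_preflight /etc/krb5.conf || return
    osh-cli mock-build --config="$1" --nvr "$2"
}
```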
Related Links
- GitHub - https://github.com/openscanhub/openscanhub
- Developer documentation - https://github.com/openscanhub/openscanhub/blob/main/docs/development.md
- Homepage - https://openscanhub.dev/
- Mailing list - https://lists.fedoraproject.org/archives/list/openscanhub@lists.fedoraproject.org/