From Fedora Project Wiki

Revision as of 15:14, 6 August 2024 by Jamacku (talk | contribs) (Fix typos)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

🔗 OpenScanHub

OpenScanHub is a service that runs various static analyzers on RPM packages. OpenScanHub by default uses Cppcheck, ShellCheck, the static analyzers embedded in GCC and Clang, and the find-unicode-control tool. Other tools for static (and dynamic) analysis can be enabled on demand while submitting an OpenScanHub task.

🔗 How to use it?

This service can be accessed at openscanhub.fedoraproject.org. The easiest way to run an OpenScanHub scan is to submit a scan through create new scan form. You need to login by clicking krb5login link before submitting the scan. See the examples section about how to obtain a kerberos ticket.

Alternatively, you can install the command line client by running: dnf install -y osh-client.

🔗 Examples:

You need a valid kerberos ticket to run these commands. It can be obtained by running kinit <FAS_USERNAME>@FEDORAPROJECT.ORG. Kerberos login would require dns_canonicalize_hostname = false in /etc/krb5.conf. Related documentation can be found at Kerberos#Extra_info_for_Infrastructure_people.


  • mock-build performs a full scan on the package: osh-cli mock-build --config="fedora-39-x86_64" --nvr units-2.22-6.fc39
  • version-diff-build performs a differential scan between two different versions of packages: osh-cli version-diff-build --config=fedora-39-x86_64 --brew-build units-2.22-6.fc39 --base-config=fedora-39-x86_64 --base-brew-build units-2.21-5.fc37
  • diff-build performs a differntial scan with the downstream patches: osh-cli diff-build --config="fedora-39-x86_64" --nvr units-2.22-6.fc39
  • SRPMs built locally can be scanned through: osh-cli mock-build --config="<config name>" <path to SRPM>

🔗 Related Links