From Fedora Project Wiki

Revision as of 15:14, 6 August 2024 by Jamacku (talk | contribs) (Fix typos)

OpenScanHub

OpenScanHub is a service that runs various static analyzers on RPM packages. OpenScanHub by default uses Cppcheck, ShellCheck, the static analyzers embedded in GCC and Clang, and the find-unicode-control tool. Other tools for static (and dynamic) analysis can be enabled on demand while submitting an OpenScanHub task.

How to use it?

This service can be accessed at openscanhub.fedoraproject.org. The easiest way to run an OpenScanHub scan is to submit it through the "create new scan" form. You need to log in by clicking the krb5login link before submitting the scan. See the Examples section below for how to obtain a Kerberos ticket.

Alternatively, you can install the command line client by running: dnf install -y osh-client.

Examples:

You need a valid Kerberos ticket to run these commands. It can be obtained by running kinit <FAS_USERNAME>@FEDORAPROJECT.ORG. Kerberos login requires dns_canonicalize_hostname = false in /etc/krb5.conf. Related documentation can be found at Kerberos#Extra_info_for_Infrastructure_people.

  • mock-build performs a full scan on the package: osh-cli mock-build --config="fedora-39-x86_64" --nvr units-2.22-6.fc39
  • version-diff-build performs a differential scan between two versions of a package: osh-cli version-diff-build --config=fedora-39-x86_64 --brew-build units-2.22-6.fc39 --base-config=fedora-39-x86_64 --base-brew-build units-2.21-5.fc37
  • diff-build performs a differential scan of the downstream patches only: osh-cli diff-build --config="fedora-39-x86_64" --nvr units-2.22-6.fc39
  • SRPMs built locally can be scanned through: osh-cli mock-build --config="<config name>" <path to SRPM>
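As an added example (not from the wiki page or the OpenScanHub project), a small POSIX shell wrapper that checks the two Kerberos preconditions stated above, the dns_canonicalize_hostname setting in [libdefaults] and a valid cached ticket, before submitting the version-diff-build from the list; the function names and the DRY_RUN variable are this example's own.

```shell
#!/bin/sh
# Added example: run an OpenScanHub differential scan after checking the
# Kerberos prerequisites the wiki page lists. Not part of the osh-client tool.
set -eu

# Exit 0 only if FILE sets dns_canonicalize_hostname = false inside the
# [libdefaults] section (commented-out lines and other sections do not count).
krb5_canonicalize_disabled() {
    awk '
        /^[[:space:]]*\[/ { section = $0; sub(/^[[:space:]]*\[/, "", section); sub(/\].*/, "", section) }
        section == "libdefaults" && /^[[:space:]]*dns_canonicalize_hostname[[:space:]]*=[[:space:]]*false[[:space:]]*$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Obtain a ticket for the Fedora realm unless a valid one is already cached
# (klist -s is silent and exits non-zero when no unexpired ticket exists).
ensure_ticket() {
    klist -s 2>/dev/null || kinit "$1@FEDORAPROJECT.ORG"
}

# run_diff_scan CONFIG NEW_NVR BASE_NVR: differential scan of NEW_NVR against
# BASE_NVR, both built with the same mock config as in the page's example.
# With DRY_RUN=1 the command line is printed instead of executed.
run_diff_scan() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "osh-cli version-diff-build --config=$1 --brew-build $2 --base-config=$1 --base-brew-build $3"
    else
        osh-cli version-diff-build "--config=$1" --brew-build "$2" "--base-config=$1" --base-brew-build "$3"
    fi
}

main() {
    user=$1; config=$2; new_nvr=$3; base_nvr=$4
    krb5_conf=${KRB5_CONFIG:-/etc/krb5.conf}   # KRB5_CONFIG is honoured by MIT Kerberos
    if ! krb5_canonicalize_disabled "$krb5_conf"; then
        echo "warning: $krb5_conf does not set dns_canonicalize_hostname = false in [libdefaults]; Kerberos login may fail" >&2
    fi
    ensure_ticket "$user"
    run_diff_scan "$config" "$new_nvr" "$base_nvr"
}

# usage: ./osh-diff.sh <FAS_USERNAME> fedora-39-x86_64 units-2.22-6.fc39 units-2.21-5.fc37
if [ $# -eq 4 ]; then main "$@"; fi
```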

Related Links