1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
|
.TH BLS-STANDALONE 1 "2015-12-31" "bls-standalone" BLS-STANDALONE
.SH NAME
bls\-standalone \- build log scanner, standalone version
.mso www.tmac
.SH SYNOPSIS
.B bls\-standalone \-\-help
.B bls\-standalone
[
\fIglobal options\fP
]
.B check
[
.B \-\-compiledrulesfile
.I rulesfile
]
[
.B \-\-blhc
.I blhc-program
]
.I logfiles
.B bls\-standalone
[
\fIglobal options\fP
]
.B compile
[
\fIcompile-options\fP
]
.B bls\-standalone
[
\fIglobal options\fP
]
.B checkout
.SH DESCRIPTION
bls\-standalone is the command line utility to run the build log scanner on manually specified logfiles,
including support to manage the needed compiled rules definitions.
.SH "GLOBAL OPTIONS"
Global options can be given before the command, available options are:
Options can be specified before the command. Each affects a different
subset of commands and is ignored by other commands.
.TP
.B \-v \-\-verbose
increase verbosity
.TP
.B \-\-libdir \fIdirectory\fP
specify the directory where the scan and compile binaries are looked for
.TP
.B \-\-sharedir \fIdirectory\fP
specify the directory where the copy of the rules files and the packaged precompiled rule data resides.
.SH "COMMANDS"
bls\-standalone has three commands: \fBcheck\fP, \fBcompile\fP and \fBcheckout\fP.
.TP
.B check \fR[\fP \-\-compiledrulesfile \fIrulesfile\fP \fR]\fP \fR[\fP \-\-blhc \fIblhc-program\fP \fR]\fP \fIlogfiles\fP
This command runs the bls scanner and the blhc scanner on the given build log files.
If no compiled rules file is given with \fB\-\-compiledrulesfile\fP then a previously compiled one is looked for and if there is none than the one shipped together with the package is used.
\fBblhc\fP is also called if it is found or specified with the \fB\-\-blhcp\fP option. To silence a warning about it not being found set it to \fBNO\fP.
.TP
.B compile \fR[\fP \-o \fIoutput-file\fP \fR]\fP \fR[\fP \-\-no\-defaults\fR]\fP \fR[\fP \-\-ignorecheckout\fR]\fP \fIadditional rule descriptions\fP
Compiles the checks into a compiled form.
Unless \fB\-o\fP is given to determine a different place, it is stored in a cache directory (determined by some environment variables) where the future \fBcheck\fP invocations will use it
intsead of the packaged precompiled rules.
Additional rule descriptions can be given as command line arguments.
Rules stored in proper places of your home directory are looked at, too.
(To see where they are looked for, use \fB\-\-verbose\fP.)
Unless \fB\-\-no\-defaults\fP is given the contents of a previous \fBcheckout\fP or the copy of the rules shipped with the package are used, too.
If there are rules of the same name, those given as command line arguments override local and original ones and local ones override original ones.
.TP
.B checkout
Check out the current rules used for the non-standalone build scanner into a directory
where the next \fBcompile\fP run will use them instead of the shipped rules.
Currently this checks out parts of the QA svn repository.
This URL might get outdated in the future.
If the bls\-standalone version you use and the non-standlone bls version get out of sync,
those rules might contain things that your bls\-stanalone cannot handle.
.SH "WRITING RULES"
Some far too short guide to writing new description files:
The non-standalone build log scanner is only run for builds deemed successful.
So checks for things that should usually make a build fail makes often not much sense (a test-suite generating false positives is often more likely than catching an error ignored inproperly).
The filename is the tag produced for the test. Finding a good name is often the hardest part about writing new checks.
Most of the description file is actually the html code describing what the finding usually means to be displayed on
.URL http://qa.debian.org/bls/
with the exception of the lines starting with ## at the top of the file.
The description should contain the following information:
.SS "What did the check found?"
Make it easy for people to find what was matched. Makes it easier to find the issue, less likely to disregard it as false-positive if it is not, and less time wasting if it actually is a false positive.
.SS "Why is what is found a problem?"
Even the most serious flaws can easily be disregarded as minor issues due to ignorance.
And some things are only dangerous in some sitations and don't require the highest priority in other situations.
Distingushing both cases is hard and some more words in the description about it can help a lot.
.SS "What can be done against it?"
Some hints how to avoid the problem both help the one due to fix it some time looking for a solution.
This is especially useful to help people fixing it properly instead of only hiding the problem more thoroughly.
The actual ## directives at the start of the file are:
.SS Merge:
This line tells that this check triggers if other checks appear at the same line.
There are currently only two forms supported:
\fB##Merge: same \fP\fItagname1\fP\fB \fP\fItagname2\fP
and
\fB##Merge: same \fP\fItagname1\fP\fB \fP\fItagname2a\fP\fB or \fP\fItagname2b\fP
.SS Match:
This is a regular expression describing what to match each line of the build log against to find the issue, prefixed with \fBregexp:\fP.
As an extension to the regular syntax there is a atom \\/ which specifies that once a line matches up to this part, no check that does not have a \\/ at this place is supposed to match this line.
(This is an optimisation to heavily trim down the compile state machine, but it also can be used to avoid false-positives).
As all regular expressions of all checks are compiled into a single finite state machine,
checks that are very specific at the start of the line are quite cheap while checks not specific at the start are often quite expensive.
The size of the state machine output by the \fBcompile\fP command is a good measurement how expensive the specific check is.
.SS Since:
If there are new rules then the information at
.URL http://qa.debian.org/bls/
might be outdated until all logs are rescanned with the new version.
For each log scanned by the non-standalone build log scanner the version number of the used rules is remembered.
The number specified with the \fBSince\fP field tells the web report generated where to place warnings that information about this check might be outdated.
.SS Extract:
This tells how to extract information from the matched file to be showed together with the matched line (like a filename something was found in).
There are currently following forms supported here:
\fB##Extract: simple 0 \fP\fIendcount\fP\fB '\fP\fIendchar\fP\fB'\fP
\fB##Extract: simple 0 '\fP\fIreset\fP\fB' \fP\fIendcount\fP\fB '\fP\fIendchar\fP\fB'\fP
\fB##Extract: simple \fP\fIstartcount\fP\fB '\fP\fIstartchar\fP\fB' \fP\fIendcount\fP\fB '\fP\fIendchar\fP\fB'\fP
\fB##Extract: simple \fP\fIstartcount\fP\fB '\fP\fIstartchar\fP\fB' '\fP\fIreset\fP\fB' \fP\fIendcount\fP\fB '\fP\fIendchar\fP\fB'\fP
Where \fIstartchar\fP is a character to look for for the start of the extracted area (after the \fIstartcount\fPth occurrence).
\fIresetchar\fP is a character to abort extraction.
\fIendchar\fP is a character to look for for the end of the extracted area (after the \fIendcount\fPth occurrence).
For example:
\fB##Extract: simple 2 '|' '/' 1 '|'\fP
means to extract the content between the 2nd and 3rd pipe symbol, unless there is a slash in between.
.SS Action:
describes what to do if a switch is matched.
This can be used to set variables referenced in other rules to generate context-sensitive rules.
.SS Condition:
add conditions (on variables set by \fB##Action\fP).
If the condition is not met, the generating of a finding is supressed.
.SH CEVEATS
While compiling all matches into a single finite state machine produces very fast results, it is only feasible while the state machine does not grow too much.
So care has to be taken to not use too expensive searches.
Some checks (especially context specific ones) are quite unreliable.
The non-standalone build log checks do not include some findings for the summary unless they appear on multiple architectures, which bls-standalone obviously cannot do.
bls is optimized to be fast.
Do not run it with rules files you do not trust.
(Only the content of log files scanned is supposed to be untrusted data).
blhc is quite slow which is luckily not that noticeable if not scanning the logfiles of the whole archive. If you test new rules on a larger set of logfiles, using \fB\-\-blhc=NO\fP can speed things up quite a bit.
blhc does not report line numbers so bls\-standalone cannot report them for those findings.
Note that checking the logs of a dpkg-buildpackage -b run and a dpkg-buildpackage -B run can make a difference
(so if you cannot reproduce a E-binary-arch-produces-all make sure you check the correct type of log).
.SH "REPORTING BUGS"
Report bugs or wishlist requests to the Debian BTS
.br
(e.g. by using \fBreportbug bls\-standalone\fP under Debian)
.br
or directly to
.MTO brlink@debian.org
.SH COPYRIGHT
Copyright \(co 2013,2014,2015
.URL http://www.brlink.eu "Bernhard R. Link"
.br
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
.SH "SEE ALSO"
blhc(1)
|
