To get a trial key
fill out the form below
Team License (a basic version)
Enterprise License (an extended version)
* By clicking this button you agree to our Privacy Policy statement

Request our prices
New License
License Renewal
--Select currency--
* By clicking this button you agree to our Privacy Policy statement

Free PVS-Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

Message submitted.

Your message has been sent. We will email you at

If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

Automatic static analysis using PVS-Stu…

Automatic static analysis using PVS-Studio when building RPM packages

Dec 02 2020

There was a task to automate static analysis packages included in the distribution. The best tool for this is PVS-Studio, as it can catch compiler calls using strace, thus not requiring any changes in the build scripts. First, controled by pvs-studio-analyzer the build was started, and the log was collected. Then the log was analyzed resulting in the report. Let's look at how to set this up without making edits to each package.

The article was first posted in Russian at The article is now posted in our blog and translated with the author's permission.

As an operating system, we will consider rosa2019. 1 (dnf + rpm4 [RU]). I'm using rootfs builds and systemd-nspawn (snr). First let's set up the necessary packages:

dnf install git-core bash abf basesystem-build how-to-use-pvs-studio-free

First with the utility how-to-use-pvs-studio-free I have to add PVS-Studio headers to the source code. These sources will be stripped from the binaries and placed in debugsource sub-packages that are published in the repository. Let's install the utility from the repository:

sudo dnf install how-to-use-pvs-studio-free

Now we install PVS-Studio itself:

wget -O pvs-studio-latest.rpm
sudo dnf install pvs-studio-latest.rpm

Here's the main point. As we know, RPM turns the %prep spec section into a shell script /var/tmp/*.sh and runs it, as it does with the %build and %install sections. We will make a wrapper that will run these scripts instead of %_buildshell (/bin/sh).

Next, we create the file /usr/bin/pvs-prep with the following text:

set -eu
sh "$2"
( cd "$1"
how-to-use-pvs-studio-free -c 2 -m .

This script will add the header with the PVS-Studio ad to the source code at the %prep stage.

Now we create the file /usr/bin/pvs-builder with this text:

set -eu
test -f "$script"
[ -n "$2" ]
/usr/bin/pvs-studio-analyzer trace -- /bin/bash -e "$script"
mkdir -p "$HOME/pvs-logs/raw-logs"
pvs-studio-analyzer analyze -o "$HOME/pvs-logs/${name}" 
  -j "$(nproc)" #-C /usr/bin/clang
rm -fr "$HOME/pvs-logs/html-logs/${name}"
mkdir -p "$HOME/pvs-logs/html-logs/${name}"
plog-converter -a GA:1,2 -t fullhtml "$HOME/pvs-logs/${name}" 
  -o "$HOME/pvs-logs/html-logs/${name}"
mv -v "$HOME/pvs-logs/html-logs/${name}/fullhtml"/* 
rm -fr "$HOME/pvs-logs/html-logs/${name}/fullhtml"

This script will run the %build script under the PVS-Studio tracer, and then create a report.

Now we make them executable:

chmod +x /usr/bin/pvs-builder /usr/bin/pvs-prep

Don't use /usr/local/bin, because it is not included in $PATH in RPM.

Now we append the following in the file /etc/rpm/macros:

%__spec_prep_cmd /usr/bin/pvs-prep "%{_sourcedir}"
%__spec_build_cmd /usr/bin/pvs-builder %{name}


And that's it. Each C/C++ project build will create an HTML report in the folder $HOME/pvs-logs/html-logs/package_name.

To avoid issues with mock, we can build a list of packages like this:

cat list_sec_sorted.txt | while read -r line; do pushd $line 
  && dnf builddep --allowerasing -y *.spec 
  && abf rpmbuild ; popd; done

This will help us install build dependencies in the same system but allow deleting unnecessary packages if the installed dependencies of the current package conflict with the dependencies of one of the previous packages.

Popular related articles
How PVS-Studio for Windows got new monitoring mode

Date: Jun 14 2022

Author: Alexey Govorov

In PVS-Studio 7.18, the compiler monitoring utility for Windows got new mechanism that completely eliminates missed compiler launches. In this article, we will remind you how our analyzer copes with …
SAST in Secure SDLC: 3 reasons to integrate it in a DevSecOps pipeline

Date: Apr 19 2022

Author: Sergey Vasiliev

Vulnerabilities produce enormous reputational and financial risks. That's why many companies are fascinated by security and desire to build a secure development life cycle (SSDLC). So, today we're go…
What's new in PVS-Studio in 2021?

Date: Dec 31 2021

Author: Maxim Stefanov, Oleg Lisiy, Sergey Vasiliev

2021 is coming to an end, which means it's time to sum up the year! Today we'll tell you about the new features we added to PVS-Studio in the past year. Buckle up and let's go!
VSCode: how to view reports of static analyzers that support SARIF

Date: Aug 09 2021

Author: Nikolay Mironov

People increasingly start optimizing the process of finding code errors using static analyzers. Nowadays, we can choose from a variety of products to view analysis results. This post covers the ways …
PVS-Studio new features for notifying developers about errors found

Date: May 18 2021

Author: Maxim Stefanov

PVS-Studio user support often receives clients' suggestions on product improvement. We are happy to implement many of them. Recently one of the users suggested refining the automatic notification uti…

Comments (0)

Next comments
This website uses cookies and other technology to provide you a more personalized experience. By continuing the view of our web-pages you accept the terms of using these files. If you don't want your personal data to be processed, please, leave this site.
Learn More →