rats

Once you have built and installed RATS, it's time to start auditing your software! RATS accepts a few command line options that will be described here and accepts a list of files to audit on the command line. If no files to audit are specified, stdin will be used.

usage: rats [-d ] [-h] [-r] [-w ] [-x] [file1 
                                    file2 ... filen]

Options explained:

• -d Specifies a vulnerability database to be loaded. You may have multiple -d options and each database specified will be loaded.
• -h Displays a brief usage summary
• -i Causes a list of function calls that were used which accept external input to be produced at the end of the vulnerability report.
• -l Force the specified language to be used regardless offilename extension. Currently valid language names are"c", "perl", "php" and "python".
• -r Causes references to vulnerable function calls that are not being used as calls themselves to be reported.
• -w Sets the warning level. Valid levels are 1, 2 or 3.

Warning level 1 includes only default and high severity Level 2 includes medium severity. Level 2 is the default warning level 3 includes low severity vulnerabilities.

• -x Causes the default vulnerability databases (which are in the installation data directory, /usr/local/lib by default) to not be loaded.

When started, RATS will scan each file specified on the command line and produce a report when scanning is complete. What vulnerabilities are reported in the final report depend on the data contained in the vulnerability database or databases that are used and the warning level in use.

For each vulnerability, the list of files and line numbers where it occurred is given, followed by a brief description of the vulnerability and suggested action.

RATS