exclude license type for a specific package #5839
Question

Is it possible to exclude a license type for a specific package, for example for a Java package? Some package types come with multiple license types, such as LGPL and Apache 2.0. We added the LGPL-2.0 license to the trivy.yml file in the restricted section as prohibited; when scanning the pom file, trivy detects 2 license types for the package, one of which is prohibited, but Apache 2.0 is in the allowed list. In this case, we could independently add the package and license we need to the exception. I tried to do it using the .trivyignore.yaml file but it doesn't work. I tried like this:

licenses:

Then I run the scan:

./trivy fs --ignorefile ./.trivyignore.yaml --scanners license --debug pom.xml

And I get the result:

│ org.passay:passay │ Apache 2 │ │ │

Target: Filesystem
Scanner: License
Output Format: Table
Mode: Standalone
Operating System: Linux
Version:
2023-12-29T17:27:42.271+0400 INFO Loaded trivy.yaml
Version: 0.48.1
Vulnerability DB:
Version: 2
UpdatedAt: 2023-12-27 12:14:52.410046446 +0000 UTC
NextUpdate: 2023-12-27 18:14:52.410046146 +0000 UTC
DownloadedAt: 2023-12-27 12:26:04.062244991 +0000 UTC
Java DB:
Version: 1
UpdatedAt: 2023-12-25 00:47:34.569927115 +0000 UTC
NextUpdate: 2023-12-28 00:47:34.569926974 +0000 UTC
DownloadedAt: 2023-12-25 09:02:40.874137911 +0000 UTC
Policy Bundle:
Digest: sha256:8bfc31f3e4301ef758b6793a07e0b12b4306e0b54d03a640efb2ff5e5ef29b9e
DownloadedAt: 2023-12-21 11:09:56.466210277 +0000 UTC
Hi there, so the first thing that I see is that the trivyignore file is for vulnerability and misconfiguration IDs specifically. Meaning, if you want to specify the license that you want to e.g. ignore, you have to do that through the trivy.yaml file, which defines the overall way trivy is supposed to run => instead of specifying different flags, the trivy.yaml manifest allows you to specify the configuration in a specific file. This makes it easier to reuse the scan configuration and pass in different configurations for different scans.

I assume you would like something similar to this?

Here are the docs: https://aquasecurity.github.io/trivy/v0.48/docs/references/configuration/config-file/
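For reference, an added example that is not part of the discussion above: a trivy.yaml license section of the kind the reply points to. The key names follow the v0.48 config-file reference linked above; the license identifiers are sample values, and as far as the config file goes the ignore list is keyed by license identifier across all packages, not per package.

```yaml
# trivy.yaml (added example; key names per the v0.48 config-file reference, sample values)
scan:
  scanners:
    - license

license:
  # false: classify licenses from package metadata only (pom.xml, etc.)
  full: false
  # confidence threshold used when full file-content scanning is enabled
  confidencelevel: 0.9
  # Licenses dropped from the report entirely. This is a per-license filter:
  # an entry here suppresses that license for every package in the scan.
  ignored:
    - Apache-2.0
  # Reclassify licenses into Trivy's severity buckets (sample lists).
  forbidden:
    - AGPL-3.0
  restricted:
    - LGPL-2.0
    - GPL-2.0
```

Run with `trivy fs --config trivy.yaml pom.xml` (Trivy also loads a trivy.yaml in the working directory automatically, as the "Loaded trivy.yaml" line in the question's output shows).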
…