From 62fedd4ce93aecd621633d107a4c23f18efa5a44 Mon Sep 17 00:00:00 2001
From: Rex P <106129829+another-rex@users.noreply.github.com>
Date: Thu, 20 Jun 2024 15:58:03 +1000
Subject: [PATCH] Add documentation for the configuration. (#1051)

Add documentation for the newly added config package override feature #814
---
 docs/configuration.md | 22 ++++++++++++++++++++--
 docs/license-scanning.md | 6 ++++++
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/docs/configuration.md b/docs/configuration.md
index 8f8c1fdee3..921bb2a95d 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -9,8 +9,6 @@ nav_order: 5
 To configure scanning, place an osv-scanner.toml file in the scanned file's directory.
 To override this osv-scanner.toml file, pass the `--config=/path/to/config.toml` flag with the path to the configuration you want to apply instead.
 
-Currently, there is only 1 option to configure:
-
 ## Ignore vulnerabilities by ID
 
 To ignore a vulnerability, enter the ID under the `IgnoreVulns` key. Optionally, add an expiry date or reason.
@@ -30,3 +28,23 @@ reason = "No external http servers are written in Go lang."
 ```
 
 Ignoring a vulnerability will also ignore vulnerabilities that are considered aliases of that vulnerability.
+
+## Override specific package
+
+To ignore a specific a package, or manually set its license, enter the package name and ecosystem under the `PackageOverrides` key.
+
+```toml
+[[PackageOverrides]]
+# The package name, version, and ecosystem to match against
+name = "lib"
+# If version is not set or empty, it will match every version
+version = "1.0.0"
+ecosystem = "Go"
+# Ignore this package entirely, including license scanning
+ignore = true
+# Override the license of the package
+# This is not used if ignore = true
+license.override = ["MIT", "0BSD"]
+# effectiveUntil = 2022-11-09 # Optional exception expiry date
+reason = "abc"
+```
diff --git a/docs/license-scanning.md b/docs/license-scanning.md
index 71012ca7af..9709b590b3 100644
--- a/docs/license-scanning.md
+++ b/docs/license-scanning.md
@@ -58,3 +58,9 @@ Your command would be in this form:
 ```bash
 osv-scanner --experimental-licenses="BSD-3-Clause,Apache-2.0,MIT" path/to/directory
 ```
+
+## Override License
+
+Sometimes, the license either cannot be retrieved, or does not apply to your specific use. In those cases, you can override the license of a specific package by setting it in the config file.
+
+See the [configuration docs](./configuration.md) for how to do this.