
Support ignoring a package only from license scanning #1124

Closed
shahar-h opened this issue Jul 16, 2024 · 2 comments · Fixed by #1243
Labels
enhancement New feature or request

Comments

@shahar-h

shahar-h commented Jul 16, 2024

Today [[PackageOverrides]] can be configured to ignore a package entirely from both vulnerability and license scanning using the ignore field:

[[PackageOverrides]]
# The package name, version, and ecosystem to match against
name = "lib"
# If version is not set or empty, it will match every version
version = "1.0.0"
ecosystem = "Go"
# Ignore this package entirely, including license scanning
ignore = true

However, there are cases where we only want to ignore a package from license scanning. For example, when the package is only used in tests, we may still want to detect vulnerabilities but ignore the license, since this package is not compiled into our application.

@G-Rath
Collaborator

G-Rath commented Sep 4, 2024

You should be able to do this using license.override to override the license to one you consider allowed, e.g.

[[PackageOverrides]]
# The package name, version, and ecosystem to match against
name = "lib"
# If version is not set or empty, it will match every version
version = "1.0.0"
ecosystem = "Go"
# Ignore the license of this package
license.override = ["IGNORED"]

and then call osv-scanner with --experimental-licenses IGNORED.

While a little messier than being able to do, say, license.ignore = true, I don't know if there's enough of an advantage, as I'd expect we would still want to at least output that ignoring like we do when a license is overridden, so you'd still have the same amount of output.

@another-rex @cuixq what do you think?

@shahar-h
Author

shahar-h commented Sep 5, 2024

> You should be able to do this using license.override to override the license to one you consider allowed, e.g.
>
> [[PackageOverrides]]
> # The package name, version, and ecosystem to match against
> name = "lib"
> # If version is not set or empty, it will match every version
> version = "1.0.0"
> ecosystem = "Go"
> # Ignore the license of this package
> license.override = ["IGNORED"]
>
> and then call osv-scanner with --experimental-licenses IGNORED.
>
> While a little messier than being able to do, say, license.ignore = true, I don't know if there's enough of an advantage, as I'd expect we would still want to at least output that ignoring like we do when a license is overridden, so you'd still have the same amount of output.
>
> @another-rex @cuixq what do you think?

Currently I do something similar - I override the package license to an allowed one like MIT, but having an explicit license.ignore flag would make it more readable.
