sandworm-hq / sandworm-audit

Security & License Compliance For Your App's Dependencies 🪱
https://sandworm.dev
MIT License

Allow to disable license policies issues #110

Closed neumartin closed 1 year ago

neumartin commented 1 year ago

Sandworm version 1.38.1

Describe the bug
Can't disable license checking, I need only check for vulnerabilities.

To Reproduce
Just run the CLI command with the default parameters.

Expected behavior
Something like this: sandworm --license-policy '{"enable": false}'

System (please complete the following information):

Additional context
For my use case, I only need to check for vulnerabilities and need a clean log, without license info. This is my configuration file:

{
  "audit": {
    "includeDev": true,
    "showVersions": true,
    "maxDepth": 10,
    "minDisplayedSeverity": "moderate",
    "licensePolicy": {
      "categories": [
        {
          "name": "Permissive",
          "licenses": ["*"]
        }
      ],
      "low": ["cat:Uncategorized", "cat:Weakly Protective", "cat:Network Protective", "cat:Strongly Protective"]
    },
    "loadDataFrom": "registry",
    "outputPath": "/tmp/sandworm",
    "skipAll": true,
    "failOn": ["*.critical", "*.high"]
  }
}

Thanks for any help you can provide!

gabidobo commented 1 year ago

@neumartin thank you for submitting this! I agree this would be a useful config.

I'll get it done and check back here when it's released 👍

neumartin commented 1 year ago

> @neumartin thank you for submitting this! I agree this would be a useful config.
>
> I'll get it done and check back here when it's released 👍

Thanks @gabidobo! Meanwhile I tried to put all license categories in low, but it does not work. I used this config file:

{
  "audit": {
    "includeDev": true,
    "showVersions": true,
    "maxDepth": 10,
    "minDisplayedSeverity": "moderate",
    "licensePolicy": {
      "categories": [
        {
          "name": "Permissive",
          "licenses": ["*"]
        }
      ],
      "low": ["cat:Uncategorized", "cat:Weakly Protective", "cat:Network Protective", "cat:Strongly Protective"]
    },
    "loadDataFrom": "registry",
    "outputPath": "/tmp/sandworm",
    "skipAll": true,
    "failOn": ["*.critical", "*.high"]
  }
}

gabidobo commented 1 year ago

v1.39.0 now supports the --skip-license-issues toggle!

Regarding the configuration above - the high, critical etc. fields in the license policy do not influence other types of license issues, like "invalid SPDX" or "not OSI approved". Those specific license issues have hardcoded severities right now.
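
The following is an added illustrative model, not sandworm's own code, of why the config above still produces license output and what the new toggle changes. A wildcard category ("*") puts every license in "Permissive", so the policy buckets never fire, but issues such as "invalid SPDX" or "not OSI approved" carry their own severity and are only silenced by skipping license issues altogether. The function names, the issue type strings, the hardcoded "moderate" level for those issues, the failOn pattern shape "<type>.<severity>" and the sample package list are all assumptions made for this example.

```javascript
// Added example modelling the policy behaviour described in this thread.
// It is NOT sandworm's implementation; names and levels are assumptions.
const SEVERITY_RANK = { low: 0, moderate: 1, high: 2, critical: 3 };

// Constructed sample of what a dependency license scan might report.
const SAMPLE_PACKAGES = [
  { name: 'left-pad', license: 'MIT', spdxValid: true, osiApproved: true },
  { name: 'some-gpl-lib', license: 'GPL-3.0-only', spdxValid: true, osiApproved: true },
  { name: 'odd-lib', license: 'Custom-Proprietary-1', spdxValid: false, osiApproved: false },
];

// Assumed lookup: a "*" pattern matches every license (as in the thread's
// config); otherwise match the exact SPDX identifier.
function categorize(license, categories) {
  for (const cat of categories) {
    if (cat.licenses.includes('*') || cat.licenses.includes(license)) return cat.name;
  }
  return 'Uncategorized';
}

// Assumed: a category's severity comes from the policy buckets
// ("critical", "high", "moderate", "low") holding "cat:<Name>" entries.
function categorySeverity(category, policy) {
  for (const level of ['critical', 'high', 'moderate', 'low']) {
    if ((policy[level] || []).includes(`cat:${category}`)) return level;
  }
  return null; // category is not listed in any bucket: no policy issue
}

// Produce the license issues that would be displayed for one audit config.
function licenseIssues(packages, auditConfig) {
  // Models the --skip-license-issues toggle from v1.39.0 (assumed key name).
  if (auditConfig.skipLicenseIssues) return [];
  const policy = auditConfig.licensePolicy || { categories: [] };
  const issues = [];
  for (const pkg of packages) {
    const category = categorize(pkg.license, policy.categories || []);
    const sev = categorySeverity(category, policy);
    if (sev) issues.push({ type: 'license-policy', pkg: pkg.name, severity: sev });
    // These issue types ignore the policy buckets; the thread says their
    // severities are hardcoded, the exact level here is an assumption.
    if (!pkg.spdxValid) issues.push({ type: 'invalid-spdx', pkg: pkg.name, severity: 'moderate' });
    if (!pkg.osiApproved) issues.push({ type: 'not-osi-approved', pkg: pkg.name, severity: 'moderate' });
  }
  const min = SEVERITY_RANK[auditConfig.minDisplayedSeverity || 'low'];
  return issues.filter((i) => SEVERITY_RANK[i.severity] >= min);
}

// Assumed failOn semantics: "<type>.<severity>" with "*" as a wildcard.
function shouldFail(issues, failOn) {
  return issues.some((i) =>
    failOn.some((pattern) => {
      const [t, s] = pattern.split('.');
      return (t === '*' || t === i.type) && (s === '*' || s === i.severity);
    }),
  );
}

// Same policy as the thread's config: wildcard Permissive category,
// everything else mapped to "low", moderate display threshold.
const THREAD_CONFIG = {
  minDisplayedSeverity: 'moderate',
  licensePolicy: {
    categories: [{ name: 'Permissive', licenses: ['*'] }],
    low: ['cat:Uncategorized', 'cat:Weakly Protective', 'cat:Network Protective', 'cat:Strongly Protective'],
  },
  failOn: ['*.critical', '*.high'],
};

console.log(licenseIssues(SAMPLE_PACKAGES, THREAD_CONFIG)); // two "odd-lib" issues remain
console.log(licenseIssues(SAMPLE_PACKAGES, { ...THREAD_CONFIG, skipLicenseIssues: true })); // []
```

With the wildcard policy only the two hardcoded-severity issues for the constructed "odd-lib" package survive the moderate threshold, and they do not trip the "*.critical" / "*.high" failOn patterns; setting the skip toggle is the only way in this model to get the clean, vulnerability-only log the reporter asked for.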

github-actions[bot] commented 1 year ago

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] commented 1 year ago

This issue was closed because it has been inactive for 14 days since being marked as stale.