Closed neumartin closed 1 year ago
@neumartin thank you for submitting this! I agree this would be a useful config.
I'll get it done and check back here when it's released 👍
Thanks @gabidobo! Meanwhile I tried to put all license categories in low, but it does not work. I used this config file:

```json
{
  "audit": {
    "includeDev": true,
    "showVersions": true,
    "maxDepth": 10,
    "minDisplayedSeverity": "moderate",
    "licensePolicy": {
      "categories": [
        {
          "name": "Permissive",
          "licenses": ["*"]
        }
      ],
      "low": ["cat:Uncategorized", "cat:Weakly Protective", "cat:Network Protective", "cat:Strongly Protective"]
    },
    "loadDataFrom": "registry",
    "outputPath": "/tmp/sandworm",
    "skipAll": true,
    "failOn": ["*.critical", "*.high"]
  }
}
```
v1.39.0 now supports the --skip-license-issues toggle!

Regarding the configuration above: the high, critical, etc. fields in the license policy do not influence other types of license issues, like "invalid SPDX" or "not OSI approved". Those specific license issues have hardcoded severities right now.
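The explanation above is why the "everything in low" policy earlier in the thread still produced license output: category severities only apply to issues raised by the policy itself, while "invalid SPDX" and "not OSI approved" keep a severity the tool fixes, and only a skip toggle silences them. The following is an added illustration written for this thread, not Sandworm's own code; the function names, the assumed fixed severities, the small SPDX and OSI lists, the sample packages and the failOn matching rule are all constructed assumptions.

```javascript
// Added illustration, not Sandworm's implementation. Models a license policy
// with category severities, two issue kinds whose severity the policy cannot
// change, a skip toggle, and a failOn filter. All names are assumptions.

const SEVERITY_LEVELS = ['critical', 'high', 'moderate', 'low'];

// Constructed sample lists; a real tool would use the full SPDX license list.
const KNOWN_SPDX_IDS = new Set([
  'MIT', 'ISC', 'Apache-2.0', 'BSD-3-Clause', 'GPL-3.0-only', 'AGPL-3.0-only', 'CC-BY-4.0',
]);
const OSI_APPROVED = new Set([
  'MIT', 'ISC', 'Apache-2.0', 'BSD-3-Clause', 'GPL-3.0-only', 'AGPL-3.0-only',
]);

// Assumed hardcoded severities for the issue kinds the policy does not control.
const FIXED_SEVERITY = { 'invalid-spdx': 'high', 'not-osi-approved': 'moderate' };

// Map a license to the first policy category that lists it ("*" matches all).
function categorize(license, policy) {
  for (const cat of policy.categories || []) {
    if (cat.licenses.includes('*') || cat.licenses.includes(license)) return cat.name;
  }
  return 'Uncategorized';
}

// Severity assigned by the policy buckets, matching either the license id
// or a "cat:<category>" entry; null when the policy does not flag it.
function policySeverity(license, category, policy) {
  for (const level of SEVERITY_LEVELS) {
    const matchers = policy[level] || [];
    if (matchers.includes(license) || matchers.includes(`cat:${category}`)) return level;
  }
  return null;
}

// Produce license issues for a package list. The skip toggle suppresses all
// license issues; the policy buckets only affect the "policy" kind.
function evaluateLicenses(packages, policy, options = {}) {
  if (options.skipLicenseIssues) return [];
  const issues = [];
  for (const { name, license } of packages) {
    if (!KNOWN_SPDX_IDS.has(license)) {
      issues.push({ package: name, kind: 'invalid-spdx', severity: FIXED_SEVERITY['invalid-spdx'] });
      continue; // an unknown identifier cannot be categorized
    }
    if (!OSI_APPROVED.has(license)) {
      issues.push({ package: name, kind: 'not-osi-approved', severity: FIXED_SEVERITY['not-osi-approved'] });
    }
    const category = categorize(license, policy);
    const severity = policySeverity(license, category, policy);
    if (severity) issues.push({ package: name, kind: 'policy', category, severity });
  }
  return issues;
}

// Assumed failOn rule shape: "<kind>.<severity>", where kind "*" matches any kind.
function failsOn(issues, failOn) {
  return issues.filter((issue) => failOn.some((rule) => {
    const [kind, severity] = rule.split('.');
    return (kind === '*' || kind === issue.kind) && severity === issue.severity;
  }));
}

// Constructed sample input.
const SAMPLE_PACKAGES = [
  { name: 'left-pad', license: 'MIT' },
  { name: 'some-gpl-lib', license: 'GPL-3.0-only' },
  { name: 'docs-theme', license: 'CC-BY-4.0' },          // valid SPDX, not OSI approved
  { name: 'legacy-lib', license: 'See LICENSE file' },   // not a valid SPDX identifier
];

// The policy from the thread: everything is "Permissive", all other categories in "low".
const ALL_LOW_POLICY = {
  categories: [{ name: 'Permissive', licenses: ['*'] }],
  low: ['cat:Uncategorized', 'cat:Weakly Protective', 'cat:Network Protective', 'cat:Strongly Protective'],
};

function demo() {
  const issues = evaluateLicenses(SAMPLE_PACKAGES, ALL_LOW_POLICY);
  // Two issues remain despite the policy: not-osi-approved and invalid-spdx.
  const failing = failsOn(issues, ['*.critical', '*.high']);
  const skipped = evaluateLicenses(SAMPLE_PACKAGES, ALL_LOW_POLICY, { skipLicenseIssues: true });
  return { issues, failing, skipped };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the two fixed-severity issues surviving the all-low policy, the invalid-SPDX one tripping the "*.high" failOn rule, and the skip toggle returning an empty list; swapping in a policy that puts a GPL category under high shows the buckets working for policy issues only.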
This issue is stale because it has been open for 30 days with no activity.
This issue was closed because it has been inactive for 14 days since being marked as stale.
Sandworm version: 1.38.1

Describe the bug: Can't disable license checking; I need only to check for vulnerabilities.

To Reproduce: Just run the CLI command with the default parameters.

Expected behavior: Something like this:

sandworm --license-policy '{"enable": false}'

System (please complete the following information):

Additional context: For my use case, I only need to check for vulnerabilities and need a clean log, without license info. This is my configuration file:

Thanks for any help you can provide!