Configure OSV-Scanner
To configure scanning, place an osv-scanner.toml file in the scanned file's directory. To override this osv-scanner.toml file, pass the --config=/path/to/config.toml flag with the path to the configuration you want to apply instead.
Ignore vulnerabilities by ID
To ignore a vulnerability, enter its ID under the IgnoredVulns key. Optionally, add an expiry date (ignoreUntil) or a reason.
Example
[[IgnoredVulns]]
id = "GO-2022-0968"
# ignoreUntil = 2022-11-09 # Optional exception expiry date
reason = "No ssh servers are connected to or hosted in Go lang"

[[IgnoredVulns]]
id = "GO-2022-1059"
# ignoreUntil = 2022-11-09 # Optional exception expiry date
reason = "No external http servers are written in Go lang."
Ignoring a vulnerability will also ignore vulnerabilities that are considered aliases of that vulnerability.
Override specific package
To ignore a specific package, or to manually set its license, enter the package name and ecosystem under the PackageOverrides key.
[[PackageOverrides]]
# The package name, version, and ecosystem to match against
name = "lib"
# If version is not set or empty, it will match every version
version = "1.0.0"
ecosystem = "Go"
# Ignore this package entirely, including license scanning
ignore = true
# Override the license of the package
# This is not used if ignore = true
license.override = ["MIT", "0BSD"]
# effectiveUntil = 2022-11-09 # Optional exception expiry date
reason = "abc"