Repository Integrations - Overriding SCA Scanner Configurations
Introduction
The Repository Integration runs the Unified Agent under the covers to gather all open source dependency information for an SCA scan. This process uses a default configuration that, although it works for the majority of projects, Mend cannot guarantee will produce accurate results for every project. Because of this, it is occasionally necessary to change the default Unified Agent configuration.
How to Configure
The Repository Integrations have two different ways of specifying overriding configurations for the Unified Agent. This is specified with the "configMode" parameter in the "scanSettings" section of the .whitesource file. The two valid values for this setting are "LOCAL" and "EXTERNAL".
Local Override
To add the overriding configuration directly to the repository you are scanning, you can use the LOCAL value. This allows you to add a whitesource.config file to the root of the repository where you can add extra configurations.
For example:
{
  "scanSettings": {
    "configMode": "LOCAL"
  }
}
External Override
To add the overriding configuration to an external source that the integration can pull from, you can use the EXTERNAL value along with a URL pointing to that source. This allows you to place a file with the overriding configuration at a publicly accessible endpoint from which the integration fetches its extra configuration.
For example:
{
  "scanSettings": {
    "configMode": "EXTERNAL",
    "configExternalUrl": "https://mysite.com/myconfiguration.config"
  }
}
Known limitation: Currently, the integration can only fetch these configurations from a source that does not require credentials. This means a publicly available source is required for this option to work. If you are using a Self-Managed Repo Integration, these configurations can instead be hosted directly on the integration containers.
Hosting configurations directly on the integration containers
To host the whitesource.config file directly on a self-managed container, you can map the file directly into the container at a directory of your choosing, and then reference the file with the configExternalUrl option like:
{
  "scanSettings": {
    "configMode": "EXTERNAL",
    "configExternalUrl": "file://<path_to_configuration_file>"
  }
}
The value must be the full path of the configuration file, including the leading /. So if the whitesource.config file is at the root of the container, the value would be: file:///whitesource.config.
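The rules above (configMode is LOCAL or EXTERNAL, EXTERNAL needs a configExternalUrl, a file:// value must carry the full absolute path with all three slashes) are easy to get wrong in a hand-edited .whitesource file. The following validator is an added example, not code from Mend or from the integration itself: it applies those documented rules to the scanSettings section and, as labelled assumptions of this example, also flags a template placeholder that was never replaced and a plain-http external URL. The sample .whitesource contents are constructed for the example.

```python
import json
import os
from typing import List, Optional

VALID_MODES = {"LOCAL", "EXTERNAL"}

# Constructed sample .whitesource contents used to exercise the checks below;
# these are not taken from any real repository.
SAMPLE_LOCAL = '{"scanSettings": {"configMode": "LOCAL"}}'
SAMPLE_EXTERNAL_HTTPS = (
    '{"scanSettings": {"configMode": "EXTERNAL", '
    '"configExternalUrl": "https://mysite.com/myconfiguration.config"}}'
)
SAMPLE_EXTERNAL_FILE = (
    '{"scanSettings": {"configMode": "EXTERNAL", '
    '"configExternalUrl": "file:///whitesource.config"}}'
)
SAMPLE_BAD_FILE_URL = (  # missing the leading '/' of the path
    '{"scanSettings": {"configMode": "EXTERNAL", '
    '"configExternalUrl": "file://whitesource.config"}}'
)
SAMPLE_PLACEHOLDER = (  # template value that was never replaced
    '{"scanSettings": {"configMode": "EXTERNAL", '
    '"configExternalUrl": "file://<path_to_configuration_file>"}}'
)
SAMPLE_BAD_MODE = '{"scanSettings": {"configMode": "REMOTE"}}'
SAMPLE_MISSING_URL = '{"scanSettings": {"configMode": "EXTERNAL"}}'
SAMPLE_PLAIN_HTTP = (
    '{"scanSettings": {"configMode": "EXTERNAL", '
    '"configExternalUrl": "http://mysite.com/myconfiguration.config"}}'
)


def validate_whitesource(config_text: str, repo_root: Optional[str] = None) -> List[str]:
    """Return the problems found in a .whitesource file's scanSettings.

    Documented rules: configMode must be LOCAL or EXTERNAL, EXTERNAL needs a
    configExternalUrl, and a file:// value must carry the full absolute path
    (file:///...). The placeholder and plain-http checks are added
    recommendations (assumptions of this example), not documented rules.
    When repo_root is given, LOCAL mode also verifies that whitesource.config
    exists at the repository root.
    """
    try:
        data = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f".whitesource is not valid JSON: {exc}"]

    settings = data.get("scanSettings") if isinstance(data, dict) else None
    if not isinstance(settings, dict):
        return ["missing scanSettings object"]

    mode = settings.get("configMode")
    if mode is None:
        return []  # no override requested; the default Unified Agent configuration applies
    if mode not in VALID_MODES:
        return [f"configMode must be LOCAL or EXTERNAL, got {mode!r}"]

    problems: List[str] = []
    if mode == "LOCAL":
        if repo_root is not None and not os.path.isfile(os.path.join(repo_root, "whitesource.config")):
            problems.append("configMode is LOCAL but whitesource.config is not at the repository root")
        return problems

    url = settings.get("configExternalUrl")
    if not isinstance(url, str) or not url:
        return ["configMode is EXTERNAL but configExternalUrl is missing"]
    if "<" in url or ">" in url:
        return [f"configExternalUrl still contains a template placeholder: {url}"]

    if url.startswith("file:"):
        # The path must be absolute and the URL must keep all three slashes,
        # e.g. file:///whitesource.config for a file at the container root.
        if not url.startswith("file:///"):
            problems.append(
                "file URL must include the full path with its leading '/', "
                f"e.g. file:///whitesource.config (got {url})"
            )
    elif url.startswith("https://"):
        pass  # publicly reachable HTTPS endpoint, as in the documented example
    elif url.startswith("http://"):
        # Added recommendation: the fetched file becomes scanner configuration,
        # so fetch it over TLS rather than plain HTTP.
        problems.append("configExternalUrl uses plain http; prefer https")
    else:
        problems.append(f"unexpected URL scheme in configExternalUrl: {url}")
    return problems


if __name__ == "__main__":
    for name, text in [("LOCAL", SAMPLE_LOCAL), ("HTTPS", SAMPLE_EXTERNAL_HTTPS),
                       ("FILE", SAMPLE_EXTERNAL_FILE), ("BAD FILE", SAMPLE_BAD_FILE_URL),
                       ("PLACEHOLDER", SAMPLE_PLACEHOLDER), ("BAD MODE", SAMPLE_BAD_MODE),
                       ("NO URL", SAMPLE_MISSING_URL), ("HTTP", SAMPLE_PLAIN_HTTP)]:
        print(name, validate_whitesource(text) or "ok")
```

Running the script prints one line per constructed sample; an empty result means the scanSettings section passes every check. Pass the repository checkout as repo_root to also confirm that a LOCAL override actually has a whitesource.config file at the root, which is the commonest reason a local override silently does nothing.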
Useful Configurations
Here are a few examples of when overriding the Unified Agent configurations is important.
Not all packages for a Maven project can be resolved, but you would still like information on the other open source dependencies.
In this instance, the configuration parameter that should be used is: maven.allowPartialTree=true
This allows the Maven resolver to continue resolving the other packages instead of failing completely when a package is missing.
Another possible instance is if development dependencies should not be resolved in an npm project. By default, the configuration includes them.
For this example, the configuration parameter should be: npm.includeDevDependencies=false