
Repository Integrations - Overriding SCA Scanner Configurations

Introduction

The Repository Integration runs the Unified Agent under the covers to gather all open source dependency information for an SCA scan. This process uses a default configuration that works for a majority of projects, but Mend cannot guarantee that it will provide accurate results for every project. For this reason, it is occasionally necessary to change the default Unified Agent configuration.

How to Configure

The Repository Integrations have two ways of specifying overriding configurations for the Unified Agent. The choice is made with the "configMode" parameter in the "scanSettings" section of the .whitesource file. The two valid values for this setting are "LOCAL" and "EXTERNAL".

Local Override

To add the overriding configuration directly to the repository you are scanning, you can use the LOCAL value. This allows you to add a whitesource.config file to the root of the repository where you can add extra configurations.

For example:

JSON
{
  "scanSettings": {
    "configMode": "LOCAL"
  }
}

External Override

To add the overriding configuration to an external source that the integration can pull from, use the EXTERNAL value along with a URL to that source in configExternalUrl. This allows you to add a file with overriding configuration to a publicly accessible endpoint that the integration can pull to get its extra configurations.

For example:

JSON
{
  "scanSettings": {
    "configMode": "EXTERNAL",
    "configExternalUrl": "https://mysite.com/myconfiguration.config"
  }
}

Known limitation: Currently, the integration can only pull these configurations from a source that does not require credentials. This means that a publicly available source is required for this option to work. If you are using a Self-Managed Repo Integration, these configurations can be hosted directly on the containers.

Hosting configurations directly on the integration containers

To host the whitesource.config file directly on a self-managed container, map the file into the container at a directory of your choosing, and then reference it with the configExternalUrl option, for example:

CODE
{
  "scanSettings": {
    "configMode": "EXTERNAL",
    "configExternalUrl": "file://<path_to_configuration_file>"
  }
}

The value must be the full path of the configuration file including the first /. So if the whitesource.config file is at the root of the container then the value would be: file:///whitesource.config.
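A pre-commit style check for the scanSettings rules described above, as an added example that is not Mend's own code. The function name, the finding messages and the treatment of a missing configMode as "no override" are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

VALID_MODES = {"LOCAL", "EXTERNAL"}  # the two values the page lists


def check_scan_settings(whitesource_text):
    """Return a list of findings for the scanSettings block of a .whitesource file."""
    settings = json.loads(whitesource_text).get("scanSettings", {})
    mode = settings.get("configMode")
    if mode is None:
        return []  # assumption: no configMode means no override is requested
    if mode not in VALID_MODES:
        return [f"configMode {mode!r} is not LOCAL or EXTERNAL"]
    if mode == "LOCAL":
        return []  # overrides are read from whitesource.config in the repo root
    url = settings.get("configExternalUrl")
    if not url:
        return ["configMode is EXTERNAL but configExternalUrl is missing"]
    parts = urlparse(url)
    findings = []
    if parts.username or parts.password:
        # The source must not require credentials, and this file is committed.
        findings.append("configExternalUrl embeds credentials")
    if parts.scheme == "file":
        # file://whitesource.config parses 'whitesource.config' as a host, not a path.
        if parts.netloc or not parts.path.startswith("/"):
            findings.append("file:// value needs the full path, e.g. file:///whitesource.config")
    elif parts.scheme == "http":
        findings.append("http:// source is fetched without transport integrity")
    elif parts.scheme != "https":
        findings.append(f"scheme {parts.scheme!r} is not https:// or file://")
    return findings


# Constructed sample inputs (not taken from a real repository).
SAMPLES = {
    "page example": '{"scanSettings": {"configMode": "EXTERNAL", "configExternalUrl": "https://mysite.com/myconfiguration.config"}}',
    "missing slash": '{"scanSettings": {"configMode": "EXTERNAL", "configExternalUrl": "file://whitesource.config"}}',
    "plain http": '{"scanSettings": {"configMode": "EXTERNAL", "configExternalUrl": "http://mysite.com/myconfiguration.config"}}',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", check_scan_settings(text) or "ok")
```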

Useful Configurations

Here are a few examples of when overriding the Unified Agent configurations is important.

  1. Not all packages for a Maven project can be resolved, but you would still like information on other open source dependencies.
    In this instance, the configuration parameter that should be used is:

    CODE
    maven.allowPartialTree=true

    This allows the Maven resolver to continue resolving other packages instead of erroring out completely when a package is missing.

  2. Another possible instance is when development dependencies should not be resolved in an npm project. By default, the configuration includes them.
    For this example, the configuration parameter should be:

    CODE
    npm.includeDevDependencies=false