# FossID

The FossID scanner plugin.

## Configuration

### Example
```json
{
  "FossId": {
    "options": {
      "serverUrl": null,
      "projectName": null,
      "namingScanPattern": null,
      "waitForResult": true,
      "keepFailedScans": false,
      "deltaScans": false,
      "deltaScanLimit": 2147483647,
      "detectLicenseDeclarations": false,
      "detectCopyrightStatements": false,
      "timeout": 60,
      "fetchSnippetMatchedLines": false,
      "snippetsLimit": 500,
      "sensitivity": 10,
      "urlMappings": null,
      "writeToStorage": true
    },
    "secrets": {
      "user": null,
      "apiKey": null
    }
  }
}
```
### Options

**serverUrl**

The URL where the FossID service is running.

**user**

The user to authenticate against the server.

**apiKey**

The API key to access the FossID server.
**projectName**

The name of the FossID project. If null, the name will be determined from the repository URL.
**namingScanPattern**

The pattern for scan names when scans are created on the FossID instance. If null, a default pattern is used.

**waitForResult**

When set to false, ORT does not wait for repositories to be downloaded nor for scans to be completed. As a consequence, scan results won't be available in the ORT result.
**keepFailedScans**

Whether failed scans should be kept.
**deltaScans**

If set, ORT will create delta scans. When only changes in a repository need to be scanned, delta scans reuse the identifications of the latest scan on this repository to reduce the number of findings. If deltaScans is set and no scan exists yet, an initial scan, called the "origin" scan, will be created.
**deltaScanLimit**

This setting limits the number of delta scans to keep for a given repository. When a new delta scan is created, older delta scans are deleted until this number is reached. If unspecified, no limit is enforced on the number of delta scans to keep. This property is evaluated only if delta scans are enabled.
**detectLicenseDeclarations**

Configure to automatically detect license declarations. Uses the `auto_identification_detect_copyright` setting.

**detectCopyrightStatements**

Configure to detect copyright statements. Uses the `auto_identification_detect_copyright` setting.
**timeout**

Timeout in minutes for communication with FossID.

**fetchSnippetMatchedLines**

Whether the matched lines of snippets are to be fetched.

**snippetsLimit**

A limit on the number of snippets to fetch.

**sensitivity**

The sensitivity of the scan.
**urlMappings**

A comma-separated list of URL mappings that transform the VCS URLs of repositories before they are passed to the FossID service. This may be necessary if FossID uses a different mechanism to clone a repository, e.g., SSH instead of HTTP. Each mapping consists of two parts separated by the string `" -> "`:

- A regular expression to match the repository URL.
- The replacement to be used for this repository URL. It can reference the capture groups defined by the regular expression, so that rather flexible transformations can be achieved. In addition, it can contain the variables `#user` and `#password`, which are replaced by the credentials known for the target host.

The example

```
mapExampleRepo = https://my-repo.example.org(?<repoPath>.*) -> ssh://my-mapped-repo.example.org${repoPath}
```

would change the scheme from "https" to "ssh" and the host name for all repositories hosted on "my-repo.example.org". With

```
mapAddCredentials = (?<scheme>[^:]+)://(?<host>[^:/]+)(?<port>:\\d+)?(?<repoPath>.*) -> ${scheme}://#user:#password@${host}${port}${repoPath}
```

credentials would be added to every repository URL. Mappings are applied in the order they are defined.
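To check how a chain of mappings rewrites a repository URL before committing it to the configuration, the following added example (not ORT's own implementation) reimplements the documented semantics in Python: entries are split on commas, a mapping applies when its regular expression matches the whole URL, mappings run in the order given, and `#user`/`#password` are filled from a credential store keyed by the host of the mapped URL. The credential store, the full-match rule and the error on an unknown host are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import quote, urlsplit

# Constructed credential store keyed by host name; it stands in for the
# credentials ORT knows for a host (an assumption, not ORT's mechanism).
CREDENTIALS: Dict[str, Tuple[str, str]] = {
    "my-mapped-repo.example.org": ("alice", "s3cret"),
}

# The two mappings from the page, joined into one comma-separated value.
# The "\\d" of the JSON string is "\d" once the configuration is parsed.
URL_MAPPINGS = (
    "https://my-repo.example.org(?<repoPath>.*) -> "
    "ssh://my-mapped-repo.example.org${repoPath},"
    "(?<scheme>[^:]+)://(?<host>[^:/]+)(?<port>:\\d+)?(?<repoPath>.*) -> "
    "${scheme}://#user:#password@${host}${port}${repoPath}"
)


def parse_mappings(spec: str) -> List[Tuple[re.Pattern, str]]:
    """Split the option value into ordered (regex, replacement) pairs."""
    mappings = []
    for entry in filter(None, (e.strip() for e in spec.split(","))):
        pattern, sep, replacement = entry.partition(" -> ")
        if not sep:
            raise ValueError(f"mapping lacks ' -> ' separator: {entry!r}")
        # Java/Kotlin named groups "(?<name>...)" become Python "(?P<name>...)"
        # (lookbehinds "(?<=" and "(?<!" are left alone), and "${name}" in the
        # replacement becomes the "\g<name>" form that Match.expand() accepts.
        pattern = re.sub(r"\(\?<(?![=!])", "(?P<", pattern)
        replacement = re.sub(r"\$\{(\w+)\}", r"\\g<\1>", replacement)
        mappings.append((re.compile(pattern), replacement))
    return mappings


def map_url(url: str, mappings, credentials=CREDENTIALS) -> str:
    """Apply, in order, every mapping whose regex matches the whole URL."""
    for pattern, replacement in mappings:
        m = pattern.fullmatch(url)
        if m is None:
            continue
        url = m.expand(replacement)  # unmatched groups expand to ""
        if "#user" in url or "#password" in url:
            # Resolve the host of the mapped URL; the placeholders are stripped
            # first because a literal "#" would otherwise parse as a fragment.
            bare = url.replace("#user", "").replace("#password", "")
            host = urlsplit(bare).hostname
            if host not in credentials:
                raise LookupError(f"no credentials known for host {host!r}")
            user, password = credentials[host]
            url = url.replace("#user", quote(user, safe=""))
            url = url.replace("#password", quote(password, safe=""))
    return url
```

Splitting on commas means a regular expression containing a comma (such as a `{1,3}` quantifier) cannot be expressed in this list; keep that in mind when writing mappings.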
**writeToStorage**

Whether to write scan results to the storage.