.ort.yml
# Copyright (C) 2023 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0
# License-Filename: LICENSE
excludes:
  paths:
  - pattern: "buildSrc/**"
    reason: "BUILD_TOOL_OF"
    comment: >-
      The buildSrc directory contains build scripts for the Gradle build tool.
  - pattern: "**/src/test/**"
    reason: "TEST_OF"
    comment: >-
      Licenses contained in this directory are used for testing and do not apply to the ORT server.
  - pattern: "website/**"
    reason: "OTHER"
    comment: >-
      The website directory contains the ORT server's website and is not part of the server itself.
  scopes:
  - pattern: ".*[tT]est.*"
    reason: "TEST_DEPENDENCY_OF"
    comment: >-
      Packages for testing only.
  - pattern: "detekt.*"
    reason: "DEV_DEPENDENCY_OF"
    comment: >-
      Packages for static code analysis only.
  - pattern: "devDependencies"
    reason: "TEST_DEPENDENCY_OF"
    comment: >-
      Packages for development only.
  - pattern: "kotlin.*"
    reason: "BUILD_DEPENDENCY_OF"
    comment: >-
      Packages for Kotlin compiler only.
  - pattern: "metadataCompileClasspath"
    reason: "BUILD_DEPENDENCY_OF"
    comment: >-
      Packages for Kotlin compiler only.
curations:
  packages:
  - id: "Maven:org.ossreviewtoolkit.utils:spdx-utils:"
    curations:
      concluded_license: 'Apache-2.0'
      comment: |
        The SPDX utils contain a list of every known license. Conclude the license as this is an ORT internal
        dependency and we can be sure that the license is in fact Apache-2.0.
resolutions:
  issues:
  - message: "ERROR: Timeout after .+ seconds while scanning file 'rules/matrixseqexpl.json'."
    reason: SCANNER_ISSUE
    comment: "This file does not contain any license declarations."
  vulnerabilities:
  - id: "CVE-2022-40150"
    reason: "INEFFECTIVE_VULNERABILITY"
    comment: |
      This vulnerability is reported for the jettison package which is a transitive dependency of the SW360 client used
      by the ORT scanner. The component is vulnerable to Denial of Service attacks causing out of memory errors for
      specially crafted parser inputs. Since it is used here only to parse responses of valid SW360 servers, this is not
      an issue.
  - id: "CVE-2022-45685"
    reason: "INEFFECTIVE_VULNERABILITY"
    comment: |
      This vulnerability is reported for the jettison package which is a transitive dependency of the SW360 client used
      by the ORT scanner. The component is vulnerable to Denial of Service attacks due to uncontrolled recursion for
      specially crafted parser input. Since it is used only to parse responses of valid SW360 servers, this is not an
      issue.
  - id: "CVE-2022-45693"
    reason: "INEFFECTIVE_VULNERABILITY"
    comment: |
      This vulnerability is reported for the jettison package which is a transitive dependency of the SW360 client used
      by the ORT scanner. The component is vulnerable to Denial of Service attacks causing stack overflow for specially
      crafted parser input. Since it is used here only to parse responses of valid SW360 servers, this is not an issue.