Configuration File
A YAML configuration file is an alternative to setting each CVEScan subcommand option manually on the CLI. Note that an option set on the CLI overrides the value configured in the file.
A file path can be passed through the --config option of the CLI.
If none is provided, CVEScan checks for a configuration file named config.yml in the current directory.
Finally, it tries to retrieve it from the platform-specific configuration directory (e.g. ~/.config/cvescan/config.yml on Linux).
Definition
```yaml
basename: BASENAME # (1)!
inventory_format: INV_FORMAT
annotations: ANNOTATIONS
connectors:
  nvd:
    rate_limit_calls: RATE_LIMIT_CALLS
    rate_limit_period: RATE_LIMIT_PERIOD
    mirror: NVD_PATH
  osv:
    rate_limit_calls: RATE_LIMIT_CALLS
    rate_limit_period: RATE_LIMIT_PERIOD
    advanced_purl_parsing: true | false
  uct:
    mirror: UCT_PATH
  match:
    - nvd
    - osv
    - uct
  fetch:
    - nvd
    - osv
    - uct
scope:
  project: PROJECT
  component: COMPONENT
  transversal: TRANSVERSAL
scan_inventory:
  kept_packages: KEPT_PACKAGES
  profile: default | applicative # (2)!
api_integration:
  endpoint: ENDPOINT
  token: TOKEN
filter_report:
  cache_dir: FILTER_CACHE
  git_dir: GIT_DIR
  upstream_uri: REF
export_report:
  export_format: EXPORT_FORMAT
  vulnerable_only: true | false
serve-ui:
  port: PORT
```
- (1) BASENAME is the prefix used for all files handled by CVE Scan. When not specified, it is deduced from the inventory filename (without extension). It is used to name the generated reports when no -o option is provided.
- (2) The optional scan_inventory scan_profile configuration overrides the connectors match and fetch configuration as follows:
  - default: match: ["nvd"], fetch: ["nvd", "uct"]
  - applicative: match: ["osv"], fetch: ["nvd"]
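The following is an added illustration, not CVEScan's own code, of the precedence rules described on this page: the configuration file lookup order (--config, then ./config.yml, then the platform-specific directory), CLI options overriding file values, and the scan profile replacing the connectors match/fetch lists. It assumes the YAML file is parsed with PyYAML's yaml.safe_load, that unset CLI options are represented as None, and that CLI option names are expressed as dotted paths into the YAML structure (for example "export_report.vulnerable_only"); the sample configuration dictionary is constructed for the example.

```python
# Added illustration of the documented precedence rules; not CVEScan's own code.
# Assumptions: the YAML file is parsed with PyYAML (yaml.safe_load), unset CLI
# options are passed as None, and CLI option names are dotted paths into the
# YAML structure (e.g. "export_report.vulnerable_only").
import copy
from pathlib import Path
from typing import Callable, Optional

# Profile overrides as stated in annotation (2) of the definition above.
PROFILE_OVERRIDES = {
    "default": {"match": ["nvd"], "fetch": ["nvd", "uct"]},
    "applicative": {"match": ["osv"], "fetch": ["nvd"]},
}


def find_config_path(
    cli_path: Optional[str],
    cwd: str,
    platform_config_dir: str,
    exists: Callable[[Path], bool] = Path.is_file,
) -> Optional[Path]:
    """Resolve the configuration file in the documented order.

    1. A path passed explicitly via --config is used as-is (and must exist).
    2. Otherwise config.yml in the current directory.
    3. Otherwise config.yml in the platform-specific directory
       (e.g. ~/.config/cvescan on Linux).
    Returns None when no file is found. `exists` is injectable so the lookup
    can be exercised without touching the filesystem.
    """
    if cli_path is not None:
        explicit = Path(cli_path)
        if not exists(explicit):
            raise FileNotFoundError(f"--config file not found: {explicit}")
        return explicit
    for candidate in (Path(cwd) / "config.yml", Path(platform_config_dir) / "config.yml"):
        if exists(candidate):
            return candidate
    return None


def load_config(path: Path) -> dict:
    """Parse the YAML file; PyYAML is assumed to be installed."""
    import yaml  # imported lazily so the precedence helpers run without it

    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


def merge_cli_overrides(file_cfg: dict, cli_options: dict) -> dict:
    """Options set on the CLI (value is not None) override file values."""
    merged = copy.deepcopy(file_cfg)
    for dotted, value in cli_options.items():
        if value is None:  # option not given on the CLI: keep the file value
            continue
        *parents, leaf = dotted.split(".")
        node = merged
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = value
    return merged


def apply_scan_profile(cfg: dict) -> dict:
    """scan_inventory.profile, when present, replaces connectors.match/fetch."""
    profile = (cfg.get("scan_inventory") or {}).get("profile")
    if profile is None:
        return cfg
    if profile not in PROFILE_OVERRIDES:
        raise ValueError(f"unknown scan profile: {profile!r}")
    resolved = copy.deepcopy(cfg)
    resolved.setdefault("connectors", {}).update(copy.deepcopy(PROFILE_OVERRIDES[profile]))
    return resolved


def resolve_config(file_cfg: dict, cli_options: dict) -> dict:
    """Full precedence: file values < CLI options, then the profile override."""
    return apply_scan_profile(merge_cli_overrides(file_cfg, cli_options))


# Constructed sample of what yaml.safe_load would return for a config.yml.
SAMPLE_FILE_CFG = {
    "basename": "myapp",
    "connectors": {
        "match": ["nvd", "osv", "uct"],
        "fetch": ["nvd", "osv", "uct"],
    },
    "scan_inventory": {"profile": "default"},
    "export_report": {"vulnerable_only": False},
}

if __name__ == "__main__":
    # basename left unset on the CLI, vulnerable_only switched on from the CLI.
    cfg = resolve_config(SAMPLE_FILE_CFG, {"basename": None, "export_report.vulnerable_only": True})
    print(cfg["basename"], cfg["connectors"], cfg["export_report"])
```

The merge never mutates the dictionary loaded from the file, so the same file configuration can be resolved once per subcommand with different CLI options; the "default" profile is applied only when it is written explicitly in the file or on the CLI, since the page does not state what happens when no profile is set.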