Documentation

FossID-DA Settings File

FossID-DA can detect a custom settings file and apply the settings in it to the current analysis configuration. The file must be named:

  • fossid-settings.toml

How does it work?

Place the fossid-settings.toml file in the root of the scan directory that will be analyzed:

├── scan_test_1
    ├── aclocal
    ├── bower.json
    ├── CHANGES.md
    ├── CMakeLists.txt
    ├── compiler
    ├── composer.json
    ├── LICENSE.txt
    ├── fossid-settings.toml
    ├── package.json
    └── package-lock.json

The file is detected automatically and every setting found in it updates the corresponding value in the scan configuration.

What settings can be set in fossid-settings.toml?

The same settings that fossid.conf accepts can be placed in fossid-settings.toml:

1. List of dependency types that FDA should take into account when running dependency analysis:

[dependency-analysis]
# ["Maven", "PyPI", "Gem", "Composer", "NPM", etc]
# To process all dependency types use: ["ALL"]
supported_package_managers = ["ALL"]

2. Dependency manager version settings:

[dependency-analysis.system_settings]
# win32, win64, darwin, debian, unix
da_os_type = "linux"
da_python_version = "3.11.4"
da_npm_version = "7.24.2"
da_node_version = "14.21.3"
da_ruby_version = "3.2.2"
da_gem_version = "3.0.3"
da_maven_version = "3.9.2"
da_scala_version = "2.11"
da_cocoapod_version = "1.15.2"
da_swift_version = "5.10"
da_dotnet_framework = ".NETFramework4.5"
da_dotnet_standard = ".NETStandard1.3"

3. Download settings (used with deep scan mode):

[dependency-analysis.download_options]
da_download_path = "/tmp/fossid-da"

4. Scan settings:

[dependency-analysis.scan_options]
da_ignore_lock_manifests = 0
da_single_dependency_versions = 1
da_only_unmanaged = 0
da_allow_dynamic_scopes = 1
da_allow_archive_scanning = 1
da_deep_scan = 0
da_accept_pre_releases = 0
da_allow_node_modules_processing = 0
da_ignore_hidden_files = 1
da_allow_user_agent = 1
da_use_yarn = 0

5. Import scan settings:

[dependency-analysis.import_scan_options]
da_cpp_import_search = 1
da_py_import_search = 0
da_go_import_search = 0

6. Git settings:

[dependency-analysis.git_options]
da_git_user = ""
da_git_token = ""

Note: fossid-settings.toml lives in the root of the scanned source tree, so a token written here is stored in plain text next to the code and travels with whatever is committed or uploaded with the scan. Use a token with the narrowest (read-only) scope that works, and leave the value empty in any copy of the file that is checked into version control.

7. Dependency scope settings:

Note: When lockfiles are present and detected, FossID-DA does not filter dependencies by scope. Scope-based filtering only applies when lockfiles are absent.

[dependency-analysis.dependency_scopes]
# Process test scopes. Different project types.
da_ds_test_dependencies=0

# Process development scopes. Different project types.
da_ds_dev_dependencies=0

# Process peer dependencies scopes. Generally NPM projects.
da_ds_peer_dependencies=0

# Process plugin dependencies scopes. Generally Maven projects.
da_ds_plugin_dependencies=0

# Process extensions dependencies scopes. Generally Maven projects.
da_ds_extensions_dependencies=0

# Process provided dependencies scopes. Generally Maven projects.
da_ds_provided_dependencies=0

# Process runtime dependencies scopes. Generally Maven and Gem projects.
da_ds_runtime_dependencies=1

# Process library dependencies scopes. Generally Maven projects.
da_ds_library_dependencies=0

# Process optional dependencies scopes. Different project types.
da_ds_optional_dependencies=0

# Process dependency_overrides dependencies scopes. Generally Dart/Pub projects.
da_ds_dependency_overrides=0

# Process framework dependencies scopes. Generally C/C++ projects.
da_ds_framework=1

# Process classpath dependencies scopes. Generally Maven projects.
da_ds_classpath_dependencies=0

# Process ext scopes. Generally PHP/Composer projects
da_ds_ext_dependencies=0

# Process indirect/transitive scopes. Generally Go projects
da_ds_indirect_dependencies=0

# Process Hatch environments. Generally Hatch projects.
# Comma-separated environment names. Ex: "default,lint"
da_ds_hatch_envs=""

8. Dependency graph settings:

[dependency-analysis.graph_depth]
da_gd_maven = 5
da_gd_pypi = 4
da_gd_gem = 7
da_gd_cargo = 4
da_gd_cocoapod = 4
da_gd_npm = 10
da_gd_general = 4
da_gd_go = 2

9. Ignore settings:

[dependency-analysis.ignore_settings]
da_ignore_folders = ""

10. Proxy settings:

[dependency-analysis.proxy_settings]
# Activate proxy usage
da_use_proxy = 0

# Your proxy hostname or IP
da_proxy_host = ""

# Your proxy port (e.g. 8080)
da_proxy_port = ""

# Your proxy username
da_proxy_user = ""

# Your proxy password (plain text), or use the client certificate and key below
da_proxy_pass = ""

# Your SSL proxy client certificate
da_proxy_cert = ""

# Your private key for SSL and TLS proxy client certificate
da_proxy_key = ""

INFO: More info about dependency filtering can be found in FossID-DA-Filtering-Dependency-Types section.

INFO: More info about config settings can be found in FossID-DA-Config-Options section.


Potential deletion of fossid-settings.toml when added to a completed Workbench scan

When a fossid-settings.toml file is added manually to the directory of a scan that has already been completed in Workbench, it may be deleted automatically after the dependency analysis (FDA) runs.

This happens because Workbench performs a cleanup process after the analysis to maintain the integrity of the scan data. During this process, Workbench compares the scan directory contents before and after the analysis and removes any files that were not originally part of the scan.

Therefore, any manually added files, including fossid-settings.toml, will be removed automatically.

Note:

  • The deletion is not caused by FDA, but by Workbench’s post-analysis cleanup mechanism.
  • This behavior is expected and ensures that the scan folder remains consistent with its original state.
  • If you need the fossid-settings.toml to persist, place it in the root of the scan folder before starting the scan in Workbench.