{ "$schema": "http://json-schema.org/draft-07/schema#", "title": ".fossa.yaml", "description": ".fossa.yaml specification for FOSSA CLI 2.x or greater", "$defs": { "project": { "type": "object", "description": "The project fields allow you to configure settings for the project you are interacting with through the FOSSA API.", "properties": { "locator": { "type": "string", "minLength": 1, "description": "The project Locator defines a unique ID that the FOSSA API will use to reference this project within FOSSA. The project locator can be found in the UI on the project `Settings` page listed as the `Project Locator` underneath the `Project Title` setting." }, "id": { "type": "string", "minLength": 1, "description": "The project ID defines a unique ID that the FOSSA API will use to reference this project within your organization. The project ID is a specific portion of the project locator and can be found in the UI on the project `Settings` page listed as the `Project Locator` underneath the `Project Title` setting.\n\nBy default, the git remote origin URL is used as the project ID if the project is a git repository. If no version control system (VCS) is recognized, the project directory's name is used." }, "name": { "type": "string", "minLength": 1, "description": "The name field sets the project's visible name in the FOSSA dashboard. By default, this will be set to the project's ID." }, "team": { "type": "string", "minLength": 1, "description": "The name of the team in your FOSSA organization to associate this project with." }, "teams": { "type": "array", "description": "A list of team names in your FOSSA organization to associate this project with.", "items": { "type": "string" } }, "policy": { "type": "string", "minLength": 1, "description": "The name of the policy in your FOSSA organization to associate this project with. Mutually excludes `project.policyId`." 
}, "policyId": { "type": "integer", "minLength": 1, "description": "The id of the policy in your FOSSA organization to associate this project with. Mutually excludes `project.policy`." }, "link": { "type": "string", "minLength": 1, "description": "An external link that will appear in the FOSSA UI for this specific project." }, "url": { "type": "string", "minLength": 1, "description": "The URL of your project that will appear in FOSSA. This URL is intended to be the URL to the repository of this project." }, "jiraProjectKey": { "type": "string", "minLength": 1, "description": "The Jira Project Key to associate with your project for improved issue triage. Refer to https://docs.fossa.com/docs/atlassian-jira#linking-fossa-projects-to-jira-projects for more information." }, "releaseGroup": { "type": "object", "properties": { "name": { "type": "string", "minLength": 1, "description": "The name of the release group." }, "release": { "type": "string", "minLength": 1, "description": "The release associated with the release group." } }, "description": "The `name:` and `release:` of the release group's release to add your project to in the FOSSA dashboard. If you choose to associate a project with a release group, you **must** supply both name and release.", "required": [ "name", "release" ] }, "labels": { "type": "array", "description": "A list of labels that are assigned to the project", "items": { "type": "string" } } } }, "telemetry": { "type": "object", "description": "The telemetry fields are used to configure telemetry data collection and its destination.", "properties": { "scope": { "type": "string", "oneOf": [ { "const": "full", "description": "Collects telemetry data and sends it to the server." }, { "const": "off", "description": "Does not send telemetry data to the server." } ], "description": "Controls the scope of telemetry collection: `full` collects telemetry data and sends it to the server; `off` sends no telemetry data to the server." 
}, "commit": { "type": "string", "minLength": 1, "description": "The commit is used to identify a specific scan for a project (determined by project.id). This is intended to be used identically to how Git treats commit hashes. If not provided, cli will parse current HEAD state from .git directory. If project does not have version control system, unix timestamp will be used." } } }, "revision": { "type": "object", "description": "The revision fields are used to help FOSSA differentiate between one upload for a project and another, just as GitHub uses commit hashes and branch names.", "properties": { "branch": { "type": "string", "minLength": 1, "description": "project branch is an optional setting used for organizing project revisions in the FOSSA UI. The branch field is intended to function similar to how Git defines a branch." }, "commit": { "type": "string", "minLength": 1, "description": "The commit is used to identify a specific scan for a project (determined by project.id). This is intended to be used identically to how Git treats commit hashes. If not provided, cli will parse current HEAD state from .git directory. If project does not have version control system, unix timestamp will be used." 
} } }, "targetFilter": { "type": "object", "properties": { "type": { "type": "string", "oneOf": [ { "const": "bundler", "description": "For bundler targets (ruby)" }, { "const": "cargo", "description": "For cargo targets (rust)" }, { "const": "carthage", "description": "For carthage targets (ios, objective-c)" }, { "const": "cocoapods", "description": "For cocoapod targets (ios, objective-c, swift)" }, { "const": "composer", "description": "For composer targets (php)" }, { "const": "conda", "description": "For conda targets" }, { "const": "glide", "description": "For glide targets (golang)" }, { "const": "godep", "description": "For godep targets (golang)" }, { "const": "gradle", "description": "For gradle targets (kotlin and java)" }, { "const": "leiningen", "description": "For leiningen targets (clojure)" }, { "const": "maven", "description": "For maven targets (kotlin and java)" }, { "const": "mix", "description": "For mix targets (elixir)" }, { "const": "npm", "description": "For npm targets (javascript)" }, { "const": "nimble", "description": "For nimble targets (nim)" }, { "const": "pub", "description": "For pub targets (dart, flutter)" }, { "const": "rebar3", "description": "For rebar3 targets (erlang)" }, { "const": "rpm", "description": "For rpm targets" }, { "const": "renv", "description": "For renv targets (r)" }, { "const": "scala", "description": "For scala targets" }, { "const": "swift", "description": "For swift targets" }, { "const": "yarn", "description": "For yarn targets (javascript)" }, { "const": "repomanifest", "description": "For repomanifest" }, { "const": "cabal", "description": "For cabal targets (haskell)" }, { "const": "stack", "description": "For stack targets (haskell)" }, { "const": "nuspec", "description": "For nuspec targets (dotnet)" }, { "const": "packagereference", "description": "For package reference targets (dotnet)" }, { "const": "paket", "description": "For paket targets (dotnet)" }, { "const": "projectassetjson", 
"description": "For project asset json targets (dotnet)" }, { "const": "pipenv", "description": "For pipenv targets (python)" }, { "const": "poetry", "description": "For poetry targets (python)" }, { "const": "setuptools", "description": "For setuptools targets (python)" }, { "const": "perl", "description": "For perl targets (using *META.{json,yml})" }, { "const": "pnpm", "description": "For pnpm targets (javascript)" }, { "const": "pdm", "description": "For pdm targets (python)" }, { "const": "uv", "description": "For uv targets (python)" } ], "description": "Target (package manager)" }, "path": { "type": "string", "description": "Associated path with target type (if any)" } } }, "experimental": { "type": "object", "description": "Experimental preferences with fossa cli.", "properties": { "gradle": { "type": "object", "description": "Gradle preferences for all targets", "properties": { "configurations-only": { "type": "array", "description": "Configurations to only include in analysis (by default excludes any other configurations not listed)", "items": { "type": "string" }, "minItems": 1, "uniqueItems": true } } } } }, "vendoredDependencies": { "type": "object", "description": "the vendoredDependencies fields allow you to configure vendored dependency scans. Vendored dependency scans are described in https://github.com/fossas/fossa-cli/blob/master/docs/features/vendored-dependencies.md", "properties": { "forceRescans": { "type": "boolean", "description": "If true, forces a re-scan of all vendored dependencies on every run. If false or not present, then we do not re-scan vendored dependencies that have been previously scanned. A vendored dependency has been previously scanned if a dependency with the same name and version has already been scanned by your organization. If no version is provided, then any change in the files being scanned will result in a rescan." 
}, "scanMethod": { "type": "string", "oneOf": [ { "const": "ArchiveUpload", "description": "Vendored dependencies are scanned by the \"Archive Upload\" method, as described in https://github.com/fossas/fossa-cli/blob/master/docs/features/vendored-dependencies.md" }, { "const": "CLILicenseScan", "description": "Vendored dependencies are scanned by the \"CLI-side license scan\" method, as described in https://github.com/fossas/fossa-cli/blob/master/docs/features/vendored-dependencies.md" } ] }, "licenseScanPathFilters": { "type": "object", "description": "licenseScanPathFilters allows you to filter which files are scanned when doing a CLILicenseScan. This setting does not apply if you use the ArchiveUpload method of scanning vendoredDependencies.", "properties": { "only": { "type": "array", "description": "A list of globs that will be used to filter paths. If there are any entries in the `only` list, then only paths that match one or more of the globs in the `only` list will be scanned for licenses.", "items": { "type": "string" } }, "exclude": { "type": "array", "description": "A list of globs that will be used to filter paths. 
If there are any entries in the `exclude` list, then paths that match any of the `exclude` entries will not be scanned for licenses.", "items": { "type": "string" } } } } } }, "grepDefinition": { "type": "object", "description": "defines a search for a custom license or a keyword.", "required": [ "matchCriteria", "name" ], "properties": { "matchCriteria": { "type": "string", "minLength": 1, "description": "A regular expression used to find a keyword or custom license" }, "name": { "type": "string", "minLength": 1, "description": "The name of the keyword or custom license found by the regular expression defined in matchCriteria" } } }, "releaseGroup": { "type": "object", "description": "The releaseGroup field allows you to configure settings for the release group you are interacting with through the FOSSA API.", "properties": { "title": { "type": "string", "minLength": 1, "description": "The title of the release group which can be seen in the FOSSA dashboard." }, "release": { "type": "string", "minLength": 1, "description": "The release associated with the release group." }, "releaseGroupProjects": { "type": "array", "items": { "type": "object", "properties": { "projectLocator": { "type": "string", "description": "The project locator defines a unique ID that the FOSSA API will use to reference this project within FOSSA. The project locator can be found in the UI on the project `Settings` page listed as the `Project Locator` underneath the `Project Title` setting.\n\nBy default, it will use git remote origin url as project id if it's git repository. If it does not recognize version control system (vcs), project directory's name will be used." }, "projectRevision": { "type": "string", "description": "The revision associated with a project. Project revisions can be found in the UI on the project `Activity` page. Refer to `Revision ID` to retrieve the specific revision you want to use for the project." 
}, "projectBranch": { "type": "string", "description": "The branch associated with the project." } }, "required": [ "projectLocator", "projectRevision", "projectBranch" ] } }, "licensePolicy": { "type": "string", "minLength": 1, "description": "The name of the license policy associated with the release group." }, "securityPolicy": { "type": "string", "minLength": 1, "description": "The name of the security policy associated with the release group." }, "qualityPolicy": { "type": "string", "minLength": 1, "description": "The name of the quality policy associated with the release group." }, "teams": { "type": "array", "description": "A list of team names that are associated with the release group.", "items": { "type": "string" } } } } }, "type": "object", "properties": { "version": { "type": "integer", "const": 3, "description": "Specifies the version of the configuration file. Versions 1 and 2 were used by CLI versions up until CLI 2.0.0 and are no longer supported.\n\nCLI 2.x and greater only supports version 3." }, "server": { "type": "string", "minLength": 1, "description": "Sets the endpoint that the CLI will send requests to. This field should only be modified if your FOSSA account lives on a different server than app.fossa.com.\n\nThis is most commonly needed with on-premise instances of FOSSA. Because the API key and the uploaded scan data are sent to this endpoint, it should be an HTTPS URL of a FOSSA instance you trust." }, "apiKey": { "type": "string", "minLength": 1, "description": "Sets the FOSSA API token (see https://docs.fossa.com/docs/api-reference#api-tokens) that is required for accessing the FOSSA API and uploading data (e.g. `fossa analyze`) or retrieving information (e.g. `fossa test`) about a project.\n\nTreat this value as a secret: `.fossa.yaml` is normally committed to version control, so avoid storing the token here and prefer supplying it through the CLI's environment variable or command-line option instead. Use a token with no more privilege than the workflow needs." 
}, "project": { "$ref": "#/$defs/project" }, "releaseGroup": { "$ref": "#/$defs/releaseGroup" }, "telemetry": { "$ref": "#/$defs/telemetry" }, "vendoredDependencies": { "$ref": "#/$defs/vendoredDependencies" }, "revision": { "type": "object", "items": { "$ref": "#/$defs/revision" } }, "customLicenseSearch": { "type": "array", "items": { "$ref": "#/$defs/grepDefinition" } }, "experimentalKeywordSearch": { "type": "array", "items": { "$ref": "#/$defs/grepDefinition" } }, "reachability": { "type": "object", "description": "Controls the Reachability computation functionality", "properties": { "jvmOutputs": { "type": "object", "description": "Manually specify the list of JAR files output by each discovered Maven or Gradle project", "additionalProperties": { "type": "array", "items": { "type": "string", "description": "The path to a JAR file output by the project" } } } } }, "ignoreOrgWideCustomLicenseScanConfigs": { "type": "boolean", "default": false, "description": "Ignore custom-license scan configurations for your organization. These configurations are defined in the Integrations section of the Admin settings in the FOSSA web app." }, "targets": { "type": "object", "description": "The targets filtering allows you to specify the exact targets which should be scanned.", "properties": { "only": { "type": "array", "description": "The list of `only` targets that should be scanned.", "items": { "$ref": "#/$defs/targetFilter" } }, "exclude": { "type": "array", "description": "The list of `exclude` targets which should be excluded from scanning. The targets listed in the exclude section will override the targets listed in the only section.\n\nThis feature is used most effectively to remove specific targets from a directory.", "items": { "$ref": "#/$defs/targetFilter" } }, "excludeManifestStrategies": { "type": "boolean", "description": "If set to true, all manifest-based strategies for discovering targets will be skipped. 
This has the effect of only searching dependencies explicitly specified in fossa-deps.yml. This setting will override any target filters or path filters.", "default": false } } }, "paths": { "type": "object", "description": "The paths filtering section allows you to specify which paths should be scanned and which should not. The paths should be listed as their location from the root of your project.", "properties": { "only": { "type": "array", "description": "The list of paths to only allow scanning within.", "items": { "type": "string" } }, "exclude": { "type": "array", "description": "The list of paths to exclude from scanning in your directory.", "items": { "type": "string" } } } }, "maven": { "type": "object", "properties": { "scope-only": { "type": "array", "description": "The list of scopes to only allow scanning in your maven project.", "items": { "type": "string" } }, "scope-exclude": { "type": "array", "description": "The list of scopes to exclude from scanning in your maven project.", "items": { "type": "string" } } }, "oneOf": [ { "required": [ "scope-only" ] }, { "required": [ "scope-exclude" ] } ] } }, "required": [ "version" ] }