# Configuration You can pass one or more TOML configuration files to the `sbom-cve-check` tool using the `--config` flag. If multiple configuration files are provided, they are merged. For example, if two configuration files are specified, the second file can add new options, replace, or extend options declared in the first file. Note that it is not possible to remove or unset a previously declared option. The configuration file allows you to configure various elements, as detailed in the following subsections. ## Configurable elements ### Databases You can add multiple {term}`CVE databases` and {term}`annotation databases`, as described in the [database configuration](database.md#database-configuration) section. Databases are specified within the `[databases]` table. ### Plugins You can configure search paths for loading plugins using the `plugins=` option. This option expects an array of paths, as described in more detail in the [plugins](plugins.md#search-locations) section. If multiple configuration files include the `plugins=` option, the plugin search paths are extended to include all specified paths. ### Arguments You can specify `sbom-cve-check` arguments directly in the configuration file. These arguments are combined with those passed from the command line. To add arguments in the configuration file, include them in the `args=` option within the `[sbom-cve-check]` table. The value of `args=` must be an array of strings. For example, to enable verbose output, you can add the following to a TOML file: ```toml [sbom-cve-check] args = ["-vv"] ``` You can also specify all arguments in the configuration file if needed. For example, with a configuration file named `my-check.toml`: ```toml [sbom-cve-check] args = [ "--sbom-path", "my-image.rootfs.spdx.json", "--export-type", "yocto-cve-check-manifest", "--export-path", "out.json" ] ``` In this case, you only need to run `sbom-cve-check` with the `--config` argument: ```sh sbom-cve-check --config my-check.toml ``` **Note:** If relative paths are used in the `args=` array, they are resolved relative to the current working directory, not relative to the configuration file. Keep this limitation in mind. ## Configuration generation You can generate a configuration file that captures all the settings used during the current execution of the tool. This file includes references to databases, their versions, and the configuration applied, ensuring reproducibility and traceability. To generate this file, use the `--gen-repro-config` flag and specify the output file path for the generated TOML file. For example, the generated configuration file will look like this: ```toml plugins = [] [sbom-cve-check] version = "1.1.0" args = [ "--ignore-default-config", "--sbom-type", "spdx3", "--sbom-path", "/home/user/core-image-minimal-qemuarm.rootfs-20251009150829.spdx.json", "--sbom-annotation-priority", "100", "--no-sbom-obsolete-assessment-check", "--export-filter-vex-status", "under_investigation", "affected", "--export-process-native", "target", "--export-type", "yocto-cve-check-manifest", "--export-path", "/home/user/out.json", ] [databases.db-df75fa3da5f9aa1d9ed834d109641c47] type = "yocto-vex-manifest" name = "core-image-minimal-qemuarm.rootfs-20251009150829.json" priority = 101 obsolete_assessment_check = false path = "/home/user/core-image-minimal-qemuarm.rootfs-20251009150829.json" [databases.db-6061bd924825afe789df126a89638e7d] type = "cve-db-nvd-fkie" name = "nvd-fkie" priority = 50 path = "/home/user/.cache/sbom_cve_check/databases/nvd-fkie" cache_index_path = "/home/user/.cache/sbom_cve_check/databases/nvd-fkie/.sbom-cve-check-cache-index.json" git_url = "https://github.com/fkie-cad/nvd-json-data-feeds.git" auto_update_max_age = "20h" max_age_since_last_commit = true git_ref = "85d3d6c26f07c422388022a474f73fb41bfd4831" git_branch = "main" [databases.db-88fa58ee2922dd1af5aff646df045c9f] type = "cve-db-cvelist" name = "cvelist" priority = 50 path = "/home/user/.cache/sbom_cve_check/databases/cvelist" cache_index_path = "/home/user/.cache/sbom_cve_check/databases/cvelist/.sbom-cve-check-cache-index.json" git_url = "https://github.com/CVEProject/cvelistV5.git" auto_update_max_age = "20h" max_age_since_last_commit = true git_ref = "41ac2ebbc96d246e94a9fc76a6463988b013dd0b" git_branch = "main" ```