
Commit b47f43b

Update documentation for transitive dependency scanning (#1040)
1 parent 27db6bf commit b47f43b

File tree

1 file changed

+21
-13
lines changed


docs/supported_languages_and_lockfiles.md

+21-13
@@ -22,19 +22,19 @@ nav_order: 2
2222

2323
A wide range of lockfiles are supported by utilizing this [lockfile package](https://github.com/google/osv-scanner/tree/main/pkg/lockfile).
2424

25-
| Language | Compatible Lockfile(s) |
26-
| :--------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------- |
27-
| C/C++ | `conan.lock`<br>[C/C++ commit scanning](#cc-scanning) |
28-
| Dart | `pubspec.lock` |
29-
| Elixir | `mix.lock` |
30-
| Go | `go.mod` |
31-
| Java | `buildscript-gradle.lockfile`<br>`gradle.lockfile`<br>`gradle/verification-metadata.xml`<br>`pom.xml`[\*](https://github.com/google/osv-scanner/issues/35) |
32-
| Javascript | `package-lock.json`<br>`pnpm-lock.yaml`<br>`yarn.lock` |
33-
| PHP | `composer.lock` |
34-
| Python | `Pipfile.lock`<br>`poetry.lock`<br>`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)<br>`pdm.lock` |
35-
| R | `renv.lock` |
36-
| Ruby | `Gemfile.lock` |
37-
| Rust | `Cargo.lock` |
25+
| Language | Compatible Lockfile(s) |
26+
| :--------- | :----------------------------------------------------------------------------------------------------------------------------------------- |
27+
| C/C++ | `conan.lock`<br>[C/C++ commit scanning](#cc-scanning) |
28+
| Dart | `pubspec.lock` |
29+
| Elixir | `mix.lock` |
30+
| Go | `go.mod` |
31+
| Java | `buildscript-gradle.lockfile`<br>`gradle.lockfile`<br>`gradle/verification-metadata.xml`<br>`pom.xml`[\*](#transitive-dependency-scanning) |
32+
| Javascript | `package-lock.json`<br>`pnpm-lock.yaml`<br>`yarn.lock` |
33+
| PHP | `composer.lock` |
34+
| Python | `Pipfile.lock`<br>`poetry.lock`<br>`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)<br>`pdm.lock` |
35+
| R | `renv.lock` |
36+
| Ruby | `Gemfile.lock` |
37+
| Rust | `Cargo.lock` |
3838

3939
## Alpine Package Keeper and Debian Package Manager
4040

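Review bot: the `[*]` footnote on the `pom.xml` row (line 31) now links to the in-page `#transitive-dependency-scanning` anchor, while the `[*]` on the `requirements.txt` row (line 34) still links to GitHub issue #34, so one marker now carries two unrelated meanings and nothing under the table explains either. Add a footnote line beneath the table, e.g. `\* pom.xml: transitive dependencies are resolved via deps.dev, see [Transitive dependency scanning](#transitive-dependency-scanning)`, or use distinct markers for the two cases. Also confirm that the `## Transitive dependency scanning` heading added further down in this file renders to exactly `#transitive-dependency-scanning` under the docs site's generator; a mismatch produces a dead link with no build error.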
@@ -70,6 +70,14 @@ Submoduled dependencies are included in the project folder retain their Git hist
7070

7171
Vendored dependencies have been directly copied into the project folder, but do not retain their Git histories. OSV-Scanner uses OSV's [determineversion API](https://google.github.io/osv.dev/post-v1-determineversion/) to estimate each dependency's version (and associated Git Commit). Vulnerabilities for the estimated version are returned. This process requires no additional work from the user. Run OSV-Scanner as you normally would.
7272

73+
## Transitive dependency scanning
74+
75+
OSV-Scanner supports transitive dependency scanning for Maven pom.xml. This feature is enabled by default when scanning, but it is disabled in the [offline mode](./offline-mode.md).
76+
77+
OSV-Scanner uses [deps.dev’s resolver library](https://pkg.go.dev/deps.dev/util/resolve) to compute the dependency graph of a project. This graph includes all of the direct and transitive dependencies. By default, [deps.dev API](https://docs.deps.dev/api/v3/index.html) is queried for package versions and requirements. The support for private registries is [coming soon](https://github.com/google/osv-scanner/issues/1045).
78+
79+
After the dependency resolution, the OSV database is queried for the vulnerabilities associated with these dependencies as usual.
80+
7381
## Custom Lockfiles
7482

7583
If you have a custom lockfile that we do not support or prefer to do your own custom parsing, you can extract the custom lockfile information and create a custom intermediate file containing dependency information so that osv-scanner can still check for vulnerabilities.
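Review bot: the new section (lines 73-80) does not say what the scanner does when a dependency cannot be resolved through deps.dev, which is the expected case for anything hosted on a private registry given that line 77 says private-registry support is still coming. Readers need to know whether the scan fails, skips that subtree, or reports only the direct dependency, because a silently skipped subtree is a set of missed vulnerabilities; state the behaviour and how to opt out of resolution if that is possible. Two smaller points: since line 77 says the deps.dev API is queried by default, say explicitly that dependency identifiers from the `pom.xml` are sent to an external service (which is the reason offline mode disables the feature, per line 75) and that an offline scan of the same file will therefore cover a smaller dependency set than an online one; and on line 75 write `pom.xml` in backticks to match the table above, with "Support for private registries is coming soon" rather than "The support".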
