Update documentation for transitive dependency scanning #1040

Merged: 5 commits, Jun 19, 2024
Changes from 4 commits
34 changes: 21 additions & 13 deletions docs/supported_languages_and_lockfiles.md
@@ -22,19 +22,19 @@ nav_order: 2

A wide range of lockfiles are supported by utilizing this [lockfile package](https://github.com/google/osv-scanner/tree/main/pkg/lockfile).

| Language | Compatible Lockfile(s) |
| :--------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------- |
| C/C++ | `conan.lock`<br>[C/C++ commit scanning](#cc-scanning) |
| Dart | `pubspec.lock` |
| Elixir | `mix.lock` |
| Go | `go.mod` |
| Java | `buildscript-gradle.lockfile`<br>`gradle.lockfile`<br>`gradle/verification-metadata.xml`<br>`pom.xml`[\*](https://github.com/google/osv-scanner/issues/35) |
| Javascript | `package-lock.json`<br>`pnpm-lock.yaml`<br>`yarn.lock` |
| PHP | `composer.lock` |
| Python | `Pipfile.lock`<br>`poetry.lock`<br>`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)<br>`pdm.lock` |
| R | `renv.lock` |
| Ruby | `Gemfile.lock` |
| Rust | `Cargo.lock` |
| Language | Compatible Lockfile(s) |
| :--------- | :----------------------------------------------------------------------------------------------------------------------------------------- |
| C/C++ | `conan.lock`<br>[C/C++ commit scanning](#cc-scanning) |
| Dart | `pubspec.lock` |
| Elixir | `mix.lock` |
| Go | `go.mod` |
| Java | `buildscript-gradle.lockfile`<br>`gradle.lockfile`<br>`gradle/verification-metadata.xml`<br>`pom.xml`[\*](#transitive-dependency-scanning) |
| Javascript | `package-lock.json`<br>`pnpm-lock.yaml`<br>`yarn.lock` |
| PHP | `composer.lock` |
| Python | `Pipfile.lock`<br>`poetry.lock`<br>`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)<br>`pdm.lock` |
| R | `renv.lock` |
| Ruby | `Gemfile.lock` |
| Rust | `Cargo.lock` |

## Alpine Package Keeper and Debian Package Manager

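Review bot: the footnote convention in the table is now inconsistent between the Java and Python rows: `pom.xml[\*](#transitive-dependency-scanning)` links the asterisk to an in-page section, while `requirements.txt[\*](https://github.com/google/osv-scanner/issues/34)` still points readers at an open issue, and nothing under the table says what either asterisk means. Suggest a one-line legend below the table (for example, that starred formats are resolved through transitive dependency scanning rather than parsed as lockfiles, with the link) or, at minimum, the same footnote style for both rows. Please also confirm that `#transitive-dependency-scanning` is the slug the site generator emits for the new `## Transitive dependency scanning` heading (the page uses `nav_order` front matter, so this is rendered, not raw Markdown); a mismatched anchor fails silently by dropping the reader at the top of the page.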
@@ -70,6 +70,14 @@ Submoduled dependencies are included in the project folder retain their Git hist

Vendored dependencies have been directly copied into the project folder, but do not retain their Git histories. OSV-Scanner uses OSV's [determineversion API](https://google.github.io/osv.dev/post-v1-determineversion/) to estimate each dependency's version (and associated Git Commit). Vulnerabilities for the estimated version are returned. This process requires no additional work from the user. Run OSV-Scanner as you normally would.

## Transitive dependency scanning

OSV-Scanner supports transitive dependency scanning for Maven pom.xml. This feature is enabled by default when scanning, but it is disabled in the [experimental offline mode](./offline-mode.md).

OSV-Scanner uses [deps.dev’s resolver library](https://pkg.go.dev/deps.dev/util/resolve) to compute the dependency graph of a project. This graph includes all of the direct and transitive dependencies. By default, [deps.dev API](https://docs.deps.dev/api/v3/index.html) is queried for package versions and requirements. The support for private registries is [coming soon](https://github.com/google/osv-scanner/issues/1045).

After the dependency resolution, the OSV database is queried for the vulnerabilities associated with these dependencies.

## Custom Lockfiles

If you have a custom lockfile that we do not support or prefer to do your own custom parsing, you can extract the custom lockfile information and create a custom intermediate file containing dependency information so that osv-scanner can still check for vulnerabilities.
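Review bot: the new section states that transitive scanning is disabled in the experimental offline mode but not what then happens to a `pom.xml` (is the file skipped, or are only the directly declared dependencies checked?); a reader judging whether an offline scan's results are complete needs that sentence. Two smaller points in the same paragraph: since the deps.dev API is queried for package versions and requirements, it is worth saying plainly that scanning a `pom.xml` sends the project's dependency coordinates to a remote service and needs network access, which is also the reason the feature is off in offline mode; and "The support for private registries is coming soon" reads better as "Support for private registries is coming soon".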