Update documentation for transitive dependency scanning (#1040)
cuixq authored Jun 19, 2024
1 parent 27db6bf commit b47f43b
Showing 1 changed file with 21 additions and 13 deletions.
34 changes: 21 additions & 13 deletions docs/supported_languages_and_lockfiles.md
Expand Up @@ -22,19 +22,19 @@ nav_order: 2

A wide range of lockfiles are supported by utilizing this [lockfile package](https://github.com/google/osv-scanner/tree/main/pkg/lockfile).

| Language | Compatible Lockfile(s) |
| :--------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------- |
| C/C++ | `conan.lock`<br>[C/C++ commit scanning](#cc-scanning) |
| Dart | `pubspec.lock` |
| Elixir | `mix.lock` |
| Go | `go.mod` |
| Java | `buildscript-gradle.lockfile`<br>`gradle.lockfile`<br>`gradle/verification-metadata.xml`<br>`pom.xml`[\*](https://github.com/google/osv-scanner/issues/35) |
| Javascript | `package-lock.json`<br>`pnpm-lock.yaml`<br>`yarn.lock` |
| PHP | `composer.lock` |
| Python | `Pipfile.lock`<br>`poetry.lock`<br>`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)<br>`pdm.lock` |
| R | `renv.lock` |
| Ruby | `Gemfile.lock` |
| Rust | `Cargo.lock` |
| Language | Compatible Lockfile(s) |
| :--------- | :----------------------------------------------------------------------------------------------------------------------------------------- |
| C/C++ | `conan.lock`<br>[C/C++ commit scanning](#cc-scanning) |
| Dart | `pubspec.lock` |
| Elixir | `mix.lock` |
| Go | `go.mod` |
| Java | `buildscript-gradle.lockfile`<br>`gradle.lockfile`<br>`gradle/verification-metadata.xml`<br>`pom.xml`[\*](#transitive-dependency-scanning) |
| Javascript | `package-lock.json`<br>`pnpm-lock.yaml`<br>`yarn.lock` |
| PHP | `composer.lock` |
| Python | `Pipfile.lock`<br>`poetry.lock`<br>`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)<br>`pdm.lock` |
| R | `renv.lock` |
| Ruby | `Gemfile.lock` |
| Rust | `Cargo.lock` |

## Alpine Package Keeper and Debian Package Manager

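Review bot: the two `[\*]` footnote markers in the table now point at different kinds of target, which makes the asterisk ambiguous: the `pom.xml` asterisk changes from the GitHub issue (`https://github.com/google/osv-scanner/issues/35`) to the in-page anchor `#transitive-dependency-scanning`, while the `requirements.txt` asterisk still links to `https://github.com/google/osv-scanner/issues/34`. Consider adding a one-line legend under the table (for example, `\* see the linked note for limitations or additional behaviour`) or using distinct markers, so a reader does not assume both rows share the same caveat. Also confirm that the `#transitive-dependency-scanning` anchor matches the heading slug generated by the docs site for `## Transitive dependency scanning`.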
Expand Down Expand Up @@ -70,6 +70,14 @@ Submoduled dependencies are included in the project folder retain their Git hist

Vendored dependencies have been directly copied into the project folder, but do not retain their Git histories. OSV-Scanner uses OSV's [determineversion API](https://google.github.io/osv.dev/post-v1-determineversion/) to estimate each dependency's version (and associated Git Commit). Vulnerabilities for the estimated version are returned. This process requires no additional work from the user. Run OSV-Scanner as you normally would.

## Transitive dependency scanning

OSV-Scanner supports transitive dependency scanning for Maven pom.xml. This feature is enabled by default when scanning, but it is disabled in the [offline mode](./offline-mode.md).

OSV-Scanner uses [deps.dev’s resolver library](https://pkg.go.dev/deps.dev/util/resolve) to compute the dependency graph of a project. This graph includes all of the direct and transitive dependencies. By default, [deps.dev API](https://docs.deps.dev/api/v3/index.html) is queried for package versions and requirements. The support for private registries is [coming soon](https://github.com/google/osv-scanner/issues/1045).

After the dependency resolution, the OSV database is queried for the vulnerabilities associated with these dependencies as usual.

## Custom Lockfiles

If you have a custom lockfile that we do not support or prefer to do your own custom parsing, you can extract the custom lockfile information and create a custom intermediate file containing dependency information so that osv-scanner can still check for vulnerabilities.
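Review bot: the new "Transitive dependency scanning" section should make the network and data-sharing consequence explicit, since this is enabled by default: the text says the [deps.dev API](https://docs.deps.dev/api/v3/index.html) is queried for package versions and requirements, which means the names and version constraints from a project's `pom.xml` are sent to a third-party service during an ordinary online scan. State this plainly next to "This feature is enabled by default", and document whether resolution can be turned off without switching to offline mode (or say that it cannot), so users with confidentiality requirements for their dependency lists know their options. Two wording points: "The support for private registries is coming soon" reads better as "Support for private registries is coming soon", and "After the dependency resolution" as "After dependency resolution"; `pom.xml` should also be in backticks to match the table above.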