diff --git a/docs/supported_languages_and_lockfiles.md b/docs/supported_languages_and_lockfiles.md
index af0c2d54ac..55e229c377 100644
--- a/docs/supported_languages_and_lockfiles.md
+++ b/docs/supported_languages_and_lockfiles.md
@@ -22,19 +22,19 @@ nav_order: 2
A wide range of lockfiles are supported by utilizing this [lockfile package](https://github.com/google/osv-scanner/tree/main/pkg/lockfile).
-| Language | Compatible Lockfile(s) |
-| :--------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| C/C++ | `conan.lock`
[C/C++ commit scanning](#cc-scanning) |
-| Dart | `pubspec.lock` |
-| Elixir | `mix.lock` |
-| Go | `go.mod` |
-| Java | `buildscript-gradle.lockfile`
`gradle.lockfile`
`gradle/verification-metadata.xml`
`pom.xml`[\*](https://github.com/google/osv-scanner/issues/35) |
-| Javascript | `package-lock.json`
`pnpm-lock.yaml`
`yarn.lock` |
-| PHP | `composer.lock` |
-| Python | `Pipfile.lock`
`poetry.lock`
`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)
`pdm.lock` |
-| R | `renv.lock` |
-| Ruby | `Gemfile.lock` |
-| Rust | `Cargo.lock` |
+| Language | Compatible Lockfile(s) |
+| :--------- | :----------------------------------------------------------------------------------------------------------------------------------------- |
+| C/C++ | `conan.lock`
[C/C++ commit scanning](#cc-scanning) |
+| Dart | `pubspec.lock` |
+| Elixir | `mix.lock` |
+| Go | `go.mod` |
+| Java | `buildscript-gradle.lockfile`
`gradle.lockfile`
`gradle/verification-metadata.xml`
`pom.xml`[\*](#transitive-dependency-scanning) |
+| Javascript | `package-lock.json`
`pnpm-lock.yaml`
`yarn.lock` |
+| PHP | `composer.lock` |
+| Python | `Pipfile.lock`
`poetry.lock`
`requirements.txt`[\*](https://github.com/google/osv-scanner/issues/34)
`pdm.lock` |
+| R | `renv.lock` |
+| Ruby | `Gemfile.lock` |
+| Rust | `Cargo.lock` |
## Alpine Package Keeper and Debian Package Manager
@@ -70,6 +70,14 @@ Submoduled dependencies are included in the project folder retain their Git hist
Vendored dependencies have been directly copied into the project folder, but do not retain their Git histories. OSV-Scanner uses OSV's [determineversion API](https://google.github.io/osv.dev/post-v1-determineversion/) to estimate each dependency's version (and associated Git Commit). Vulnerabilities for the estimated version are returned. This process requires no additional work from the user. Run OSV-Scanner as you normally would.
+## Transitive dependency scanning
+
+OSV-Scanner supports transitive dependency scanning for Maven pom.xml. This feature is enabled by default when scanning, but it is disabled in the [offline mode](./offline-mode.md).
+
+OSV-Scanner uses [deps.dev’s resolver library](https://pkg.go.dev/deps.dev/util/resolve) to compute the dependency graph of a project. This graph includes all of the direct and transitive dependencies. By default, [deps.dev API](https://docs.deps.dev/api/v3/index.html) is queried for package versions and requirements. The support for private registries is [coming soon](https://github.com/google/osv-scanner/issues/1045).
+
+After the dependency resolution, the OSV database is queried for the vulnerabilities associated with these dependencies as usual.
+
## Custom Lockfiles
If you have a custom lockfile that we do not support or prefer to do your own custom parsing, you can extract the custom lockfile information and create a custom intermediate file containing dependency information so that osv-scanner can still check for vulnerabilities.