
Support a --no-resolve flag to avoid resolving transitive dependencies during scanning

Open jsqfengbao opened this issue 1 year ago • 10 comments

Transitive dependencies cannot be fixed. If I want to use only the direct dependencies of the Maven project pom without using transitive dependencies, how can I pass parameters?

jsqfengbao avatar Jul 15 '24 07:07 jsqfengbao

Transitive scanning for Maven is disabled in the offline mode - does this help with your use case?

cuixq avatar Jul 15 '24 20:07 cuixq

> Transitive scanning for Maven is disabled in the offline mode - does this help with your use case?

Can a parameter be added to control this? Because not only Maven projects but also projects in other languages need to be scanned.

jsqfengbao avatar Jul 16 '24 01:07 jsqfengbao

I may not understand your comment above - projects in other languages are also scanned with the offline mode. Can you explain a bit more on what parameter you want?

cuixq avatar Jul 16 '24 22:07 cuixq

> I may not understand your comment above - projects in other languages are also scanned with the offline mode. Can you explain a bit more on what parameter you want?

That is, if I want to perform a direct-dependency scan on a Java project, I can only use offline mode, and there is no parameter to control the offline mode. But non-Java projects can be scanned in online mode. My question is, can I add a parameter when passing parameters? If -r = false, it is a direct dependency scan, and -r = true is a transitive dependency scan.

jsqfengbao avatar Jul 16 '24 23:07 jsqfengbao

I don't think we have parameters to control what projects to be scanned offline.

cuixq avatar Jul 17 '24 17:07 cuixq

Re "Transitive dependencies cannot be fixed", we're currently actively working on fixing this part via Java support for https://google.github.io/osv-scanner/experimental/guided-remediation/.

That said, this issue seems to be requesting a --no-resolve flag of some sort, so I'll rename the issue title to capture this better.

oliverchang avatar Jul 18 '24 04:07 oliverchang

As @cuixq mentioned earlier, --offline should work for this use case, but it disables both resolution and OSV.dev API usage which may not be ideal.

oliverchang avatar Jul 18 '24 04:07 oliverchang

> Re "Transitive dependencies cannot be fixed", we're currently actively working on fixing this part via Java support for https://google.github.io/osv-scanner/experimental/guided-remediation/.
>
> That said, this issue seems to be requesting a --no-resolve flag of some sort, so I'll rename the issue title to capture this better.

Good, this is what I need: a --no-resolve flag. Because transitive dependencies can be scanned but are hard to repair.

jsqfengbao avatar Jul 18 '24 06:07 jsqfengbao
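A workaround for the direct-dependency-only Maven scan requested in this thread, added here as an example and not code from the thread or from osv-scanner: read only the POM's own `<dependencies>` block (ignoring `<dependencyManagement>`, which constrains versions but declares nothing), resolve `${property}` versions, and emit the resulting purls as the body of an OSV.dev `/v1/querybatch` request, so no transitive resolution happens at all. Assumptions: a single-module POM with no parent interpolation; the sample POM, its coordinates and the `parent-managed` artifact are constructed for the example.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Constructed sample POM (not from a real project). It exercises a version set
# via a property, a version supplied only by <dependencyManagement>, a
# test-scoped dependency and one whose version lives in an unseen parent POM.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>demo</artifactId><version>1.0.0</version>
  <properties><log4j.version>2.14.1</log4j.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId><version>30.0-jre</version></dependency>
  </dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>${log4j.version}</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>2.9.8</version><scope>test</scope></dependency>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId></dependency>
    <dependency><groupId>org.example</groupId><artifactId>parent-managed</artifactId></dependency>
  </dependencies>
</project>"""

_PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def _ns(root):
    """Return the '{namespace}' prefix the POM uses, or '' if it has none."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _child_text(elem, ns, tag):
    child = elem.find(ns + tag)
    return child.text.strip() if child is not None and child.text else None


def _interpolate(value, props):
    """Expand ${name} from <properties>; unknown names are left untouched."""
    if value is None:
        return None
    return _PLACEHOLDER.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def direct_dependencies(pom_xml, exclude_scopes=()):
    """Direct dependencies declared in the POM itself; nothing is resolved transitively."""
    root = ET.fromstring(pom_xml)
    ns = _ns(root)

    # Values available for ${...} expansion: <properties> plus project.* coordinates.
    props = {p.tag.replace(ns, ""): (p.text or "").strip() for p in root.findall(f"{ns}properties/*")}
    for coord in ("groupId", "artifactId", "version"):
        if _child_text(root, ns, coord):
            props[f"project.{coord}"] = _child_text(root, ns, coord)

    # <dependencyManagement> only pins versions for dependencies that omit one.
    managed = {}
    for dep in root.findall(f"{ns}dependencyManagement/{ns}dependencies/{ns}dependency"):
        key = (_child_text(dep, ns, "groupId"), _child_text(dep, ns, "artifactId"))
        managed[key] = _interpolate(_child_text(dep, ns, "version"), props)

    deps = []
    # The path below matches only <project><dependencies>, not the managed block.
    for dep in root.findall(f"{ns}dependencies/{ns}dependency"):
        group = _interpolate(_child_text(dep, ns, "groupId"), props)
        artifact = _interpolate(_child_text(dep, ns, "artifactId"), props)
        version = _interpolate(_child_text(dep, ns, "version"), props)
        scope = _child_text(dep, ns, "scope") or "compile"
        if scope in exclude_scopes:
            continue
        if version is None:
            version = managed.get((group, artifact))  # may still be None (parent BOM)
        deps.append({"group": group, "artifact": artifact, "version": version, "scope": scope})
    return deps


def to_purl(dep):
    """pkg:maven/<groupId>/<artifactId>@<version>, each component percent-encoded."""
    if not dep["version"]:
        raise ValueError(f"unresolved version for {dep['group']}:{dep['artifact']}")
    return "pkg:maven/{}/{}@{}".format(
        quote(dep["group"], safe=""), quote(dep["artifact"], safe=""), quote(dep["version"], safe="")
    )


def osv_querybatch(deps):
    """Body for POST https://api.osv.dev/v1/querybatch plus the deps that could not be queried."""
    queries, unresolved = [], []
    for dep in deps:
        if dep["version"]:
            queries.append({"package": {"purl": to_purl(dep)}})
        else:
            unresolved.append(f"{dep['group']}:{dep['artifact']}")
    return {"queries": queries}, unresolved


if __name__ == "__main__":
    body, unresolved = osv_querybatch(direct_dependencies(SAMPLE_POM, exclude_scopes={"test"}))
    print(json.dumps(body, indent=2))
    for name in unresolved:
        print(f"# not queried, version unresolved: {name}")
```

Dependencies whose version is pinned only by a parent POM are reported as unresolved rather than guessed: a wrong version in the purl silently returns the wrong set of advisories, which is worse than an explicit gap in the report.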

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

github-actions[bot] avatar Sep 17 '24 00:09 github-actions[bot]

Automatically closing stale issue

github-actions[bot] avatar Oct 01 '24 00:10 github-actions[bot]