Xueqin Cui
I am marking this PR as draft - the registries should not be added when importing dependencies, but that is now done by `MergeParents` for all cases.
Yes - I have added `backlog` tag.
I believe Maven does not allow dependencies without requirements declared. Can you give an example where you observe Maven dependencies without version requirements?
As far as I know, OSV-Scanner should be able to resolve version requirements from dependency management or parent. For the pom.xml that you provided, `` and `` tags are missing....
License scanning usually involves sending requests to [deps.dev API](https://docs.deps.dev/api/) so it will be a bit tricky to have this in offline mode. However, we are exploring the alternative of getting...
I think we should fix the data instead of stripping the suffix, since the same package with different suffixes, for example `org.apache.kafka:kafka_2.12` and `org.apache.kafka:kafka_2.13`, are considered different packages and...
Some updates regarding this issue:
- There is a [MavenRegistryAPIClient](https://github.com/google/osv-scanner/blob/main/internal/resolution/datasource/maven_registry.go) to talk to a Maven registry directly for metadata. Currently the URL is hard-coded to Maven Central, and we would...
There is one optimisation PR in progress and this can be closed after that.
@sureshkrishnan-v feel free to work on this issue!
Transitive scanning for Maven is disabled in the [offline mode](https://google.github.io/osv-scanner/experimental/offline-mode/) - does this help with your use case?