Xueqin Cui

Results 59 comments of Xueqin Cui

I may not understand your comment above - projects in other languages are also scanned with the offline mode. Can you explain a bit more on what parameter you want?

I don't think we have parameters to control which projects are scanned offline.

I think this is related to this feature request - [supporting private registry for Maven](https://github.com/google/osv-scanner/issues/1045). For the snapshot versions in `maven-metadata.xml`, I think this is for snapshot remote repositories based...

@Malayke do you know any documentation or more examples about this? The [link](https://repository.apache.org/content/repositories/snapshots/org/apache/maven/plugins/maven-jar-plugin/3.3.0-SNAPSHOT/maven-metadata.xml) on this [page](https://maven.apache.org/repositories/metadata.html#the-v-level-metadata) returns 404 :(

Hi @Malayke do you mean a custom Maven registry URL instead of the hard-coded Maven Central URL? We definitely would like to support that.

Yes - supporting Maven private registries https://github.com/google/osv-scanner/issues/1045 is one of our priorities. We do plan to make the Maven repository URL configurable. I will update the mentioned bug with more...

You should be able to use [`--maven-registry`](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/#data-source) to specify the URL of the private registry that you want to fetch Maven artifacts from.

It seems `composer` does not complain about strings and valid numbers (for example `"version":20190220` or `"version":1.2`) but complains about invalid numbers (for example `"version":1.2.3`).

I think the linter is doing its work - we need to add comments to these packages.