Xueqin Cui
Something like [internal/resolution/client/osv_client.go](https://github.com/google/osv-scanner/blob/main/internal/resolution/client/osv_client.go) This will be helpful for testing (mocking the client instead of fetching directly from OSV.dev API).
[Parser](https://github.com/google/osv-scanner/blob/main/pkg/lockfile/parse.go) is no longer used, so we should probably remove it.
Currently there are multiple places where we create a `deps.dev` client:

- [pkg/depsdev/license.go](https://github.com/google/osv-scanner/blob/main/pkg/depsdev/license.go): fetching licenses from deps.dev
- [internal/resolution/client/depsdev_client.go](https://github.com/google/osv-scanner/blob/main/internal/resolution/client/depsdev_client.go): dependency resolution required by guided remediation
- [internal/manifest/maven.go](https://github.com/google/osv-scanner/blob/main/internal/manifest/maven.go): transitive dependency support...
https://github.com/google/osv-scanner/issues/1045 There are [repositories](https://maven.apache.org/pom.html#Repositories) defined in a Maven pom.xml. When looking for an artifact, these repositories are searched one by one until the artifact is found. Maven Central is the...
Currently, by default, we fetch snapshots from all Maven repositories. However, snapshots can be disabled for a repository ([ref](https://maven.apache.org/pom.html#repositories)). We should take this into consideration when fetching projects from a...
`settings.xml` contains information about:

- registry: local repository, remote repository servers, and authentication information
- project: profiles and properties

To give better support for Maven dependency resolution, configurations...
Text is escaped to `	` when we write XML in the Maven updater. Go does the escaping in `EncodeToken`: https://github.com/golang/go/blob/master/src/encoding/xml/marshal.go#L223
Currently we only show vulnerabilities for transitive dependencies, but not the path through which we depend on the vulnerable dependency. Considering the lack of lockfiles for these ecosystems, it will be...
OSV-Scanner sends data to various services for different purposes:

- OSV.dev for vulnerabilities
- deps.dev for license information and dependency resolution
- Maven registries for package and version metadata
- ...
TODOs:

- [ ] PyPI registry client
- [ ] API client for resolver
- [x] pip dependency resolution
- [ ] manifest reader
- [ ] manifest writer
- ...