osv-scanner
Refactor deps.dev clients
Currently there are multiple places where we create a deps.dev client:
- pkg/depsdev/license.go: fetching licenses from deps.dev
- internal/resolution/client/depsdev_client.go: dependency resolution required by guided remediation
- internal/manifest/maven.go: transitive dependency support when scanning Maven pom.xml (this is the same as what is required by guided remediation)
Instead of having deps.dev clients in multiple places, we probably should consolidate them into one place (for example pkg/depsdev) and make all the places depend on that package.
Also, currently in pkg/depsdev/license.go, responses from deps.dev are already processed into specific data structures; maybe we should keep the responses as they are and process them in the caller depending on what we need.