scan source -r does not detect osv-scanner.json
osv-scanner scan source -r . detects lockfiles automatically but does not detect osv-scanner.json and so -L must be used to list all osv-scanner.json files in the tree. It would be nice if osv-scanner.json was also detected as a lockfile.
It is possible that this is an X-Y problem - I generate osv-scanner.json in two cases:
- C/C++ git commit dependencies (I don't use git submodules, but my own script to clone into a cache folder; I didn't find another way to pass commit IDs with SBOMs that OSV-Scanner would recognize)
- old chunks of code with a license (I use a fake package name with a code description and a fake commit to attach a license via an override in osv-scanner.toml to take advantage of the OSV-Scanner license violation feature)
I wouldn't need osv-scanner.json if there was a better way to solve these two cases. Also the second case would be already improved if I could set commit "0" instead of some fake SHA256 which would be ignored and not really sent to osv.dev.
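As an added illustration of the workaround the issue describes (this is example code, not from the issue author or the OSV-Scanner project): a small POSIX sh helper that walks the tree, collects every osv-scanner.json and passes each one with `-L` alongside the usual `-r` scan, since `scan source -r` will not pick the file up by itself. It assumes `osv-scanner` is on `PATH` and that `-L` may be repeated; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the issue or from the OSV-Scanner project.
# "scan source -r" auto-detects lockfiles but not osv-scanner.json, so every
# such file has to be named explicitly with -L. These helpers gather them.
# Assumptions: osv-scanner is on PATH; the -L flag may be given more than once.

# List every osv-scanner.json under $1 (default "."), one per line, skipping
# .git directories. Output is sorted so repeated runs give a stable order.
osv_json_files() {
    find "${1:-.}" -type d -name .git -prune -o \
         -type f -name osv-scanner.json -print | sort
}

# Number of osv-scanner.json files that would be passed to the scanner.
osv_json_count() {
    osv_json_files "$1" | wc -l | tr -d ' '
}

# Run one scan of $root. Lockfiles are still auto-detected through -r; only the
# osv-scanner.json files need -L. The argv is assembled inside "find -exec sh -c"
# so that paths containing whitespace survive intact (no word splitting).
osv_scan_with_json() {
    root="${1:-.}"
    if [ "$(osv_json_count "$root")" -eq 0 ]; then
        echo "no osv-scanner.json under $root; running a plain recursive scan" >&2
        osv-scanner scan source -r "$root"
        return
    fi
    find "$root" -type d -name .git -prune -o \
         -type f -name osv-scanner.json -exec sh -c '
        root=$1; shift
        # rotate the positional list: "a b c" becomes "-L a -L b -L c"
        for f; do set -- "$@" -L "$f"; shift; done
        exec osv-scanner scan source -r "$root" "$@"
    ' sh "$root" {} +
}
```

Usage: `osv_scan_with_json path/to/repo`. The `.git` prune matters for the first use case in the issue, where cloned dependency checkouts live under the tree: an osv-scanner.json inside a clone's own `.git` metadata should not be scanned twice.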
Thanks for telling us the use cases! I can see just adding something like osv-scanner-custom.json as a valid lockfile type as a short term fix, but we definitely want to help make those two use cases easier so you don't have to have this workaround.
I'll add this as a discussion point with the team next week.
This issue has not had any activity for 60 days and will be automatically closed in two weeks
See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.