--offline-vulnerabilities also disables transitive scanning #2775

Description

@gotgolem

I think --offline-vulnerabilities is currently doing more than the docs describe.

docs/offline-mode.md says:

To use offline mode for just the vulnerability database, but allow other features to possibly make network requests (e.g. transitive dependency scanning), you can use the --offline-vulnerabilities flag instead.

My reading of this is that --offline-vulnerabilities should only switch vulnerability matching to the local DB. If a user wants to disable all network access, they should use --offline, which already sets both --offline-vulnerabilities and --no-resolve.

But in current main, both scan paths do this when actions.CompareOffline is set:

// Selecting the local vulnerability DB also turns the whole plugin set offline.
if actions.CompareOffline {
    capabilities.Network = plugin.NetworkOffline
}

That happens in:

  • pkg/osvscanner/scan.go
  • pkg/osvscanner/osvscanner.go

Because Scalibr then filters plugins by capabilities, this drops network-backed plugins, including the transitive dependency enrichers. So --offline-vulnerabilities ends up disabling transitive scanning even when --no-resolve was not passed.

This seems to break the use case from #1339:

Use a local vuln db, but still do transitive scanning in environments with access to the maven registry but not osv.dev.

I think the fix is to separate the two concepts in ScannerActions:

  • one flag/action for “use the local vulnerability DB”
  • another for “disable network-backed features”

Then CompareOffline can stay focused on selecting the vulnerability matcher, while Scalibr’s NetworkOffline capability is only set for the full --offline mode.

Happy to open a PR if this direction sounds right.
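The following is an added, self-contained Go model of the two behaviours discussed above; it is not osv-scanner's or Scalibr's code. `ScannerActions`, `Plugin`, `SamplePlugins`, the `NetworkMode` constants and the rule that `--no-resolve` removes transitive enrichers are all assumptions of this example, chosen to echo the names in the issue. `NetworkModeCurrent` reproduces the reported coupling (any offline vulnerability comparison drops every network-backed plugin), while `NetworkModeProposed` only sets the offline capability for full `--offline`, so `--offline-vulnerabilities` alone keeps the transitive enrichers and still switches the matcher to the local DB.

```go
package main

import "fmt"

// NetworkMode stands in for Scalibr's plugin network capability. The names echo
// plugin.NetworkOffline from the issue but are this example's own (assumption).
type NetworkMode int

const (
	NetworkOnline NetworkMode = iota
	NetworkOffline
)

// ScannerActions is a reduced, hypothetical model of osv-scanner's ScannerActions.
// Offline stands for --offline, CompareOffline for --offline-vulnerabilities and
// NoResolve for --no-resolve.
type ScannerActions struct {
	Offline        bool
	CompareOffline bool
	NoResolve      bool
}

// FromFlags applies the rule stated in the issue: --offline implies both
// --offline-vulnerabilities and --no-resolve.
func FromFlags(offline, offlineVulns, noResolve bool) ScannerActions {
	return ScannerActions{
		Offline:        offline,
		CompareOffline: offlineVulns || offline,
		NoResolve:      noResolve || offline,
	}
}

// Plugin is a stand-in for a Scalibr plugin and the capabilities it requires.
type Plugin struct {
	Name         string
	NeedsNetwork bool // filtered out whenever the network capability is offline
	Transitive   bool // a transitive-dependency enricher, disabled by --no-resolve (assumption)
}

// SamplePlugins is a constructed plugin set, not the real Scalibr registry.
func SamplePlugins() []Plugin {
	return []Plugin{
		{Name: "lockfile-extractor", NeedsNetwork: false, Transitive: false},
		{Name: "maven-transitive-enricher", NeedsNetwork: true, Transitive: true},
		{Name: "pypi-transitive-enricher", NeedsNetwork: true, Transitive: true},
	}
}

// NetworkModeCurrent reproduces the behaviour the issue reports: as soon as the
// local vulnerability DB is selected, every network-backed plugin is dropped.
func NetworkModeCurrent(a ScannerActions) NetworkMode {
	if a.CompareOffline {
		return NetworkOffline
	}
	return NetworkOnline
}

// NetworkModeProposed is the separation the issue proposes: the network
// capability is only turned off for the full --offline mode.
func NetworkModeProposed(a ScannerActions) NetworkMode {
	if a.Offline {
		return NetworkOffline
	}
	return NetworkOnline
}

// VulnMatcher shows that matcher selection follows CompareOffline alone in both
// variants; only the plugin filtering differs between them.
func VulnMatcher(a ScannerActions) string {
	if a.CompareOffline {
		return "local-db"
	}
	return "osv.dev"
}

// SelectPlugins mimics Scalibr filtering plugins by capability, plus the modelled
// rule that --no-resolve removes the transitive enrichers explicitly.
func SelectPlugins(a ScannerActions, plugins []Plugin, mode func(ScannerActions) NetworkMode) []string {
	net := mode(a)
	var kept []string
	for _, p := range plugins {
		if p.NeedsNetwork && net == NetworkOffline {
			continue
		}
		if p.Transitive && a.NoResolve {
			continue
		}
		kept = append(kept, p.Name)
	}
	return kept
}

func main() {
	a := FromFlags(false, true, false) // --offline-vulnerabilities only
	fmt.Println("matcher:", VulnMatcher(a))
	fmt.Println("current plugins: ", SelectPlugins(a, SamplePlugins(), NetworkModeCurrent))
	fmt.Println("proposed plugins:", SelectPlugins(a, SamplePlugins(), NetworkModeProposed))
	full := FromFlags(true, false, false) // --offline
	fmt.Println("full offline:    ", SelectPlugins(full, SamplePlugins(), NetworkModeProposed))
}
```

Running it prints the local DB matcher for `--offline-vulnerabilities` in both variants, but only the proposed variant keeps the two transitive enrichers in that mode; full `--offline` drops them under either variant.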
