Skip to content

fix: keep transitive scanning with --offline-vulnerabilities#2783

Merged
another-rex merged 4 commits into
google:mainfrom
gotgolem:fix/offline-vulnerabilities-transitive
May 29, 2026
Merged

fix: keep transitive scanning with --offline-vulnerabilities#2783
another-rex merged 4 commits into
google:mainfrom
gotgolem:fix/offline-vulnerabilities-transitive

Conversation

@gotgolem

@gotgolem gotgolem commented May 7, 2026

Copy link
Copy Markdown
Contributor

Overview

Fixes #2775.

--offline-vulnerabilities is documented as only switching vulnerability matching to the local DB, but it was also causing Scalibr to filter out network-backed plugins.
That meant transitive dependency scanning was disabled even when --no-resolve was not passed.

This PR keeps that behavior scoped to the full --offline flag instead.

Details

I added a separate ScannerActions.PluginNetworkDisabled field and wire it from --offline.

CompareOffline still controls the local vulnerability DB path. The source and container scan paths now use PluginNetworkDisabled when setting Scalibr's network capability.

License behavior under --offline-vulnerabilities is intentionally left unchanged in this PR.

Testing

  • go test ./pkg/osvscanner ./cmd/osv-scanner/internal/helper
  • go test ./cmd/osv-scanner/scan/source -run TestCommand_Transitive -count=1

Also ran:

  • ./scripts/run_tests.sh
    • Fails locally on unrelated snapshot drift from external data changes.

Checklist

@gotgolem gotgolem force-pushed the fix/offline-vulnerabilities-transitive branch 3 times, most recently from ee57ce6 to d407f3d Compare May 8, 2026 04:56
@codecov-commenter

codecov-commenter commented May 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.29%. Comparing base (bc422e5) to head (c6d3c01).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2783      +/-   ##
==========================================
+ Coverage   79.26%   79.29%   +0.02%     
==========================================
  Files         122      122              
  Lines        8258     8259       +1     
==========================================
+ Hits         6546     6549       +3     
+ Misses       1329     1328       -1     
+ Partials      383      382       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@gotgolem gotgolem force-pushed the fix/offline-vulnerabilities-transitive branch 5 times, most recently from 382bf3d to 10ba3e1 Compare May 22, 2026 03:46
@another-rex another-rex requested a review from cuixq May 26, 2026 06:12

@another-rex another-rex left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

"github.com/google/osv-scalibr/plugin"
)

func Test_networkCapability(t *testing.T) {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not too sure if this test is that useful, since it's just testing 1 if statement essentially.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, fair point.

I added it as a regression guard for the CompareOffline / PluginNetworkDisabled split, but the transitive scan test covers the user-visible behavior. I can drop this one if you prefer :)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm... Let's keep it for now since it runs pretty fast, if we find it causing friction later we can remove it.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good, thanks for the review!

@gotgolem gotgolem force-pushed the fix/offline-vulnerabilities-transitive branch from 10ba3e1 to 3f672da Compare May 27, 2026 08:56
@another-rex another-rex merged commit dd086cf into google:main May 29, 2026
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

--offline-vulnerabilities also disables transitive scanning

4 participants