From 24aca23f4b6551918f4d2d539b8d30ca6547b19b Mon Sep 17 00:00:00 2001 From: Xueqin Cui <72771658+cuixq@users.noreply.github.com> Date: Thu, 24 Oct 2024 13:36:55 +1100 Subject: [PATCH] docs: update documentation about Maven registry support (#1340) https://github.com/google/osv-scanner/pull/1286 adds support for Maven registry during resolution. As a follow up, this PR updates the documentation for transitive scanning about specifying data source during resolution as well as specifying Maven registry. This PR also corrects the deps.dev API version we are using. We also need to update the documentation in https://github.com/google/osv-scanner/pull/1181. --- docs/guided-remediation.md | 2 +- docs/supported_languages_and_lockfiles.md | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/guided-remediation.md b/docs/guided-remediation.md index 858c791ee6b..ffd7f87586b 100644 --- a/docs/guided-remediation.md +++ b/docs/guided-remediation.md @@ -249,7 +249,7 @@ The following flag may be used to limit the patches allowed for your dependencie ### Data source -By default, we use the [deps.dev API](https://docs.deps.dev/api/v3alpha/) to find version and dependency information of packages during remediation. +By default, we use the [deps.dev API](https://docs.deps.dev/api/) to find version and dependency information of packages during remediation. If instead you'd like to use your ecosystem's native registry API (e.g. `https://registry.npmjs.org`), you can use the `--data-source=native` flag. `osv-scanner fix` will attempt to use the authentication specified by the native tooling (e.g. `npm config`) diff --git a/docs/supported_languages_and_lockfiles.md b/docs/supported_languages_and_lockfiles.md index 0abd7c0c414..9eb912d2d07 100644 --- a/docs/supported_languages_and_lockfiles.md +++ b/docs/supported_languages_and_lockfiles.md 
@@ -81,6 +81,14 @@ After the dependency resolution, the OSV database is queried for the vulnerabili {: .note } Test dependencies are not supported yet in the computed dependency graph for Maven pom.xml. +### Data source + +By default, we use the [deps.dev API](https://docs.deps.dev/api/v3/) to find version and dependency information of packages during transitive scanning. + +If instead you'd like to fetch data from [Maven Central](https://repo.maven.apache.org/maven2/), you can use the `--experimental-resolution-data-source=native` flag. + +If your project uses mirrored or private registries, in addition to setting `--experimental-resolution-data-source=native`, you will need to use the `--experimental-maven-registry=` flag to specify the registry (e.g. `--experimental-maven-registry=https://repo.maven.apache.org/maven2/`). + ## Custom Lockfiles If you have a custom lockfile that we do not support or prefer to do your own custom parsing, you can extract the custom lockfile information and create a custom intermediate file containing dependency information so that osv-scanner can still check for vulnerabilities.
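Review bot: The guided-remediation.md hunk and the supported_languages_and_lockfiles.md hunk now point readers at two different deps.dev URLs: the `docs/guided-remediation.md` line changes `https://docs.deps.dev/api/v3alpha/` to the unversioned `https://docs.deps.dev/api/`, while the new "Data source" section in `docs/supported_languages_and_lockfiles.md` links `https://docs.deps.dev/api/v3/`. Since the commit message says this PR "corrects the deps.dev API version we are using", both files should cite the same versioned link (`https://docs.deps.dev/api/v3/`), or the unversioned one in both places if the intent is to avoid pinning the docs to an API version.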
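Review bot: In the `docs/supported_languages_and_lockfiles.md` hunk, the private-registry paragraph says nothing about credentials, yet a mirrored or private registry is exactly where authentication matters; the companion `docs/guided-remediation.md` section states that `osv-scanner fix` "will attempt to use the authentication specified by the native tooling (e.g. `npm config`)", and this new section should say equally clearly whether the Maven native data source honours credentials from the native tooling or expects an unauthenticated registry. Two smaller points on the same lines: the `--experimental-maven-registry=` example reuses `https://repo.maven.apache.org/maven2/`, which the preceding sentence already presents as the default for `--experimental-resolution-data-source=native`, so an obviously placeholder mirror URL would illustrate the flag better; and the line "you will need to use the `--experimental-maven-registry=` flag" reads as mandatory, so if the flag is only needed when the mirror differs from Maven Central, say "you can use" to match the wording of the sentence before it.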