Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow offline vulnerability database and transitive resolution to be enabled/disabled separately. #1339

Closed
michaelkedar opened this issue Oct 23, 2024 · 7 comments · Fixed by #1342
Closed

Allow offline vulnerability database and transitive resolution to be enabled/disabled separately. #1339

michaelkedar opened this issue Oct 23, 2024 · 7 comments · Fixed by #1342
Assignees
@michaelkedar
Labels
enhancement New feature or request

Comments

@michaelkedar
Copy link
Member

Currently, enabling offline mode (--experimental-offline) in scanning makes the scanner use a local vulnerability database and disables transitive dependency resolution for Maven pom.xml files.

But there are use cases for having one and not the other, i.e.

With #1286 adding the --experimental-resolution-data-source flag, we could allow setting this to none or disable to disable transitive resolution, and make the --experimental-offline flag affect only the vulnerability database. (But that would mean 'offline mode' may still attempt to make network requests...)
@michaelkedar michaelkedar added the enhancement New feature or request label Oct 23, 2024
@michaelkedar michaelkedar self-assigned this Oct 23, 2024
@cuixq
Copy link
Contributor

cuixq commented Oct 23, 2024
edited
Loading

I think we still should follow the assumption not to make network requests with --experimental-offline flag.

Maybe make this flag to take a string:

  • all or empty: default, no network requests at all
  • vulnerability: use offline database for vulnerability, but performs dependency resolution
  • dependency: does not perform transitive dependency scanning but making requests to OSV

@oliverchang
Copy link
Collaborator

I think we still should follow the assumption not to make network requests with --experimental-offline flag.

Maybe make this flag to take a string:

  • all or empty: default, no network requests at all
  • vulnerability: use offline database for vulnerability, but performs dependency resolution
  • dependency: does not perform transitive dependency scanning but making requests to OSV

+1! But I'd rename dependency to pkg-registry or something similar to be clearer.

@michaelkedar
Copy link
Member Author

  • all or empty: default, no network requests at all

Hm, the desired behaviour seems impossible with urfave/cli:

# using cli.StringFlag
# original behaviour is broken:
> osv-scanner scan --experimental-offline
flag needs an argument: -experimental-offline

> osv-scanner scan --experimental-offline --experimental-download-offline-databases
experimental-offline = "--experimental-download-offline-databases"
experimental-download-offline-databases = false

# now the string is always required:
> osv-scanner scan --experimental-offline all
experimental-offline = "all"
> osv-scanner scan --experimental-offline=vulnerability
experimental-offline = "vulnerability"
> osv-scanner scan --experimental-offline=
experimental-offline = ""

Personally, I'd prefer to keep the --experimental-offline syntax the same as a boolean flag.

How about adding new flags e.g. --experimental-offline-vulnerabilities and --experimental-no-resolve (or --experimental-resolution-data-source=none), and have --experimental-offline set both?

@oliverchang
Copy link
Collaborator

oliverchang commented Oct 23, 2024
edited
Loading

How about adding new flags e.g. --experimental-offline-vulnerabilities and --experimental-no-resolve (or --experimental-resolution-data-source=none), and have --experimental-offline set both?

SGTM, this seems pretty reasonable.

Now that I think about it, I think we also discovered we couldn't have an empty string work as "all" by default for --call-analysis / --no-call-analysis in #513. @hogo6002 is that right?

@cuixq
Copy link
Contributor

cuixq commented Oct 23, 2024

SGTM as well - I am leaning to have --experimental-no-resolve for turning off resolution.

@hogo6002
Copy link
Contributor

Now that I think about it, I think we also discovered we couldn't have an empty string work as "all" by default for --call-analysis / --no-call-analysis in #513. @hogo6002 is that right?

Yeah, I think we can't directly pass an empty string value to a cli.StringFlag, but Gareth mentioned we can use cli.GenericFlag to implement it. #513 (comment)

@oliverchang
Copy link
Collaborator

Now that I think about it, I think we also discovered we couldn't have an empty string work as "all" by default for --call-analysis / --no-call-analysis in #513. @hogo6002 is that right?

Yeah, I think we can't directly pass an empty string value to a cli.StringFlag, but Gareth mentioned we can use cli.GenericFlag to implement it. #513 (comment)

Interesting, but since we didn't go with this for --call-analysis, we should be consistent and just go with an approach that doesn't rely on this. i.e. @michaelkedar 's suggestion in #1339 (comment)

@michaelkedar michaelkedar mentioned this issue Oct 23, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@michaelkedar michaelkedar

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
4 participants
@oliverchang @michaelkedar @hogo6002 @cuixq