google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0
6.12k stars, 344 forks

Inquiry about the plans for the experimental offline mode #1229

Open chheda-deshaw opened 1 week ago

chheda-deshaw commented 1 week ago

First, I'd like to express my appreciation for the work you've done with OSV-Scanner. It's a valuable tool for our projects, especially the Call Analysis for Go and Rust.

We only want to use the experimental offline mode inside our firm's network. I wanted to inquire about the team's plans regarding this feature:

Understanding the future direction for the offline mode would help us plan our usage accordingly and keep the users happy.

oliverchang commented 1 week ago

Hi, thank you for the interest!

Are there any plans to keep the experimental offline mode long-term?

Yes, this is intended to be a long term feature.

Is there an estimated timeline for when this feature might either be removed or moved to production?

Our goal with keeping this experimental was to collect feedback before we promote this to a stable flag and commit to stability. @chheda-deshaw Do you have any feedback for this flag before we do this?

@another-rex @G-Rath I don't think we've gotten any other feedback that indicates we need to change anything here right? Should we look at promoting this to stable?

cuixq commented 1 week ago

Moving experimental features to production is one of our v2 wishlist items - @another-rex and I are evaluating the experimental features.

chheda-deshaw commented 1 week ago

Yes, this is intended to be a long term feature.

Great! Thank you.

Do you have any feedback for this flag before we do this?

The offline mode in itself works pretty well. I would wish for an easier way to manually download the entire DB. I had some problems with the --experimental-download-offline-databases flag, maybe due to my air-gapped internal network. I understand the need for segregating it into ecosystems, but there could also be an option for downloading the entire DB in the required format. Right now, I have written a script to loop over all the ecosystems, download the zips and form the required directory structure.
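The mirror step the commenter describes (loop over ecosystems, fetch each zip, lay out the directory the scanner expects) is the kind of thing that quietly breaks behind a corporate proxy: a login page or a truncated transfer gets saved as all.zip and the offline scan then reports nothing. The program below is an added example written for this thread, not code from the osv-scanner project or from the commenter. It assumes the public bucket URL https://osv-vulnerabilities.storage.googleapis.com/<Ecosystem>/all.zip, the on-disk layout <local-db-path>/osv-scanner/<Ecosystem>/all.zip read via --experimental-local-db-path, and the ecosystem names in DefaultEcosystems; all three are taken from my reading of osv-scanner at the time and should be checked against the version you run. It refuses anything that is not a parseable zip, writes each file atomically, and offers AdvisoryCount as a sanity check to run on the air-gapped side after the tree has been copied over.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// Ecosystems to mirror. OSV publishes one all.zip per ecosystem under the
// ecosystem's OSV name. Assumption: extend this list to what you actually scan.
var DefaultEcosystems = []string{"Go", "npm", "PyPI", "crates.io", "Maven", "Packagist", "RubyGems", "NuGet"}

// DefaultBaseURL is the public OSV bucket serving <Ecosystem>/all.zip (assumption).
const DefaultBaseURL = "https://osv-vulnerabilities.storage.googleapis.com"

// LocalZipPath is where the scanner looks for an ecosystem's all.zip below the
// directory passed to --experimental-local-db-path (assumed layout; verify it).
func LocalZipPath(localDBPath, ecosystem string) string {
	return filepath.Join(localDBPath, "osv-scanner", ecosystem, "all.zip")
}

// RemoteZipURL builds the bulk-export URL; ecosystem names may contain spaces.
func RemoteZipURL(baseURL, ecosystem string) string {
	return strings.TrimRight(baseURL, "/") + "/" + url.PathEscape(ecosystem) + "/all.zip"
}

// fetchOne downloads one all.zip, rejects anything that is not a complete zip
// archive (a proxy or captive-portal error page would otherwise be stored as
// all.zip), and writes via a temp file so a failed download never clobbers a
// good database.
func fetchOne(client *http.Client, src, dest string) error {
	resp, err := client.Get(src)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s: HTTP %d", src, resp.StatusCode)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return err
	}
	if !bytes.HasPrefix(body, []byte("PK\x03\x04")) {
		return fmt.Errorf("%s: response is not a zip archive", src)
	}
	// Parse the central directory now so a truncated archive fails here, not at scan time.
	if _, err := zip.NewReader(bytes.NewReader(body), int64(len(body))); err != nil {
		return fmt.Errorf("%s: corrupt zip: %w", src, err)
	}
	if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
		return err
	}
	tmp := dest + ".partial"
	if err := os.WriteFile(tmp, body, 0o644); err != nil {
		return err
	}
	return os.Rename(tmp, dest)
}

// Mirror fetches every ecosystem's all.zip from baseURL into localDBPath. One
// failing ecosystem is recorded in errs and does not abort the others.
func Mirror(client *http.Client, baseURL, localDBPath string, ecosystems []string) (written []string, errs map[string]error) {
	errs = map[string]error{}
	for _, eco := range ecosystems {
		dest := LocalZipPath(localDBPath, eco)
		if err := fetchOne(client, RemoteZipURL(baseURL, eco), dest); err != nil {
			errs[eco] = err
			continue
		}
		written = append(written, dest)
	}
	return written, errs
}

// AdvisoryCount counts the JSON advisories inside a mirrored all.zip.
func AdvisoryCount(path string) (int, error) {
	r, err := zip.OpenReader(path)
	if err != nil {
		return 0, err
	}
	defer r.Close()
	n := 0
	for _, f := range r.File {
		if strings.HasSuffix(f.Name, ".json") {
			n++
		}
	}
	return n, nil
}

func main() {
	// Afterwards: osv-scanner --experimental-offline --experimental-local-db-path osv-db <target>
	client := &http.Client{Timeout: 5 * time.Minute}
	written, errs := Mirror(client, DefaultBaseURL, "osv-db", DefaultEcosystems)
	for _, p := range written {
		n, err := AdvisoryCount(p)
		fmt.Printf("%s: %d advisories (err=%v)\n", p, n, err)
	}
	for eco, err := range errs {
		fmt.Printf("FAILED %s: %v\n", eco, err)
	}
}
```

Run it on a machine with egress, then copy the osv-db tree into the air-gapped network; AdvisoryCount on each file there confirms the copy is intact before anyone relies on a scan result.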