docs: update documentation about Maven registry support (#1340)
#1286 adds support for Maven registry during resolution.

As a follow-up, this PR updates the documentation for transitive scanning about specifying the data source during resolution as well as specifying the Maven registry.

This PR also corrects the deps.dev API version we are using.

We also need to update the documentation in #1181.
cuixq authored Oct 24, 2024
1 parent e054385 commit 24aca23
Showing 2 changed files with 9 additions and 1 deletion.
2 changes: 1 addition & 1 deletion docs/guided-remediation.md
Expand Up @@ -249,7 +249,7 @@ The following flag may be used to limit the patches allowed for your dependencie

### Data source

By default, we use the [deps.dev API](https://docs.deps.dev/api/v3alpha/) to find version and dependency information of packages during remediation.
By default, we use the [deps.dev API](https://docs.deps.dev/api/) to find version and dependency information of packages during remediation.

If instead you'd like to use your ecosystem's native registry API (e.g. `https://registry.npmjs.org`), you can use the `--data-source=native` flag. `osv-scanner fix` will attempt to use the authentication specified by the native tooling (e.g. `npm config`)

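Review bot: the replacement link on the changed line drops the version from the deps.dev API URL entirely (`https://docs.deps.dev/api/`), while the same commit's change to docs/supported_languages_and_lockfiles.md links `https://docs.deps.dev/api/v3/`; since the stated intent is to correct the API version, both docs should point at the same versioned URL. While touching this section, the unchanged sentence "`osv-scanner fix` will attempt to use the authentication specified by the native tooling (e.g. `npm config`)" is missing its terminating period.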
8 changes: 8 additions & 0 deletions docs/supported_languages_and_lockfiles.md
Expand Up @@ -81,6 +81,14 @@ After the dependency resolution, the OSV database is queried for the vulnerabili
{: .note }
Test dependencies are not supported yet in the computed dependency graph for Maven pom.xml.

### Data source

By default, we use the [deps.dev API](https://docs.deps.dev/api/v3/) to find version and dependency information of packages during transitive scanning.

If instead you'd like to fetch data from [Maven Central](https://repo.maven.apache.org/maven2/), you can use the `--experimental-resolution-data-source=native` flag.

If your project uses mirrored or private registries, in addition to setting `--experimental-resolution-data-source=native`, you will need to use the `--experimental-maven-registry=<full-registry-url>` flag to specify the registry (e.g. `--experimental-maven-registry=https://repo.maven.apache.org/maven2/`).

## Custom Lockfiles

If you have a custom lockfile that we do not support or prefer to do your own custom parsing, you can extract the custom lockfile information and create a custom intermediate file containing dependency information so that osv-scanner can still check for vulnerabilities.
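Review bot: the private-registry paragraph says how to point `--experimental-maven-registry=<full-registry-url>` at a mirrored or private registry but not how credentials for such a registry are supplied, which is the first thing a user of a private registry will need to know; add a sentence stating where authentication is read from (or that unauthenticated access is assumed, if that is the current behaviour). The example value reuses the public Maven Central URL, which is the same endpoint the preceding sentence already describes as the native default, so it does not illustrate the private-registry case; a neutral placeholder such as `https://<your-mirror-host>/maven2/` would be clearer. Also note that this section uses `--experimental-resolution-data-source=native` while the guided-remediation doc uses `--data-source=native`; if the two flags are intentionally different, a short cross-reference would save readers from assuming a typo.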