Skip to content

docs: document data sources and external services#2457

Merged
cuixq merged 4 commits into
google:mainfrom
Ankitsinghsisodya:docs/document-data-sources
Jan 14, 2026
Merged

docs: document data sources and external services#2457
cuixq merged 4 commits into
google:mainfrom
Ankitsinghsisodya:docs/document-data-sources

Conversation

@Ankitsinghsisodya
Copy link
Copy Markdown
Contributor

@Ankitsinghsisodya Ankitsinghsisodya commented Jan 10, 2026

Overview

Issue: #1433

This PR adds a "Data Sources and Privacy" section to the README documenting the external services OSV-Scanner communicates with during operation.

Fixes #1433

Details

Added documentation for:

  • OSV.dev API (/v1/querybatch, /v1/determineversion) - Vulnerability queries and vendored C/C++ detection
  • deps.dev API - License scanning, dependency resolution, and package deprecation
  • Package Registries - Maven Central and npm Registry for native resolution

The section also clarifies that --offline mode disables network requests, and that no source code is transmitted.

Testing

  • Manual review of README formatting and content
  • Verified documentation renders correctly

Checklist

  • I have signed the Contributor License Agreement.
  • I have run the linter using ./scripts/run_lints.sh. (N/A - docs only)
  • I have run the unit tests using ./scripts/run_tests.sh. (N/A - docs only)
  • I have made my commits and PR title follow the Conventional Commits specification.

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Jan 10, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.80%. Comparing base (5f791d7) to head (705c4db).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #2457   +/-   ##
=======================================
  Coverage   67.80%   67.80%           
=======================================
  Files         172      172           
  Lines       13318    13318           
=======================================
  Hits         9030     9030           
  Misses       3574     3574           
  Partials      714      714

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@cuixq cuixq self-requested a review January 12, 2026 01:43
cuixq
cuixq reviewed Jan 12, 2026
View reviewed changes
Comment thread README.md Outdated
Comment thread README.md
Comment thread README.md
Comment thread README.md
Comment thread README.md Outdated
@Ankitsinghsisodya
docs: document data sources and external services
e1e2d96 
Document the external services OSV-Scanner communicates with:
- OSV.dev API for vulnerability queries
- deps.dev API for license and dependency information
- Package registries (Maven, npm) for native resolution

Fixes google#1433
@Ankitsinghsisodya Ankitsinghsisodya force-pushed the docs/document-data-sources branch from aa9ea1c to e1e2d96 Compare January 12, 2026 04:43
@Ankitsinghsisodya
Copy link
Copy Markdown
Contributor Author

Ankitsinghsisodya commented Jan 12, 2026

@cuixq, I have done all the required changes suggested by you.

cuixq
cuixq approved these changes Jan 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cuixq cuixq left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Comment thread README.md Outdated
Comment thread README.md Outdated
cuixq and others added 3 commits January 13, 2026 10:15
@cuixq
Merge branch 'main' into docs/document-data-sources
5b4c50c
@Ankitsinghsisodya
docs: address reviewer feedback on README data sources section
d3bfa13 
- Add link to offline mode documentation for --offline reference
- Clarify native registry wording for dependency resolution
@Ankitsinghsisodya
Merge remote-tracking branch 'refs/remotes/origin/docs/document-data-…
705c4db 
…sources' into docs/document-data-sources
@Ankitsinghsisodya
Copy link
Copy Markdown
Contributor Author

Ankitsinghsisodya commented Jan 13, 2026

Thanks @cuixq! Both suggestions have been applied.

@Ankitsinghsisodya
Copy link
Copy Markdown
Contributor Author

Ankitsinghsisodya commented Jan 13, 2026

@cuixq

@cuixq cuixq merged commit 8dec344 into google:main Jan 14, 2026
18 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Jan 15, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cuixq cuixq cuixq approved these changes

@another-rex another-rex another-rex approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Document the data and sources that OSV-Scanner uses

4 participants

@Ankitsinghsisodya @codecov-commenter @cuixq @another-rex