Guided Remediation Docs (#827)

Link: https://michaelkedar.github.io/osv-scanner/experimental/guided-remediation/ Doc page for guided remediation. Will appreciate feedback if things aren't clear or if something's missing. #352
google · Mar 5, 2024 · 5fc5037 · 5fc5037
1 parent f999707
commit 5fc5037
Show file tree

Hide file tree

Showing 12 changed files with 592 additions and 118 deletions.
diff --git a/cmd/osv-scanner/fix/main.go b/cmd/osv-scanner/fix/main.go
@@ -34,7 +34,6 @@ type osvFixOptions struct {
 
 func Command(stdout, stderr io.Writer, r *reporter.Reporter) *cli.Command {
 	return &cli.Command{
-		Hidden:      true, // TODO: un-hide when ready
 		Name:        "fix",
 		Usage:       "[EXPERIMENTAL] scans a manifest and/or lockfile for vulnerabilities and suggests changes for remediating them",
 		Description: "[EXPERIMENTAL] scans a manifest and/or lockfile for vulnerabilities and suggests changes for remediating them",

diff --git a/cmd/osv-scanner/fix/state-choose-strategy.go b/cmd/osv-scanner/fix/state-choose-strategy.go
@@ -297,14 +297,14 @@ func (st *stateChooseStrategy) View(m model) string {
 	))
 
 	devString := "YES"
-	if !m.options.DevDeps {
+	if m.options.DevDeps {
 		devString = "NO"
 	}
 	s.WriteString(tui.RenderSelectorOption(
 		st.cursorPos == stateChooseDev,
 		" > ",
 		fmt.Sprintf("%%s: %s\n", devString),
-		"Include dev only",
+		"Exclude dev only",
 	))
 	s.WriteString(tui.RenderSelectorOption(
 		st.cursorPos == stateChooseApplyCriteria,

diff --git a/docs/_sass/custom/custom.scss b/docs/_sass/custom/custom.scss
@@ -0,0 +1,10 @@
+// Always show child pages in the navigation menu
+// https://github.com/just-the-docs/just-the-docs/issues/245#issuecomment-656334333
+.nav-list .nav-list-item > .nav-list {
+  display: block !important;
+}
+
+// Hide the child page expand arrow, since it doesn't do anything
+.nav-list .nav-list-expander {
+  display: none !important;
+}
diff --git a/docs/experimental.md b/docs/experimental.md
@@ -3,127 +3,14 @@ layout: page
 title: Experimental Features
 permalink: /experimental/
 nav_order: 8
+has_children: true
 ---
 
 # Experimental Features
 
 {: .no_toc }
 
-<details open markdown="block">
-  <summary>
-    Table of contents
-  </summary>
-  {: .text-delta }
-- TOC
-{:toc}
-</details>
+These features are currently under development. While their functionality may be subject to change, they are available for you to try.
 
 {: .note }
 Features and flags with the `experimental` prefix might change or be removed with only a minor version update.
-
-## Offline mode
-
-OSV-Scanner now supports offline scanning as an experimental feature. Offline scanning checks your project against a local database instead of calling the OSV.dev API.
-
-### Specify database location
-
-Our offline features require the use of a local database, the location of which is determined through the use of the `OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY` environment variable.
-
-The local database file structure is in this form:
-
-```
-{local_db_dir}/
-  osv-scanner/
-    npm/all.zip
-    PyPI/all.zip
-    …
-    {ecosystem}/all.zip
-```
-
-Where `{local_db_dir}` can be set by the `OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY` environment variable.
-
-If the `OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY` environment variable is _not_ set, OSV-Scanner will attempt to look for the database in the following locations, in this order:
-
-1. The location returned by [`os.UserCacheDir`](https://pkg.go.dev/os#UserCacheDir)
-2. The location returned by [`os.TempDir`](https://pkg.go.dev/os#TempDir)
-
-The database can be [downloaded manually](./experimental.md#manual-database-download) or by using the [`--experimental-local-db` flag](./experimental.md#local-database-option).
-
-### Offline option
-
-The offline database flag `--experimental-offline` causes OSV-Scanner to scan your project against a previously downloaded local database. OSV-Scanner will not download or update the local database, nor will it send any project or dependency information anywhere. When a local database is not present, you will get an error message. No network connection is required when using this flag.
-
-```bash
-osv-scanner --experimental-offline ./path/to/your/dir
-```
-
-### Local database option
-
-The local database flag `--experimental-local-db` causes OSV-Scanner to download or update your local database and then scan your project against it.
-
-```bash
-osv-scanner --experimental-local-db ./path/to/your/dir
-```
-
-### Manual database download
-
-Instead of using the `--experimental-local-db` flag to download the database, it is possible to manually download the database.
-
-A downloadable copy of the OSV database is stored in a GCS bucket maintained by OSV:
-[`gs://osv-vulnerabilities`](https://osv-vulnerabilities.storage.googleapis.com)
-
-This bucket contains zip files containing all vulnerabilities for each ecosystem at:
-`gs://osv-vulnerabilities/<ECOSYSTEM>/all.zip`.
-
-E.g. for PyPI vulnerabilities:
-
-```bash
-gsutil cp gs://osv-vulnerabilities/PyPI/all.zip .
-```
-
-You can also download over HTTP via https://osv-vulnerabilities.storage.googleapis.com/<ECOSYSTEM>/all.zip .
-
-A list of all current ecosystems is available at
-[`gs://osv-vulnerabilities/ecosystems.txt`](https://osv-vulnerabilities.storage.googleapis.com/ecosystems.txt).
-
-Set the location of your manually downloaded database by following the instructions [here](./experimental.md#specify-database-location).
-
-### Limitations
-
-1. Commit level scanning is not supported.
-
-## License scanning
-
-OSV-Scanner supports license checking as an experimental feature. The data comes from the [deps.dev API](https://docs.deps.dev/api/).
-
-### License summary
-
-If you want a summary of your dependencies licenses, use the `--experimental-licenses-summary` flag:
-
-```bash
-osv-scanner --experimental-licenses-summary path/to/repository
-```
-
-### License violations
-
-To set an allowed license list and see the details of packages that do not conform, use the `--experimental-licenses` flag:
-
-```bash
-osv-scanner --experimental-licenses="comma-separated list of allowed licenses" path/to/directory
-```
-
-Include your allowed licenses as a comma-separated list. OSV-Scanner recognizes licenses in SPDX format. Please indicate your allowed licenses using [SPDX license](https://spdx.org/licenses/) identifiers.
-
-#### License violations example
-
-If you wanted to allow the following licenses:
-
-- [BSD 3-Clause "New" or "Revised" License](https://spdx.org/licenses/BSD-3-Clause.html)
-- [Apache License 2.0](https://spdx.org/licenses/Apache-2.0.html)
-- [MIT](https://spdx.org/licenses/MIT.html)
-
-Your command would be in this form:
-
-```bash
-osv-scanner --experimental-licenses="BSD-3-Clause,Apache-2.0,MIT" path/to/directory
-```