Does the OSV Tool save or cache our query results? #1131
-
Hello, if I wanted to use the OSV tool to scan repositories that have classified and or proprietary |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
Hi, You can inspect our API implementation code at https://github.com/google/osv.dev/tree/master/gcp/api to see what it logs. The premise of your request is one of the drivers for google/osv-scanner#81, FYI (with the caveat that it won't be possible for commit-based lookups). In terms of what queries get logged by the GCP infrastructure that implements the API, I can state (unfortunately without any particularly good way for you to independently verify) that the logging is pretty light at this point in time. https://cloud.google.com/endpoints/docs/openapi/ref-endpoints-logs discusses what Cloud Endpoints logs. I just went and took a look at the logs, and as expected, because the two API calls OSV Scanner uses are HTTP POST-based, the contents of the requests are not included.
The data sent in these requests is either a Git commit hash or an ecosystem-specific identifier (ESI), namely the package name, the ecosystem name, optionally the purl and a version string. |
Beta Was this translation helpful? Give feedback.
Hi,
You can inspect our API implementation code at https://github.com/google/osv.dev/tree/master/gcp/api to see what it logs.
The premise of your request is one of the drivers for google/osv-scanner#81, FYI (with the caveat that it won't be possible for commit-based lookups).
In terms of what queries get logged by the GCP infrastructure that implements the API, I can state (unfortunately without any particularly good way for you to independently verify) that the logging is pretty light at this point in time.
https://cloud.google.com/endpoints/docs/openapi/ref-endpoints-logs discusses what Cloud Endpoints logs. I just went and took a look at the logs, and as expected, because the two API c…