Does the OSV Tool save or cache our query results?

[bruT3-Squ4D]

Hello, if I wanted to use the OSV tool to scan repositories that have classified and or proprietary
applications in it, does the information we query get saved by you in any way? I'm developing an application for work, and we'd like to use this tool's web API on some sensitive systems, but want to make sure the queries and vulnerability results for specific git hashes, and even the git commit hashes themselves, are not being saved by the tool and the API in any way.

[andrewpollock]

Hi,

You can inspect our API implementation code at https://github.com/google/osv.dev/tree/master/gcp/api to see what it logs.

The premise of your request is one of the drivers for google/osv-scanner#81, FYI (with the caveat that it won't be possible for commit-based lookups).

In terms of what queries get logged by the GCP infrastructure that implements the API, I can state (unfortunately without any particularly good way for you to independently verify) that the logging is pretty light at this point in time.

https://cloud.google.com/endpoints/docs/openapi/ref-endpoints-logs discusses what Cloud Endpoints logs. I just went and took a look at the logs, and as expected, because the two API calls OSV Scanner uses are HTTP POST-based, the contents of the requests are not included.

• https://osv.dev/docs/#tag/api/operation/OSV_QueryAffected
• https://osv.dev/docs/#tag/api/operation/OSV_QueryAffectedBatch

The data sent in these requests is either a Git commit hash or an ecosystem-specific identifier (ESI), namely the package name, the ecosystem name, optionally the purl and a version string.

[bruT3-Squ4D]

Hey,

Thanks again

[andrewpollock]

I also filed google/osv-scanner#303 based on your question.