osv: re-enable transitive scanning without pypi (#4848)

spencerschrock · web-flow · commit 80ee3ecfedf8 · 2025-11-13T12:49:44.000-07:00
Plugins are a new osv-scanner/osv-scalibr way of disabling specific
features, which give us finer control over what features to toggle.

Signed-off-by: Spencer Schrock &lt;sschrock@google.com&gt;
diff --git a/clients/osv.go b/clients/osv.go
@@ -61,10 +61,10 @@ func (v osvClient) ListUnfixedVulnerabilities(
 		GitCommits:        gitCommits,
 		CompareOffline:    v.local,
 		DownloadDatabases: v.local,
+		// swap out the transitive requirements scanning for offline extractor
 		ExperimentalScannerActions: osvscanner.ExperimentalScannerActions{
-			TransitiveScanningActions: osvscanner.TransitiveScanningActions{
-				Disabled: true,
-			},
+			PluginsEnabled:  []string{"python/requirements"},
+			PluginsDisabled: []string{"python/requirementsenhanceable"},
 		},
 	}) // TODO: Do logging?
 
