framayo (Contributor) commented Sep 9, 2025

Description of Change

Sonatype announced that an API token will be required soon.
Update the documentation to instruct users on how to get it.

Related issues

relates to #7919

Have test cases been added to cover the new functionality?

no

@boring-cyborg boring-cyborg bot added the documentation site documentation label Sep 9, 2025
@framayo framayo changed the title from "Add information on how to get an API token for OSS Index" to "docs: add information on how to get an API token for OSS Index" Sep 9, 2025
jeremylong (Collaborator) commented:
While the documentation is good - we may need to disable the analyzer by default unless an API key is provided...

@boring-cyborg boring-cyborg bot added the core changes to core label Sep 17, 2025
…nalyzing:

Set credentials and call prepareAnalyzer on tests to mimic the app behavior.
@boring-cyborg boring-cyborg bot added the tests test cases label Sep 18, 2025
framayo (Contributor, Author) commented Sep 18, 2025

@jeremylong thanks for your feedback!
I've updated the PR validating if the credentials are set before analyzing.
I had to modify the enrich test to use a mock response because it was hitting ossindex.sonatype.org, and it would require a real user and token once the authentication enforcement is in place.

jeremylong previously approved these changes Sep 20, 2025
@jeremylong jeremylong changed the title from "docs: add information on how to get an API token for OSS Index" to "fix: Update to support OSS Index Authentication Requirements" Sep 20, 2025
jeremylong (Collaborator) commented:
In an email received from Sonatype - it appears the enforcement will begin on 9/22/2025:

> We are committed to making this transition as smooth as possible. Enforcement will begin on 09/22/2025. If you have any questions or concerns, please contact us at [email protected]
> Thank you for your continued use of OSS Index.

@jeremylong jeremylong merged commit 812793d into dependency-check:main Sep 20, 2025
9 checks passed
jeremylong (Collaborator) commented:
Thank you for the PR!!! Really appreciate it.

@jeremylong jeremylong added this to the 12.1.4 milestone Sep 20, 2025
Inline review comment on the credential check in `prepareAnalyzer`:

```java
@Override
protected void prepareAnalyzer(Engine engine) throws InitializationException {
    synchronized (FETCH_MUTIX) {
        if (StringUtils.isEmpty(getSettings().getString(KEYS.ANALYZER_OSSINDEX_USER, StringUtils.EMPTY)) ||
```

Collaborator commented:
Did you intentionally ignore the ossIndexServerId property here? Or is this method only called after user/pw were already resolved from the settings.xml (via server ID)?

Collaborator commented:
Only called after this is configured in the mojo.

Collaborator commented:
and in hindsight - this probably should have been a breaking change as most users will now get an exception...

Collaborator commented:
Wouldn't they have gotten an exception anyway? Either from ODC or from Sonatype?

> disable the analyzer by default unless an API key is provided

I think this would have been the best course of action (accompanied by a warning in the log).

> In an email received from Sonatype - it appears the enforcement will begin on 9/22/2025:

I didn't consider this very community friendly; received the email on the 16th...

Collaborator commented:
If I have enough time I was going to put more work into this tomorrow and possibly one more quick release. Disable by default, enabling by either providing creds or setting enabled=true (and flipping the CLI's disable to enableOssIndex). Just not sure if I will have time.
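
An added example (not dependency-check's own code) of the "disable by default, enable by either providing credentials or setting enabled=true" policy proposed above; the setting keys, the `OssIndexGate` class and the `Decision` enum are assumptions, as is the simple `Map` standing in for the project's `Settings`:

```java
import java.util.HashMap;
import java.util.Map;

public class OssIndexGate {
    // Hypothetical setting keys; the real project keeps these in its own KEYS class.
    static final String USER = "analyzer.ossindex.user";
    static final String TOKEN = "analyzer.ossindex.token";
    static final String ENABLED = "analyzer.ossindex.enabled";

    /** What prepareAnalyzer should do with the OSS Index analyzer. */
    enum Decision { RUN, SKIP_NO_CREDENTIALS, FAIL_NO_CREDENTIALS }

    static boolean isBlank(String s) { return s == null || s.trim().isEmpty(); }

    static boolean hasCredentials(Map<String, String> settings) {
        return !isBlank(settings.get(USER)) && !isBlank(settings.get(TOKEN));
    }

    // Credentials present: run. Missing and the user never opted in: skip (disabled by
    // default). Missing but enabled=true: fail fast, since OSS Index would reject the request.
    static Decision decide(Map<String, String> settings) {
        if (hasCredentials(settings)) return Decision.RUN;
        boolean optedIn = Boolean.parseBoolean(settings.getOrDefault(ENABLED, "false"));
        return optedIn ? Decision.FAIL_NO_CREDENTIALS : Decision.SKIP_NO_CREDENTIALS;
    }

    // Mimics prepareAnalyzer: warn for the skip case, throw only for the fail case.
    static boolean prepare(Map<String, String> settings) {
        switch (decide(settings)) {
            case RUN:
                // log the user name only; the token must never reach the build log
                System.out.println("OSS Index analyzer enabled for user " + settings.get(USER));
                return true;
            case SKIP_NO_CREDENTIALS:
                System.out.println("WARN: OSS Index analyzer skipped, no user/token configured");
                return false;
            default:
                throw new IllegalStateException("OSS Index analyzer enabled but no user/token configured");
        }
    }

    public static void main(String[] args) {
        Map<String, String> noCreds = new HashMap<>();                       // default CI job
        Map<String, String> withCreds = Map.of(USER, "ci-bot", TOKEN, "<token-placeholder>");
        Map<String, String> optedIn = Map.of(ENABLED, "true");              // enabled, but no creds
        prepare(noCreds);    // warns and skips
        prepare(withCreds);  // runs
        try { prepare(optedIn); } catch (IllegalStateException e) { System.out.println("ERROR: " + e.getMessage()); }
    }
}
```

The default (no credentials, no opt-in) is the case that keeps existing CI jobs green while still making the missing token visible in the log.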

Another participant commented:
To disable the analyzer by default would be great. I have a lot of failed builds on our CI server now. I don't want to update the configuration for all of them. Or is it possible to do that by an environment variable?

nMoncho (Contributor) commented Sep 23, 2025
Yes, I'd have to agree with @AndreVirtimo here. Disabling the analyzer if the credentials are empty seems like the way to go. If users want to use OSS Index to analyze their dependencies, they set up an account; otherwise the analyzer is skipped.

We'll wait for your release @jeremylong, so we can update sbt-dependency-check. Please let us know if we can help somehow.

Edit: Feel free to take a look at #7963
