Add ability to use OSS Index APIKey instead of username/password

[pwagland]

When using keys in a continuous build system it is always preferable to use a key as opposed to a username/password, as if the key is compromised, it doesn't lead to the username being leaked, as well an any password re-use that might happen.

Describe the solution you'd like
Add a --ossIndexApiKey that allows the usage of the ApiKey instead of username/password.

Describe alternatives you've considered
We can use username/password.

Additional context
General security guidelines prefer to use a key instead of the username/password.

[pwagland]

I noticed this when trying if an account for OSS Index solved the NPE in #4513.

[adam-siklosi]

You can supply an api token in the password configuration as the documentation describes:
https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration-aggregate.html
The password or API token to connect to Sonatype's OSS Index.

[pwagland]

Hmm. I was mislead by the code then, since it appears to require both the username and the password to be configured: https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/java/org/owasp/dependencycheck/data/ossindex/OssindexClientFactory.java#L80-L83

[adam-siklosi]

Yesterday we were fiddling around and there is something weird. First time it worked if you supply only the api token in the password. Afterwards only worked if you supply the user and the token in the password field. (this has been tested 2 times independently from different machines) It was probably some kind of caching issue which confused me. (I didn't check the code that time)

I think you are right that the username shouldn't be mandatory.

[marcelstoer]

@jeremylong I noticed inconsistencies in the documentation and maybe the implementation wrt this feature across CLI/Gradle/Maven.

• While CLI & Gradle both support user/pw directly, Maven doesn't. I guess that's intentional.
• The Gradle documentation is the only one that mentions that we could set an API token as password.
• No mention anywhere what to do about the username in that case.

Could you please clarify such we that can create PRs if necessary, thanks.

CLI

--ossIndexUsername 	<username> 	The optional username to connect to Sonatype's OSS Index.
--ossIndexPassword 	<password> 	The optional password to connect to Sonatype's OSS Index.

Source: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html

Gradle

ossIndex 	username 	The optional user name to connect to Sonatype's OSS Index.
ossIndex 	password 	The password or API token to connect to Sonatype's OSS Index.

Source: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration-aggregate.html

Maven

ossindexServerId 	The id of a server defined in the settings.xml to retrieve the credentials (username and password) to connect to OSS Index instance; not it is not required to have a registered account and use this configuration.

Source: https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html

[jeremylong]

In all cases an API token can be used in place of the password. The word "optional" should likely be removed in all cases; if you are providing credentials you must provide both a username and a password or API token.

With regard to Maven - allowing the configuration of the username and password makes them cleartext in your pom. When there is an option to use the settings.xml this is a "safer" choice. That being said, the username/password fields could be added for consistency.

[jeremylong]

Here is the documentation for the API that indicates both a username and password or API token must be used: https://ossindex.sonatype.org/doc/rest

[marcelstoer]

Thank you! I'll see if I can come up with a PR to extend the docs to that effect. "optional" isn't exactly wrong as you can use the OSS index without explicit authentication. The only benefit of having an account is the higher rate limit AFAIK.