Offer OSS Index user/pw for Maven #7482

@marcelstoer

Is your feature request related to a problem? Please describe.
Related to #4533.
The CLI and Gradle clients offer to set the OSS Index user and password. For the Maven client only the indirection through server ID and settings.xml is currently supported.

Describe the solution you'd like
For Maven, allow setting either user/pw or server ID.

It is obvious that using the server ID is usually a safer setup. However, this assumes you have access to or control over the settings.xml. This is not always the case. Example: corporate CI infrastructure with Maven settings controlled by IT.

You can still include the OSS Index for ODC safely in your pipeline if you do something like mvn -U org.owasp:dependency-check-maven:$ODC_VERSION:aggregate -DossIndexUser=$OSS_INDEX_USER ... The actual value for $OSS_INDEX_USER would be stored as a CI env variable with your project (e.g. in GitLab).

Describe alternatives you've considered
If the settings.xml isn't read-only, the pipeline might try to alter it prior to running ODC.

Additional context
@jeremylong voiced potential "endorsement" for this feature here #4533 (comment)
