Migrate from Sonatype OSS Index to Sonatype Guide API

[danielcompton]

Is your feature request related to a problem? Please describe.

I got an email that Sonatype is migrating OSS Index to Sonatype Guide. The OSS Index API will move to a compatibility API within Guide, with migration instructions going out March 31, 2026.

Dependency-Check uses the OSS Index analyzer as a vulnerability data source, so this will need updating at some point.

Describe the solution you'd like

Unsure

Describe alternatives you've considered

• Do nothing and hope the compatibility API works without changes (unclear if endpoints or auth will change)
• Drop OSS Index analyzer and rely solely on NVD

Additional context

From Sonatype's announcement:

The OSS Index API will continue to be available via compatibility API in Sonatype Guide. Users can expect continued compatibility with existing integrations such as Dependency-Track and Dependency-Check.

Announcement: https://www.sonatype.com/products/sonatype-guide/oss-index-users

[nhumblot]

Relates to #8335

[nhumblot]

I did a bit of testing. It seems for now Dependency-Check cannot fetch data from the new platform.

The issue is at the authentication layer, the oss-index-client version we have seems to not support the new authentication scheme. I will wait for the migration instructions which are planned to be shared for the end of the month.

[chadlwilson]

If that's the case, it's not backward compatible. 😅

But perhaps they will release a new client library version. The client is an official one from Sonatype, so they have the ability to do that.

[commadelimited]

I have an open ticket within my team to resolve the Disabling OSS Index analyzer due to missing user/password credentials. error. I've created an account with Sonatype Guide, applied the email/apikey in ~/.m2/settings.xml, and added the ossIndexServerId property to my dependency-check-maven configuration block. However when I run mvn dependency-check:aggregate I get a number of the following errors:

[ERROR] Invalid credentials for the OSS Index, disabling the analyzer
[WARNING] An error occurred while analyzing '<PATH-REDACTED>' (Sonatype OSS Index Analyzer): Invalid credentials provided for OSS Index

as well as the final error block

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:12.1.9:aggregate (default-cli) on project <PROJECT>: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis:
[ERROR] 	AnalysisException: Invalid credentials provided for OSS Index
[ERROR] 		caused by DownloadFailedException: https://ossindex.sonatype.org/api/v3/component-report - Server status: 401 - Server reason: Unauthorized

Based on the docs, it seems like I've configured this properly, but there are external hindrances preventing this from working properly. Am I missing something?

[chadlwilson]

OSS Index is OSS Index, Guide is Guide. They use completely different identity frontends, although OSS Index accounts can be used to log in to Guide as of today. Not sure if the reverse is true (I doubt it).

Thus there's no reason to believe that Guide API keys will allow authentication to the old OSS Index URLs ODC uses in <= 12.1.0. If the API token didn't come from https://ossindex.sonatype.org/user/settings right now I highly doubt it will work.

Even the docs for the new compatibility API at https://guide.sonatype.com/api imply they require use of an OSS Index API key implying Guide API keys won't work for the compatibility API nor the legacy OSS Index URLs which ODC currently uses.

OSS Index Compatibility

Legacy OSSI API providing backward compatibility. Allows existing OSSI users to continue using their OSSI API tokens without creating a new Sonatype Guide account. Authentication requires HTTP Basic Auth with OSSI username and API token.

Currently OSS Index doesn't allow new key generation, leaving new users somehow stuck (edit: without changing base URLs)

The messaging is inconsistent and I haven't yet seen the migration instructions for existing tools, but perhaps I missed something....

[chadlwilson]

Ahh okay, finally found https://help.sonatype.com/en/oss-index-migration-to-sonatype-guide.html which implies we need to change our base URL to the compatibility API.

On an existing ODC version you'll need to update the OSS Index URL per #8335 (reply in thread) but I don't think any of us maintainerish types have tried yet.

They have documented steps at https://help.sonatype.com/en/oss-index-migration-steps.html#using-oss-index-with-dependency-check which although don't think discussed with us looks kinda correct to me (I'm not convinced they have the capitalization correct for the Maven setting and don't think any of us have tried it.)

Repeating here for clarity (but omitting their suggestion to disable caching):

CLI / Docker

dependency-check \
    --project "My Project" \
    --scan "/path/to/source" \
    --ossIndexUsername "<your-username>" \
    --ossIndexPassword "<your-token>" \
    --ossIndexUrl "https://api.guide.sonatype.com"

Maven
(capitalization changed from Sonatype's example to match ODC docs and this)

<configuration>
    <ossindexAnalyzerUrl>https://api.guide.sonatype.com</ossindexAnalyzerUrl>
</configuration>

Gradle

dependencyCheck {
    analyzers.ossIndex.enabled = true
    analyzers.ossIndex.username = System.getenv('OSS_INDEX_USERNAME')
    analyzers.ossIndex.password = System.getenv('OSS_INDEX_PASSWORD')
    analyzers.ossIndex.url = "https://api.guide.sonatype.com"
}

@commadelimited see if a Guide-generated API key works when you change that URL. I'm still not clear if the compatibility API will work with both Guide API keys and OSS Index API keys (at least for the next month until full cutover April 28th 2026) as it's not explicitly documented that I can see.

(edit: changing the base URL seems to work fine for me with the Gradle plugin in a quick test with a legacy OSS Index API key, so if authentication still fails with a guide url, then we know the issue is Guide API Keys on the compatibility API)

[commadelimited]

That's a negative @chadlwilson. Given that we're just now working on this, and it's been in place since the fall, I think we're fine to wait another few weeks.

I'll come back to this mid April and check again.

[chadlwilson]

Did you double check that your error message reflects the new base url, and thus that the configuration change applied correctly?

[commadelimited]

I didn't before no, but I just did. I should have done that first, sorry about that. Unfortunately it's still returning an error response.

With only the <ossIndexServerId> property in the configuration block.

[ERROR] AnalysisException: Invalid credentials provided for OSS Index
[ERROR] caused by DownloadFailedException: https://ossindex.sonatype.org/api/v3/component-report - Server status: 401 - Server reason: Unauthorized
[ERROR] caused by HttpResponseException: status code: 401, reason phrase: Unauthorized

With both the <ossIndexServerId> and <ossindexAnalyzerUrl> properties:

[ERROR] AnalysisException: Invalid credentials provided for OSS Index
[ERROR] caused by DownloadFailedException: https://api.guide.sonatype.com/api/v3/component-report - Server status: 401 - Server reason: Unauthorized
[ERROR] caused by HttpResponseException: status code: 401, reason phrase: Unauthorized

[chadlwilson]

Thanks @commadelimited - I confirmed this locally on my account, the Guide API Key doesn't work for the compatibility APIs.

2026-04-01T16:05:49.129+0800 [WARN] [org.owasp.dependencycheck.AnalysisTask] An error occurred while analyzing '/Users/chad/.gradle/caches/modules-2/files-2.1/jakarta.xml.bind/jakarta.xml.bind-api/4.0.5/161811f36cad3c65991502e80317f2f6703361df/jakarta.xml.bind-api-4.0.5.jar' (Sonatype OSS Index Analyzer): Invalid credentials provided for OSS Index
2026-04-01T16:05:49.129+0800 [DEBUG] [org.owasp.dependencycheck.AnalysisTask]
org.owasp.dependencycheck.analyzer.exception.AnalysisException: Invalid credentials provided for OSS Index
	at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:171)
	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
	at java.base@25.0.2/java.util.concurrent.FutureTask.run(FutureTask.java:328)
	at java.base@25.0.2/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1090)
	at java.base@25.0.2/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:614)
	at java.base@25.0.2/java.lang.Thread.run(Thread.java:1474)
Caused by: org.owasp.dependencycheck.utils.DownloadFailedException: https://api.guide.sonatype.com/api/v3/component-report - Server status: 401 - Server reason: Unauthorized
	at org.owasp.dependencycheck.utils.Downloader.wrapAndThrowHttpResponseException(Downloader.java:438)
	at org.owasp.dependencycheck.utils.Downloader.postBasedFetchContent(Downloader.java:549)
	at org.owasp.dependencycheck.data.ossindex.ODCConnectionTransport.post(ODCConnectionTransport.java:82)
	at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.doRequestComponentReports(OssindexClientImpl.java:204)
	at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports(OssindexClientImpl.java:170)
	at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports(OssIndexAnalyzer.java:251)
	at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:152)
	... 7 more
Caused by: org.apache.hc.client5.http.HttpResponseException: status code: 401, reason phrase: Unauthorized
	at org.apache.hc.client5.http.impl.classic.AbstractHttpClientResponseHandler.handleResponse(AbstractHttpClientResponseHandler.java:69)
	at org.apache.hc.client5.http.impl.classic.BasicHttpClientResponseHandler.handleResponse(BasicHttpClientResponseHandler.java:72)
	at org.apache.hc.client5.http.impl.classic.BasicHttpClientResponseHandler.handleResponse(BasicHttpClientResponseHandler.java:55)
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:247)
	at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
	at org.owasp.dependencycheck.utils.Downloader.postBasedFetchContent(Downloader.java:544)
	... 12 more

The new Guide tokens are Bearer tokens, whereas the old OSS Index ones are just Basic auth password alternatives, so it probably makes sense that it doesn't work. I changed ODC code to force use of Bearer auth to see if it'd work, but the compatiiblity APIs seem to force use of Basic auth.

2026-04-01T16:15:54.173+0800 [DEBUG] [org.apache.hc.client5.http.headers] http-outgoing-3 >> Accept: application/vnd.ossindex.component-report.v1+json
2026-04-01T16:15:54.173+0800 [DEBUG] [org.apache.hc.client5.http.headers] http-outgoing-3 >> Authorization: Bearer GUIDE_TOKEN
2026-04-01T16:15:54.174+0800 [DEBUG] [org.apache.hc.client5.http.headers] http-outgoing-3 >> Content-Type: application/vnd.ossindex.component-report-request.v1+json; charset=UTF-8
2026-04-01T16:15:54.402+0800 [DEBUG] [org.apache.hc.client5.http.headers] http-outgoing-3 << WWW-Authenticate: Basic realm="OSS Index API", error="invalid_token", error_description="Authorization header must start with 'Basic '"
2026-04-01T16:15:54.407+0800 [DEBUG] [org.apache.hc.client5.http.impl.DefaultAuthenticationStrategy] ex-0000000037 Authentication schemes in the order of preference: [Bearer, SCRAM-SHA-256, Digest, Basic]
2026-04-01T16:15:54.407+0800 [DEBUG] [org.apache.hc.client5.http.impl.DefaultAuthenticationStrategy] ex-0000000037 Challenge for Bearer authentication scheme not available
2026-04-01T16:15:54.407+0800 [DEBUG] [org.apache.hc.client5.http.impl.auth.BasicScheme] ex-0000000037 No credentials found for auth scope [BASIC 'OSS Index API' https://api.guide.sonatype.com:443]

Perhaps Sonatype intend to change that at some point in the next month, but for now it seems it's impossible to use OSS Index via API for new users who don't already have an OSS Index API token generated.