fix: Update to support OSS Index Authentication Requirements #7920
jeremylong merged 7 commits into dependency-check:main from
Conversation
While the documentation is good - we may need to disable the analyzer by default unless an API key is provided...
…nalyzing: Set credentials and call prepareAnalyzer on tests to mimic the app behavior.
@jeremylong thanks for your feedback!
core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
In an email received from Sonatype - it appears the enforcement will begin on 9/22/2025:
Thank you for the PR!!! Really appreciate it.
| @Override | ||
| protected void prepareAnalyzer(Engine engine) throws InitializationException { | ||
| synchronized (FETCH_MUTIX) { | ||
| if (StringUtils.isEmpty(getSettings().getString(KEYS.ANALYZER_OSSINDEX_USER, StringUtils.EMPTY)) || |
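Review bot: the guard at the top of prepareAnalyzer only tests KEYS.ANALYZER_OSSINDEX_USER from the Settings, so credentials supplied through the Maven server id (ossIndexServerId) satisfy it only if the mojo has already copied them into the settings before this method runs; a Javadoc line on prepareAnalyzer stating that precondition would save users who configured only the server id from a misleading InitializationException. Minor: the lock field is spelled FETCH_MUTIX where MUTEX looks intended.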
Did you intentionally ignore the ossIndexServerId property here? Or is this method only called after user/pw were already resolved from the settings.xml (via server ID)?
Only called after this is configured in the mojo.
and in hindsight - this probably should have been a breaking change as most users will now get an exception...
Wouldn't they have gotten an exception anyway? Either from ODC or from Sonatype?
disable the analyzer by default unless an API key is provided
I think this would have been the best course of action (accompanied by a warning in the log).
In an email received from Sonatype - it appears the enforcement will begin on 9/22/2025:
I didn't consider this very community friendly; received the email on the 16th...
If I have enough time I was going to put more work into this tomorrow and possibly one more quick release. Disable by default, enabling by either providing creds or setting enabled=true (and flipping the CLI's disable to enableOssIndex). Just not sure if I will have time.
To disable the analyzer by default would be great. I have a lot of failed builds on our CI server now. I don't want to update the configuration for all of them. Or is it possible to do that by an environment variable?
Yes, I'd have to agree with @AndreVirtimo here. Disabling the analyzer if the credentials are empty seems like the way to go. If users want to use OSS Index to analyze their dependencies, they set up an account; otherwise the analyzer is skipped.
We'll wait for your release @jeremylong, so we can update sbt-dependency-check. Please let us know if we can help somehow.
Edit: Feel free to take a look at #7963
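The disable-by-default behaviour proposed in the comments above, as an added illustration rather than dependency-check's own code: a small Java gate that skips the OSS Index analyzer when credentials are absent, fails only when it was explicitly enabled without them, and reports the missing key name but never a credential value. The key strings and the enabled flag are assumptions modelled on the KEYS.ANALYZER_OSSINDEX_USER constant shown in the PR.

```java
import java.util.List;
import java.util.Map;
// Added example, not dependency-check's own code: decides whether the OSS Index
// analyzer should run now that Sonatype requires authenticated requests.
public final class OssIndexGate {
    public enum Decision { RUN, SKIP, FAIL }

    // Key names are assumptions modelled on KEYS.ANALYZER_OSSINDEX_USER from the PR.
    static final String KEY_USER = "analyzer.ossindex.user";
    static final String KEY_TOKEN = "analyzer.ossindex.password";
    static final String KEY_ENABLED = "analyzer.ossindex.enabled";

    // Disabled by default; RUN only when both credentials are present. An explicit
    // enabled=true without credentials is a hard FAIL, an explicit enabled=false
    // always SKIPs. The message names the missing key but never echoes a value.
    static Decision decide(Map<String, String> settings, StringBuilder message) {
        boolean hasUser = !isBlank(settings.get(KEY_USER));
        boolean hasToken = !isBlank(settings.get(KEY_TOKEN));
        String flag = settings.get(KEY_ENABLED);
        if ("false".equalsIgnoreCase(flag)) {
            message.append("OSS Index analyzer disabled via ").append(KEY_ENABLED);
            return Decision.SKIP;
        }
        if (hasUser && hasToken) {
            message.append("OSS Index analyzer enabled; requests will be authenticated");
            return Decision.RUN;
        }
        String missing = hasUser ? KEY_TOKEN : KEY_USER;
        if ("true".equalsIgnoreCase(flag)) {
            message.append("OSS Index analyzer explicitly enabled but ").append(missing)
                   .append(" is not set; Sonatype now requires an API token");
            return Decision.FAIL;
        }
        message.append("OSS Index analyzer skipped: ").append(missing)
               .append(" not configured; set credentials to enable it");
        return Decision.SKIP;
    }

    private static boolean isBlank(String s) { return s == null || s.trim().isEmpty(); }
    public static void main(String[] args) {
        // Constructed sample configurations; "example-token" is a placeholder value.
        List<Map<String, String>> samples = List.of(Map.of(), Map.of(KEY_ENABLED, "true"),
                Map.of(KEY_USER, "ci-bot", KEY_TOKEN, "example-token"));
        for (Map<String, String> cfg : samples) {
            StringBuilder msg = new StringBuilder();
            System.out.println(decide(cfg, msg) + ": " + msg);
        }
    }
}
```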
Description of Change
Sonatype announced that an API token will be required soon.

Update the documentation to instruct users on how to get it.
Related issues
relates to #7919
Have test cases been added to cover the new functionality?
no