
Commit 2f2c0ba

fix: migrate default OSS Index API URL to Sonatype Guide; supporting optional username (#8404)
Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
1 parent ec33e79 commit 2f2c0ba

25 files changed

Lines changed: 546 additions & 401 deletions


CHANGELOG.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -117,7 +117,7 @@ See the full listing of [changes](https://github.com/dependency-check/Dependency
117117
## [Version 12.1.5](https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.5) (2025-09-20)
118118

119119
- **fix**: Update to support OSS Index Authentication Requirements ([#7920](https://github.com/dependency-check/DependencyCheck/pull/7920))
120-
- Note: OSS Index will require authentication starting 9/22/2025. Users must configure a free account to continue using the OSS Index Analyzer. See https://ossindex.sonatype.org/doc/auth-required.
120+
- Note: OSS Index will require authentication starting 9/22/2025. Users must configure a free account to continue using the OSS Index Analyzer.
121121
- fix: add CVSSv4 to suppressed entries in JSON report ([#7900](https://github.com/dependency-check/DependencyCheck/pull/7900))
122122
- fix: correctly utilize CVSSv4 from ossindex ([#7899](https://github.com/dependency-check/DependencyCheck/pull/7899))
123123
- fix: npe when processing cve with empty configuration ([#7888](https://github.com/dependency-check/DependencyCheck/pull/7888))
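Review bot: the link to https://ossindex.sonatype.org/doc/auth-required is removed from the 12.1.5 note (line 120) without any replacement, so readers of that release entry lose the only pointer to the account setup instructions. If the page no longer resolves after the move to Sonatype Guide, replace it with the current analyzer documentation link used elsewhere in this commit (https://dependency-check.github.io/DependencyCheck/analyzers/oss-index-analyzer.html) rather than dropping the reference outright.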
@@ -1334,7 +1334,7 @@ See the full listing of [resolved issues](https://github.com/dependency-check/De
13341334
- **Breaking:** The NVD CVE data import now uses the JSON data feeds instead of the XML data feeds.
13351335
- The parameter names have changed if you are mirroring the data feeds locally.
13361336
- **Breaking:** For developers using the core engine the identifiers have been drastically changed;
1337-
ODC now uses [Package URL](https://github.com/package-url/packageurl-java) for software
1337+
ODC now uses [Package URL](https://github.com/package-url/purl-spec) for software
13381338
identifiers and CPE objects from [CPE-Parser](https://github.com/stevespringett/CPE-Parser)
13391339
for vulnerable library identifiers.
13401340
- All of the report formats have been updated to include the additional data from the NVD CVE JSON data feeds.
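Review bot: the line 1337 change retargets the Package URL link from the packageurl-java library to the purl-spec repository inside a past release's notes, while the following line still links the concrete CPE-Parser library. Either keep the library link for consistency with the CPE line, or link both to their specifications; also consider whether rewriting old release entries belongs in a commit whose stated purpose is the OSS Index URL migration.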

README.md

Lines changed: 10 additions & 7 deletions
@@ -46,14 +46,17 @@ The NVD API has enforced rate limits. If you are using a single API KEY and
4646
multiple builds occur you could hit the rate limit and receive 403 errors. In
4747
a CI environment one must use a caching strategy.
4848

49-
### OSSIndex API Token Now Required for usage
49+
### Sonatype OSS Index API Token Now Required for usage
5050

51-
In September 2025 Sonatype OSSIndex started enforcing use of API tokens. If you
52-
wish to use Sonatype OSSIndex you must configure Dependency-Check
53-
to use a username and API token/password; see https://ossindex.sonatype.org/doc/api-token.
54-
Without OSSIndex credentials, Dependency Check will **automatically disable the OSSIndex analyzer**.
55-
Please see the documentation for the cli, maven, gradle, or ant integrations on
56-
how to set the OSSIndex credentials.
51+
Since September 2025 Sonatype OSS Index started enforcing use of API tokens for authentication. In April 2026 a
52+
subsequent migration to Sonatype Guide began.
53+
54+
If you wish to use Sonatype OSS Index you must configure Dependency-Check and consider implications for migration to
55+
Sonatype Guide. See the [analyzer documentation](https://dependency-check.github.io/DependencyCheck/analyzers/oss-index-analyzer.html)
56+
for more information.
57+
58+
Without credentials, Dependency Check will **automatically disable the OSS Index analyzer**. Please see the documentation
59+
for the cli, maven, gradle, or ant integrations on how to set the OSS Index credentials.
5760

5861
### Gradle build Environment
5962

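Review bot: the new sentence on line 51, "Since September 2025 Sonatype OSS Index started enforcing use of API tokens for authentication", mixes "since" with a simple past verb; write "Since September 2025, Sonatype OSS Index has enforced the use of API tokens for authentication" or "In September 2025 Sonatype OSS Index started enforcing the use of API tokens for authentication". The product name is also spelled both "Dependency-Check" (line 54) and "Dependency Check" (line 58) within the same section; pick one. Finally, the removed text pointed directly at https://ossindex.sonatype.org/doc/api-token for creating a token, whereas the new text only links the analyzer documentation page; make sure that page covers both the legacy token and the Sonatype Guide personal access token setup, since it is now the sole pointer.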
ant/src/site/markdown/config-update.md

Lines changed: 1 addition & 1 deletion
@@ -44,7 +44,7 @@ The following properties can be configured in the plugin. However, they are less
4444
| nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` | &nbsp; |
4545
| nvdUser | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
4646
| nvdPassword | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
47-
| nvdValidForHours | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | 4 |
47+
| nvdValidForHours | The number of hours to wait before checking for new updates from the NVD. | 4 |
4848
| databaseDriverName | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path. | &nbsp; |
4949
| databaseDriverPath | The path to the database driver JAR file; only needs to be set if the driver is not in the class path. | &nbsp; |
5050
| connectionString | The connection string used to connect to the database. See using a [database server](../data/database.html). | &nbsp; |
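Review bot: the line 47 change removes the redundant "The default is 4 hours." from the nvdValidForHours description because the default column already shows 4, which is a fair cleanup, but it is unrelated to the commit's stated purpose (OSS Index URL migration and optional username). Either mention the documentation tidy-up in the commit message or split it into its own change so the OSS Index diff stays reviewable on its own.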

ant/src/site/markdown/configuration.md

Lines changed: 6 additions & 6 deletions
@@ -84,11 +84,11 @@ be needed.
8484
| dartAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Dart Analyzer will be used. | true |
8585
| knownExploitedEnabled | Sets whether the Known Exploited Vulnerability update and analyzer are enabled. | true |
8686
| knownExploitedUrl | Sets URL to the CISA Known Exploited Vulnerabilities JSON data feed. | https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json |
87-
| ossIndexAnalyzerEnabled | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be enabled. This analyzer requires an internet connection. *Deprecated alias: `ossindexAnalyzerEnabled`* | true |
87+
| ossIndexAnalyzerEnabled | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be enabled. This analyzer requires an internet connection, and authentication is mandatory. *Deprecated alias: `ossindexAnalyzerEnabled`* | true |
8888
| ossIndexAnalyzerUseCache | Sets whether the OSS Index Analyzer will cache results. Cached results expire after 24 hours. *Deprecated alias: `ossindexAnalyzerUseCache`* | true |
89-
| ossIndexAnalyzerUrl | Alternative URL for the OSS Index. If not set the public Sonatype OSS Index will be used. *Deprecated alias: `ossindexAnalyzerUrl`* | https://ossindex.sonatype.org |
90-
| ossIndexAnalyzerUsername | Sets the username for OSS Index - note an account with OSS Index is not required. *Deprecated alias: `ossindexAnalyzerUsername`* | &nbsp; |
91-
| ossIndexAnalyzerPassword | Sets the password for OSS Index. *Deprecated alias: `ossindexAnalyzerPassword`* | &nbsp; |
89+
| ossIndexAnalyzerUrl | Alternative base URL for the OSS Index API. If not set the public Sonatype OSS Index API on Sonatype Guide will be used. *Deprecated alias: `ossindexAnalyzerUrl`* | https://api.guide.sonatype.com |
90+
| ossIndexAnalyzerUsername | *(deprecated)* Sets the OSS Index API username for use with legacy OSS Index API tokens. Username is not required after migration to using Sonatype Guide personal access token as password. *Deprecated alias: `ossindexAnalyzerUsername`* | &nbsp; |
91+
| ossIndexAnalyzerPassword | Sets the Sonatype Guide personal access token or (deprecated) legacy OSS Index API token to authenticate with. *Deprecated alias: `ossindexAnalyzerPassword`* | &nbsp; |
9292
| ossIndexAnalyzerWarnOnlyOnRemoteErrors | Whether we should only warn about Sonatype OSS Index remote errors instead of failing completely. | &nbsp; |
9393
| nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. This analyzer is an alternative to the Central or Artifactory Analyzers, allowing retrieval from Sonatype Nexus installations. | true |
9494
| nexusUrl | Defines the Nexus web service endpoint (example http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. | &nbsp; |
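Review bot: the default on line 89 moves from https://ossindex.sonatype.org to https://api.guide.sonatype.com, but the row does not say what happens to users who have ossIndexAnalyzerUrl explicitly set to the old host together with a legacy token and username. State in the row whether the legacy endpoint is still supported with ossIndexAnalyzerUsername plus the legacy token, and whether the analyzer emits a warning when the deprecated username is set against the new default URL, so an operator can distinguish a stale URL or credential pairing from a genuine authentication failure before the analyzer is auto-disabled. On line 90 the cell now carries two different deprecation markers, "*(deprecated)*" for the property itself and "*Deprecated alias: …*" for its old spelling, which read as the same thing; consider rewording the first as "Only needed with legacy OSS Index API tokens; not used with a Sonatype Guide personal access token" to keep the two distinct.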
@@ -124,7 +124,7 @@ be needed.
124124
| pathToYarn | The path to `yarn`. | &nbsp; |
125125
| pathToPnpm | The path to `pnpm`. | &nbsp; |
126126
| retireJsAnalyzerEnabled | Sets whether the RetireJS Analyzer update and analyzer are enabled. | true |
127-
| retireJsFilterNonVulnerable | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report. *Deprecated alias: `retirejsFilterNonVulnerable`* | false |
127+
| retireJsFilterNonVulnerable | Configures the RetireJS Analyzer to remove non-vulnerable JS dependencies from the report. *Deprecated alias: `retirejsFilterNonVulnerable`* | false |
128128
| retireJsFilter | A nested configuration that can be specified multple times; The regex defined is used to filter JS files based on content. *Deprecated alias: `retirejsFilter`* | &nbsp; |
129129
| nuspecAnalyzerEnabled | Sets whether the .NET Nuget Nuspec Analyzer will be used. | true |
130130
| nugetconfAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) .NET Nuget packages.config Analyzer will be used. `enableExperimental` must be set to true. | true |
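Review bot: the retireJsFilterNonVulnerable change on line 127 shows identical text on the removed and added lines, so it is a whitespace-only edit (trailing space or line ending). Harmless, but it is noise in a commit about the OSS Index migration; drop it from this change or note the cleanup in the commit message.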
@@ -159,7 +159,7 @@ The following properties can be configured in the plugin. However, they are less
159159
| nvdDatafeedUrl | The URL for the NVD API Data feed that can be generated using https://github.com/jeremylong/open-vulnerability-cli/blob/main/README.md#mirroring-the-nvd-cve-data - example value `https://internal.server/cache/nvdcve-{0}.json.gz` | &nbsp; |
160160
| nvdUser | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
161161
| nvdPassword | Credentials used for basic authentication for the NVD API Data feed. | &nbsp; |
162-
| nvdValidForHours | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | 4 |
162+
| nvdValidForHours | The number of hours to wait before checking for new updates from the NVD. | 4 |
163163
| databaseDriverName | The database driver full classname; note, only needs to be set if the driver is not JDBC4 compliant or the JAR is outside of the class path. | &nbsp; |
164164
| databaseDriverPath | The path to the database driver JAR file; only needs to be set if the driver is not in the class path. | &nbsp; |
165165
| connectionString | The connection string used to connect to the database. See using a [database server](../data/database.html). | &nbsp; |
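Review bot: this is the same "The default is 4 hours." removal already made on line 47 of ant/src/site/markdown/config-update.md; the two ant documentation tables repeat the nvd* rows verbatim, so every wording fix has to be applied twice. Acceptable for this commit, but worth a follow-up to keep a single copy of the shared rows (or generate the second table from the first) so the two cannot drift apart again.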
