
Add ability to use OSS Index APIKey instead of username/password #4533

Closed
pwagland opened this issue May 24, 2022 · 8 comments · Fixed by #7261

Comments

@pwagland

When using keys in a continuous build system it is always preferable to use a key as opposed to a username/password, as if the key is compromised, it doesn't lead to the username being leaked, as well as any password re-use that might happen.

Describe the solution you'd like
Add a --ossIndexApiKey that allows the usage of the ApiKey instead of username/password.

Describe alternatives you've considered
We can use username/password.

Additional context
General security guidelines prefer to use a key instead of the username/password.

@pwagland
Author

I noticed this when trying whether an account for OSS Index solved the NPE in #4513.

@adam-siklosi

adam-siklosi commented May 25, 2022

You can supply an api token in the password configuration as the documentation describes:
https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration-aggregate.html
The password or API token to connect to Sonatype's OSS Index.

@pwagland
Author

Hmm. I was misled by the code then, since it appears to require both the username and the password to be configured: https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/java/org/owasp/dependencycheck/data/ossindex/OssindexClientFactory.java#L80-L83

@adam-siklosi

Yesterday we were fiddling around and there is something weird. The first time, it worked if you supplied only the API token in the password. Afterwards it only worked if you supplied the user and the token in the password field. (This has been tested 2 times independently from different machines.) It was probably some kind of caching issue which confused me. (I didn't check the code that time.)

I think you are right that the username shouldn't be mandatory.

@marcelstoer
Contributor

marcelstoer commented Dec 11, 2024

@jeremylong I noticed inconsistencies in the documentation and maybe the implementation wrt this feature across CLI/Gradle/Maven.

  • While CLI & Gradle both support user/pw directly, Maven doesn't. I guess that's intentional.
  • The Gradle documentation is the only one that mentions that we could set an API token as password.
  • No mention anywhere what to do about the username in that case.

Could you please clarify so that we can create PRs if necessary, thanks.

CLI

--ossIndexUsername <username>   The optional username to connect to Sonatype's OSS Index.
--ossIndexPassword <password>   The optional password to connect to Sonatype's OSS Index.

Source: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html

Gradle

ossIndex  username   The optional user name to connect to Sonatype's OSS Index.
ossIndex  password   The password or API token to connect to Sonatype's OSS Index.

Source: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration-aggregate.html

Maven

ossindexServerId   The id of a server defined in the settings.xml to retrieve the credentials (username and password) to connect to OSS Index instance; note it is not required to have a registered account and use this configuration.

Source: https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html

@jeremylong
Owner

In all cases an API token can be used in place of the password. The word "optional" should likely be removed in all cases; if you are providing credentials you must provide both a username and a password or API token.

With regard to Maven - allowing the configuration of the username and password makes them cleartext in your pom. When there is an option to use the settings.xml this is a "safer" choice. That being said, the username/password fields could be added for consistency.
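One way to apply the settings.xml approach described above, as an added example that is not part of the thread or of the project's own documentation: the username and the API token (in the password field, as the thread states) live in the user's private ~/.m2/settings.xml under a server id, and the pom only references that id via ossindexServerId. The server id `ossindex` and the placeholder credential values are assumptions.

```xml
<!-- ~/.m2/settings.xml (user-private file, never committed to the repository) -->
<settings>
  <servers>
    <server>
      <!-- assumed id; it only has to match ossindexServerId in the pom -->
      <id>ossindex</id>
      <!-- OSS Index requires both a username and a password or API token;
           the token is supplied in the password field -->
      <username>YOUR_OSSINDEX_USERNAME</username>
      <password>YOUR_OSSINDEX_API_TOKEN</password>
    </server>
  </servers>
</settings>

<!-- pom.xml: reference the server id instead of putting credentials in the pom -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <configuration>
    <ossindexServerId>ossindex</ossindexServerId>
  </configuration>
</plugin>
```

Maven can additionally store the password entry encrypted with a master password (see `mvn --encrypt-password`), so the token is not in cleartext on disk either.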

@jeremylong
Owner

Here is the documentation for the API that indicates both a username and password or API token must be used: https://ossindex.sonatype.org/doc/rest

@marcelstoer
Contributor

Thank you! I'll see if I can come up with a PR to extend the docs to that effect. "optional" isn't exactly wrong as you can use the OSS index without explicit authentication. The only benefit of having an account is the higher rate limit AFAIK.

marcelstoer added a commit to marcelstoer/DependencyCheck that referenced this issue Dec 18, 2024