Add ability to use OSS Index APIKey instead of username/password #4533
Comments
I noticed this when checking whether an account for OSS Index solved the NPE in #4513.
You can supply an API token in the password configuration as the documentation describes:
Hmm. I was misled by the code then, since it appears to require both the username and the password to be configured: https://github.com/jeremylong/DependencyCheck/blob/main/core/src/main/java/org/owasp/dependencycheck/data/ossindex/OssindexClientFactory.java#L80-L83
Yesterday we were fiddling around and there is something weird. The first time it worked if you supplied only the API token in the password. Afterwards it only worked if you supplied the user and the token in the password field. (This has been tested two times independently from different machines.) It was probably some kind of caching issue which confused me. (I didn't check the code that time.) I think you are right that the username shouldn't be mandatory.
@jeremylong I noticed inconsistencies in the documentation and maybe the implementation w.r.t. this feature across CLI/Gradle/Maven. Could you please clarify, such that we can create PRs if necessary. Thanks.
CLI
Source: https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html
Gradle
Source: https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration-aggregate.html
Maven
Source: https://jeremylong.github.io/DependencyCheck/dependency-check-maven/configuration.html
In all cases an API token can be used in place of the password. The word "optional" should likely be removed in all cases; if you are providing credentials you must provide both a username and a password or API token. With regard to Maven, allowing the configuration of the username and password makes them cleartext in your pom. When there is an option to use the settings.xml, this is the "safer" choice. That being said, the username/password fields could be added for consistency.
Here is the documentation for the API that indicates both a username and password or API token must be used: https://ossindex.sonatype.org/doc/rest
Thank you! I'll see if I can come up with a PR to extend the docs to that effect. "Optional" isn't exactly wrong, as you can use the OSS Index without explicit authentication. The only benefit of having an account is the higher rate limit, AFAIK.
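The settings.xml approach recommended above, written out as an added example (it is not code from this issue or from the Dependency-Check project). The OSS Index API token is placed in the `password` of a `<server>` entry in settings.xml and filled from an environment variable at build time, so neither the pom nor the settings file contains the secret, and the plugin is pointed at that entry by id. The `ossindexServerId` parameter is assumed to match the dependency-check-maven configuration page linked in the thread; the server id `ossindex`, the environment variable names and the plugin version are placeholders of this example.

```xml
<!-- ~/.m2/settings.xml on the developer machine or the CI runner. Added example, not project code.
     Maven interpolates ${env.*} when it reads settings.xml, so the token is never written to disk.
     Per the maintainer's comment above, supply both the username and the token, or neither. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>ossindex</id>                              <!-- placeholder id; must match the pom below -->
      <username>${env.OSSINDEX_USERNAME}</username>  <!-- OSS Index account name; env var name assumed -->
      <password>${env.OSSINDEX_TOKEN}</password>     <!-- the API token goes here, not the account password -->
    </server>
  </servers>
</settings>

<!-- pom.xml: reference the server entry by id instead of putting credentials in the pom.
     (Separate file; shown in the same block for readability. Version is a placeholder.) -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>...</version>
  <configuration>
    <!-- assumed parameter name; verify against the Maven configuration page linked above -->
    <ossindexServerId>ossindex</ossindexServerId>
  </configuration>
</plugin>
```

In CI, expose `OSSINDEX_USERNAME` and `OSSINDEX_TOKEN` as masked secrets and run the plugin as usual (for example `mvn org.owasp:dependency-check-maven:check`); the token then appears neither in the repository nor on the `mvn` command line, and revoking or rotating it is a single-secret change, which is the point made in the issue about preferring a key over a reusable password.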
When using keys in a continuous build system it is always preferable to use a key as opposed to a username/password, as if the key is compromised, it doesn't lead to the username being leaked, as well as any password re-use that might happen.
Describe the solution you'd like
Add a --ossIndexApiKey that allows the usage of the ApiKey instead of username/password.
Describe alternatives you've considered
We can use username/password.
Additional context
General security guidelines prefer to use a key instead of the username/password.