fix: Disable OSS Index if its credentials are missing

Gustavo De Micheli · Gustavo De Micheli · commit 3d70d796bd7a · 2025-09-23T21:37:08.000+02:00
diff --git a/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java b/core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java
@@ -134,7 +134,8 @@ protected void prepareAnalyzer(Engine engine) throws InitializationException {
       synchronized (FETCH_MUTIX) {
         if (StringUtils.isEmpty(getSettings().getString(KEYS.ANALYZER_OSSINDEX_USER, StringUtils.EMPTY)) ||
             StringUtils.isEmpty(getSettings().getString(KEYS.ANALYZER_OSSINDEX_PASSWORD, StringUtils.EMPTY))) {
-          throw new InitializationException("Error initializing OSS Index analyzer due to missing user/password credentials. Authentication is now required: https://ossindex.sonatype.org/doc/auth-required");
+          LOG.info("Disabling OSS Index analyzer due to missing user/password credentials. Authentication is now required: https://ossindex.sonatype.org/doc/auth-required");
+          setEnabled(false);
         }
       }
     }
diff --git a/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java b/core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
@@ -28,10 +28,7 @@
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
 
-import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.*;
 
 class OssIndexAnalyzerTest extends BaseTest {
 
@@ -252,14 +249,14 @@ void should_analyzeDependency_fail_when_socket_error_from_sonatype() throws Exce
     }
 
     @Test
-    void should_prepareAnalyzer_fail_when_credentials_not_set() throws Exception {
+    void should_prepareAnalyzer_disable_when_credentials_not_set() throws Exception {
         OssIndexAnalyzer analyzer = new OssIndexAnalyzer();
         Settings settings = getSettings();
         Engine engine = new Engine(settings);
         analyzer.initialize(settings);
         try {
             analyzer.prepareAnalyzer(engine);
-            assertThrows(InitializationException.class, () -> analyzer.prepareAnalyzer(engine));
+            assertFalse(analyzer.isEnabled());
         } catch (InitializationException e) {
           analyzer.close();
           engine.close();
diff --git a/src/site/markdown/analyzers/oss-index-analyzer.md b/src/site/markdown/analyzers/oss-index-analyzer.md
@@ -13,4 +13,6 @@ Sonatype [announced](https://ossindex.sonatype.org/doc/auth-required) that OSS I
 
 You can get an API Token following these steps:
 1. [Sign In](https://ossindex.sonatype.org/user/signin) or [Sign Up](https://ossindex.sonatype.org/user/register) for free.
-2. Get the API Token from user Settings.
+2. Get the API Token from user Settings.
+
+If no credentials are provided, this analyzer will be disabled.

Original file line number	Diff line number	Diff line change
`@@ -134,7 +134,8 @@ protected void prepareAnalyzer(Engine engine) throws InitializationException {`
`134`	`134`	`synchronized (FETCH_MUTIX) {`
`135`	`135`	`if (StringUtils.isEmpty(getSettings().getString(KEYS.ANALYZER_OSSINDEX_USER, StringUtils.EMPTY)) \|\|`
`136`	`136`	`StringUtils.isEmpty(getSettings().getString(KEYS.ANALYZER_OSSINDEX_PASSWORD, StringUtils.EMPTY))) {`
`137`		`- throw new InitializationException("Error initializing OSS Index analyzer due to missing user/password credentials. Authentication is now required: https://ossindex.sonatype.org/doc/auth-required");`
	`137`	`+ LOG.info("Disabling OSS Index analyzer due to missing user/password credentials. Authentication is now required: https://ossindex.sonatype.org/doc/auth-required");`
	`138`	`+ setEnabled(false);`
`138`	`139`	`}`
`139`	`140`	`}`
`140`	`141`	`}`