README.md (10 additions & 8 deletions)
@@ -46,17 +46,19 @@ The NVD API has enforced rate limits. If you are using a single API KEY and
46
46
multiple builds occur you could hit the rate limit and receive 403 errors. In
47
47
a CI environment one must use a caching strategy.
48
48
49
-
### Sonatype OSS Index API Token Now Required for usage
49
+
### Sonatype OSS Index mandatory authentication and migration to Sonatype Guide
50
50
51
-
Since September 2025 Sonatype OSS Index started enforcing use of API tokens for authentication. In April 2026 a
52
-
subsequent migration to Sonatype Guide began.
51
+
In September 2025 Sonatype OSS Index started enforcing use of API tokens for authentication. In April 2026 a
52
+
subsequent migration to Sonatype Guide began, kicking off a transition to use of Sonatype Guide API Tokens that are
53
+
planned to replace the legacy OSS Index API keys/tokens before the end of 2026.
53
54
54
-
If you wish to use Sonatype OSS Index you must configure Dependency-Check and consider implications for migration to
55
-
Sonatype Guide. See the [analyzer documentation](https://dependency-check.github.io/DependencyCheck/analyzers/oss-index-analyzer.html)
56
-
for more information.
55
+
Without credentials, Dependency Check will **automatically disable the OSS Index analyzer**. Please see the documentation
56
+
for the CLI, Maven, Gradle, or Ant integrations on how to set the analyzer credentials for use of a Sonatype Guide token
57
+
or legacy OSS Index API key.
57
58
58
-
Without credentials, Dependency Check will **automatically disable the OSS Index analyzer**. Please see the documentation
59
-
for the cli, maven, gradle, or ant integrations on how to set the OSS Index credentials.
59
+
If you wish to use Sonatype OSS Index (via Guide) you must configure Dependency-Check and consider implications for the
60
+
migration to Sonatype Guide; whose commercial/usage model has changed. See the [analyzer documentation](https://dependency-check.github.io/DependencyCheck/analyzers/oss-index-analyzer.html)
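Review bot: the added paragraph "If you wish to use Sonatype OSS Index (via Guide) ... migration to Sonatype Guide; whose commercial/usage model has changed" uses a semicolon where a comma belongs (a semicolon cannot introduce a "whose" clause), and the two added paragraphs spell the project name differently ("Dependency Check will **automatically disable**" versus "you must configure Dependency-Check"); pick one spelling, ideally the hyphenated form used by the rest of the README. The new sentence stating that Sonatype Guide API tokens are "planned to replace the legacy OSS Index API keys/tokens before the end of 2026" would also benefit from a link to the Sonatype announcement it is based on, so readers can check the date when it inevitably moves.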
-[Using Sonatype Guide personal access tokens for OSS Index API](https://help.sonatype.com/en/using-guide-personal-access-tokens-with-oss-index-api-integrations.html)
37
+
38
+
### Managing Sonatype Guide credit usage
39
+
40
+
In contrast to the earlier completely free OSS Index solution, Sonatype Guide gives a limited number of credits on free
41
+
accounts; and effectively charges per component report. You can review your credit usage in your Sonatype Guide account.
42
+
43
+
To reduce your credit usage:
44
+
- consider [cache/restore of Dependency-Check's data directory](../data/cacheh2.md) between runs to retain the OSS Index cache, and reduce API load
45
+
- consider retaining OSS Index cache entries longer by extending the analyzer's `validForHours` configuration setting beyond the 24-hour default
46
+
- extending cache time, will reduce credit usage at the cost of slower notification about potential new vulnerabilities
47
+
- consider reducing frequency of running OSS Index analysis on builds
48
+
- for example, you may want to disable OSS Index analysis on local dev or per-commit/merge CI builds, and enable only for a daily or weekly scheduled build
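Review bot: the hunk drops the "[Using Sonatype Guide personal access tokens for OSS Index API](https://help.sonatype.com/...)" link at its top while the new section tells users to "review your credit usage in your Sonatype Guide account" without pointing them at any token documentation; unless that link is re-added elsewhere in the file, keep it next to the new section. Two smaller points in the added list: "extending cache time, will reduce credit usage" has a stray comma, and both that line and "for example, you may want to disable OSS Index analysis ..." read as sub-points of the bullet above them, so indenting them as nested items would make the list clearer. Finally, please confirm that the relative target `../data/cacheh2.md` resolves from this file's location and that `validForHours` is the exact configuration key exposed by the OSS Index analyzer, since the text quotes it as a literal setting name.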