diff --git a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
index 896c10b8f37..ed643eb8c10 100644
--- a/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -765,13 +765,34 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
 private String ossindexAnalyzerUrl;
 /**
- * The id of a server defined in the settings.xml that configures the
- * credentials (username and password) for a OSS Index service.
+ * The id of a server defined in the settings.xml to authenticate Sonatype
+ * OSS Index requests and profit from higher rate limits. Provide the OSS
+ * account email address as username and password or API token as password.
 */
 @SuppressWarnings("CanBeFinal")
 @Parameter(property = "ossIndexServerId")
 private String ossIndexServerId;
+ /**
+ * OSS account email address as an alternative to the indirection through
+ * the ossIndexServerId (see above). Both ossIndexUsername and
+ * ossIndexPassword must be set to use this approach instead of the server
+ * ID.
+ */
+ @SuppressWarnings("CanBeFinal")
+ @Parameter(property = "ossIndexUsername")
+ private String ossIndexUsername;
+
+ /**
+ * OSS password or API token as an alternative to the indirection through
+ * the ossIndexServerId (see above). Both ossIndexUsername and
+ * ossIndexPassword must be set to use this approach instead of the server
+ * ID.
+ */
+ @SuppressWarnings("CanBeFinal")
+ @Parameter(property = "ossIndexPassword")
+ private String ossIndexPassword;
+
 /**
 * Whether we should only warn about Sonatype OSS Index remote errors
 * instead of failing the goal completely.
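Review bot: The Javadoc on the new `ossIndexUsername` and `ossIndexPassword` fields should state the trade-off that the `configureServerCredentials` Javadoc later in this commit calls out, namely that direct values are the less secure option. A value bound to `property = "ossIndexPassword"` is supplied in the POM or as a `-D` system property on the command line, so it ends up committed to version control or captured in shell history and CI build logs, whereas a `settings.xml` server entry stays outside the project and can hold a Maven-encrypted password. A sentence such as `Prefer ossIndexServerId: a value given here ends up in the POM or in build logs, whereas a settings.xml server entry can hold an encrypted password.` on both new fields would steer users to the safer route. The enclosing class body continues outside the hunk.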
@@ -2427,7 +2448,12 @@ protected void populateSettings() throws MojoFailureException, MojoExecutionExce
 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, swiftPackageResolvedAnalyzerEnabled);
 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_ENABLED, ossindexAnalyzerEnabled);
 settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_URL, ossindexAnalyzerUrl);
- configureServerCredentials(ossIndexServerId, Settings.KEYS.ANALYZER_OSSINDEX_USER, Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD);
+ if (StringUtils.isEmpty(ossIndexUsername) || StringUtils.isEmpty(ossIndexPassword)) {
+ configureServerCredentials(ossIndexServerId, Settings.KEYS.ANALYZER_OSSINDEX_USER, Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD);
+ } else {
+ settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_USER, ossIndexUsername);
+ settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD, ossIndexPassword);
+ }
 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE, ossindexAnalyzerUseCache);
 settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, ossIndexWarnOnlyOnRemoteErrors);
 if (retirejs != null) {
@@ -2517,8 +2543,8 @@ protected void populateSettings() throws MojoFailureException, MojoExecutionExce
 *
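Review bot: The new `if`/`else` inverts the precedence the rest of the mojo documents: when `ossIndexServerId` and both direct values are set, the direct values win and the configured server entry is silently ignored, whereas the `configureServerCredentials` Javadoc in the next hunk states that a serverId is used instead of the less secure direct values. The overload documented there, which takes `serverId` together with `usernameValue`, appears to implement that rule already, so routing the OSS Index credentials through it instead of writing the settings keys directly would keep the behaviour uniform across analyzers; its full parameter list lies outside this hunk, so confirm it before switching. Separately, when exactly one of `ossIndexUsername`/`ossIndexPassword` is set the pair is dropped without any diagnostic and the analyzer runs unauthenticated; a `getLog().warn("ossIndexUsername and ossIndexPassword must both be set; ignoring the partial credentials")` on that path would make the misconfiguration visible without echoing the values. populateSettings continues outside the hunk.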

* When a serverId is given, then its values are used instead of the less secure direct values.
* A serverId with username/password will fill the `userKey` and `passwordKey` settings for Basic Auth. A serverId with only password
- * filled will fill the `tokenKey` fro Bearer Auth.
- * In absence of the serverId any non-null value will be transferred to the settings.
+ * filled will fill the `tokenKey` from Bearer Auth.
+ * In absence of the serverId, any non-null value will be transferred to the settings.
 *
 * @param serverId The serverId specified for the connection or {@code null}
 * @param usernameValue The username specified for the connection or {@code null}
diff --git a/maven/src/site/markdown/configuration.md b/maven/src/site/markdown/configuration.md
index ff6f9abb224..e7907a2f0ef 100644
--- a/maven/src/site/markdown/configuration.md
+++ b/maven/src/site/markdown/configuration.md
@@ -64,6 +64,8 @@ knownExploitedUrl | Sets URL to the CISA Known Exploited Vulne
 ossindexAnalyzerEnabled | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be enabled. This analyzer requires an internet connection. | true
 ossindexAnalyzerUseCache | Sets whether the OSS Index Analyzer will cache results. Cached results expire after 24 hours. | true
 ossIndexServerId | The id of [a server](https://maven.apache.org/settings.html#Servers) defined in the `settings.xml` to authenticate Sonatype OSS Index requests and profit from higher rate limits. Provide the OSS account email address as `username` and password or API token as `password`. |  
+ossIndexUsername | OSS account email address as an alternative to the indirection through the `ossIndexServerId` (see above). Both `ossIndexUsername` and `ossIndexPassword` must be set to use this approach instead of the server ID. |  
+ossIndexPassword | OSS password or API token as an alternative to the indirection through the `ossIndexServerId` (see above). Both `ossIndexUsername` and `ossIndexPassword` must be set to use this approach instead of the server ID. |  
 ossindexAnalyzerUrl | The OSS Index server URL | https://ossindex.sonatype.org
 ossIndexWarnOnlyOnRemoteErrors | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution. | false
 nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true