Stowage/dependency-track
2
0
Fork 0
mirror of https://github.com/DependencyTrack/dependency-track.git synced 2025-10-19 16:03:19 +00:00
Code Issues Projects Releases Packages Wiki Activity

Update OSS Index documentation with instructions to authenticate

Browse source 
Signed-off-by: Federico Ramayo <framayo@morean.co>
This commit is contained in:
Federico Ramayo 2025-09-08 15:53:36 -03:00
parent 11492abe44
commit ea87d049b6
2 changed files with 21 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

7
docs/_docs/FAQ.md
View file

@ -19,10 +19,12 @@ This topic is heavily explained in the [Dependency Check Comparison](./../odt-od
#### I expect to see vulnerable components but I don't #### I expect to see vulnerable components but I don't
Most common reason: You have yet to enable the [Sonatype OSS Index Analyzer](./../datasources/ossindex/). It is not Most common reason: You have yet to enable the [Sonatype OSS Index Analyzer]. It is not
enabled by default but is necessary to scan dependencies represented by enabled by default but is necessary to scan dependencies represented by
[Package URLs](./../terminology/#package-url-purl). [Package URLs](./../terminology/#package-url-purl).
Authentication through API Token will be required. Follow [Sonatype OSS Index Analyzer] `Authentication` instructions.
#### I have just enabled OSS Index Analyzer but still don't see results #### I have just enabled OSS Index Analyzer but still don't see results
The analyzers run asynchronously. After you enable an analyzer it is not immediately run. The analyzers run asynchronously. After you enable an analyzer it is not immediately run.
@ -122,4 +124,5 @@ Policy condition values are treated as regular expressions.
3. Policy condition values support wildcards, so an `*` means that any text is allowed, including missing text. 3. Policy condition values support wildcards, so an `*` means that any text is allowed, including missing text.
For example, `^vendor/*$` would match `vendor/lib-1`, `vendor/app`, or even only `vendor/`. For example, `^vendor/*$` would match `vendor/lib-1`, `vendor/app`, or even only `vendor/`.
[defect report]: https://github.com/DependencyTrack/dependency-track/issues/new?assignees=&labels=defect%2Cin+triage&template=defect-report.yml [defect report]: https://github.com/DependencyTrack/dependency-track/issues/new?assignees=&labels=defect%2Cin+triage&template=defect-report.yml
[Sonatype OSS Index Analyzer]: (./../datasources/ossindex/)

26
docs/_docs/datasources/ossindex.md
View file

@ -13,27 +13,31 @@ not exist.
Dependency-Track integrates with OSS Index using its [public API]. Dependency-Track does not mirror OSS Index entirely, Dependency-Track integrates with OSS Index using its [public API]. Dependency-Track does not mirror OSS Index entirely,
but it does consume vulnerabilities on a 'as-identified' basis. but it does consume vulnerabilities on a 'as-identified' basis.
The OSS Index integration is enabled by default and does not require an account for its basic functionality. The OSS Index integration is enabled by default.
#### Important Update (Sep 2025)
> Unauthenticated usage of OSS Index will be no longer supported.
An API Token will be required.
### Authentication ### Authentication
Unauthenticated usage of OSS Index is subject to stricter rate limiting and does not grant access to 1. [Sign In] or [Sign Up] for free.
Sonatype's proprietary vulnerability intelligence data. When rate limiting becomes an issue, or access 2. Get the API Token from your [Settings](https://ossindex.sonatype.org/user/settings).
to the proprietary data is desired, [register](https://ossindex.sonatype.org/user/register) a free account 3. Configure the API Token in Dependency-Track's administration panel.
and configure the API credentials in Dependency-Track's administration panel.
![OSS Index Configuration]({{ site.baseurl }}/images/screenshots/ossindex-configuration.png) ![OSS Index Configuration](../../images/screenshots/ossindex-configuration.png)
Vulnerabilities from the proprietary dataset have their IDs prefixed with `sonatpye-`, and their source labeled as `OSSINDEX`. Vulnerabilities from the proprietary dataset have their IDs prefixed with `sonatype-`, and their source labeled as `OSSINDEX`.
![OSS Index Findings]({{ site.baseurl }}/images/screenshots/ossindex-findings.png) ![OSS Index Findings](../../images/screenshots/ossindex-findings.png)
### May 2022 Update ### May 2022 Update
Previously, authentication was only required for an extended rate limiting budget. Up to this point, vulnerabilities in Previously, authentication was only required for an extended rate limiting budget. Up to this point, vulnerabilities in
the OSS Index dataset that did not map to CVEs were identified by random UUIDs (e.g. `ae0cc4d7-fafe-4970-87e3-f8956039645a`). the OSS Index dataset that did not map to CVEs were identified by random UUIDs (e.g. `ae0cc4d7-fafe-4970-87e3-f8956039645a`).
In May 2022, Sonatype [announced](https://ossindex.sonatype.org/updates-notice) major changes to OSS Index. In May 2022, Sonatype announced major changes to OSS Index.
Beside improvements in data quality and update frequencies, vulnerability IDs changed from random UUIDs to Beside improvements in data quality and update frequencies, vulnerability IDs changed from random UUIDs to
a more CVE-like structure (e.g. `sonatype-2022-4402`). a more CVE-like structure (e.g. `sonatype-2022-4402`).
@ -41,4 +45,6 @@ Dependency-Track users who had OSS Index enabled before May 2022 may still have
naming scheme in their portfolio. naming scheme in their portfolio.
[Sonatype OSS Index]: https://ossindex.sonatype.org/ [Sonatype OSS Index]: https://ossindex.sonatype.org/
[public API]: https://ossindex.sonatype.org/doc/rest [public API]: https://ossindex.sonatype.org/doc/rest
[Sign In]: https://ossindex.sonatype.org/user/signin
[Sign Up]: https://ossindex.sonatype.org/user/register