I had checked before and thought that dependency-check had the ability to override the url. Maybe I missed that, and if so, we can submit a pull request.

However the plan for the interim is just to preserve the existing url until such time as everyone is sufficiently moved to the new url. Some tools like Dependency Track 4, didn't have a way to override it either (being fixed in 4.14)

Hi @mr-andres-carvajal 👋

And for anyone who may read this. After a quick search it seems the CLI permits to change the url with the --ossIndexUrl parameter but other application do not allow such a configuration.

Also all applications must switch to the new default. This is going to be worked on in #8336

To plan for the migration, here is a status of identified actions already done and what I propose to perform:

• MUST - documenting current parameters - done in docs: ensure OSS Index URL override is consistently documented #8338 (kudos to @chadlwilson)
• MUST - perform tests to confirm we can migrate with the current version and document the switch taking into account the coming Sonatype documentation - (@nhumblot as per Migrate from Sonatype OSS Index to Sonatype Guide API #8336)
• MUST - change OssIndex default URL - target 13.0.0? the tests will tell but it looks API keys must be different so it would be a breaking change for the users - (@nhumblot to create the issue once the tests are performed)
• SHOULD - fix cases in the arguments - target 12.2.1 (@jeremylong as per fix: improve configuration consistency (casing) #8355)
• SHOULD - migrate from the compatibility endpoints to the new ones - target >= 13.0.0 (technically can be in 13.0.0 but it would probably preferable to have it later to slice the size of the increments)
• COULD - drop arguments with wrong cases fixed in fix: improve configuration consistency (casing) #8355 - target 13.0.0?

Just to confirm that at THIS PRECISE MOMENT (while Sonatype Guide folks are moving their systems from the legacy platform to new platform, to be finalised by April 28, 2026 as they say), the API key generated with the OLD platform (OSS Index API) combined with the NEW location for Sonatype Guide API seems to work well with the plugin v12.2.0:

[INFO] --- dependency-check:12.2.0:check (default-cli) @ my-common ---
[INFO] Checking for updates
[INFO] NVD API has 1,277 records in this update
[INFO] Downloaded 1,277/1,277 (100%)
[INFO] Completed processing batch 1/1 (100%) in 810ms
[INFO] Skipping Known Exploited Vulnerabilities update check since last check was within 24 hours.
[INFO] Begin database defrag
[INFO] End database defrag (7226 ms)
[INFO] Check for updates complete (19453 ms)
[INFO]
Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

   About ODC: https://dependency-check.github.io/DependencyCheck/general/internals.html
   False Positives: https://dependency-check.github.io/DependencyCheck/general/suppression.html

[INFO] Analysis Started
[INFO] Finished Archive Analyzer (0 seconds)
[INFO] Finished File Name Analyzer (0 seconds)

HYPOTHESIS: Breaking change on Apr 29 2026: ossindex.sonatype.org now returns 402 without sending 401 challenge first, breaking Maven plugin authentication

Following the OSS Index → Sonatype Guide cutover, ossindex.sonatype.org changed its behavior on April 29, 2026 (confirmed working at 15:24 CET, broken shortly after). The endpoint now returns 402 Payment Required directly for unauthenticated requests, instead of the previous 401 Unauthorized + WWW-Authenticate challenge. This breaks the Maven plugin completely, even when valid credentials are supplied via -DossIndexUsername / -DossIndexPassword, because ODCConnectionTransport uses Apache HttpClient's reactive authentication (challenge-response) rather than preemptive Basic Auth.

Environment

• dependency-check-maven: 12.2.1
• Java: 21.0.10 Ubuntu
• CI: Jenkins, credentials passed via -DossIndexUsername / -DossIndexPassword command-line parameters
• Endpoint: https://ossindex.sonatype.org/api/v3/component-report (default, no -DossIndexAnalyzerUrl override)
• Token type: legacy OSS Index API token

Timeline

• Apr 29, 2026 15:24 CET: Build succeeds, OSS Index returns 200
• Apr 29, 2026 16:22 CET: Build fails with 402 on every request

Same plugin version, same credentials, same Jenkins agent, same command — only the server-side behavior changed.

Root cause analysis

The debug log confirms credentials are read correctly by the plugin:

[DEBUG] Setting: analyzer.ossindex.user=****
[DEBUG] Setting: analyzer.ossindex.password='********'
[DEBUG] Base URL: https://ossindex.sonatype.org/
[DEBUG] Requesting 109 un-cached component-reports
→ 402 Payment Required

Notice there is no [DEBUG] Adding user/pw ... as basic authorization line before the request is sent, which was present in older working versions.
Apache HttpClient does not send Authorization headers preemptively by default. It waits for a 401 challenge from the server. The server previously responded with 401 Unauthorized, which triggered the retry with credentials. After the Apr 29 cutover, the server responds with 402 Payment Required directly for requests without an Authorization header — the challenge-response cycle never starts, and credentials are never sent.

Verification: the same legacy token works correctly with curl (which sends Basic Auth preemptively with -u):

curl -u "[email protected]:LEGACY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"coordinates":["pkg:maven/org.apache.commons/[email protected]"]}' \
  https://ossindex.sonatype.org/api/v3/component-report
# → 200 OK

The Guide PAT also works via curl with Bearer Auth:

curl -H "Authorization: Bearer GUIDE_PAT" \
  -H "Content-Type: application/json" \
  -d '{"coordinates":["pkg:maven/org.apache.commons/[email protected]"]}' \
  https://api.guide.sonatype.com/api/v3/component-report
# → 200 OK

Proposed fix

ODCConnectionTransport should be updated to send the Authorization: Basic header preemptively on the first request, rather than waiting for a 401 challenge. This is a one-line change using Apache HttpClient 5's AuthCache / BasicScheme mechanism.
Alternatively (and more future-proof), adding support for Authorization: Bearer <Guide PAT> would allow users to migrate to the new token type, which would also resolve the authentication issue on api.guide.sonatype.com.