docs: Fix OSS Index Maven config documentation #7322

Merged
jeremylong merged 1 commit into dependency-check:main from marcelstoer:fix/oss-index-maven-doc
Jan 17, 2025

@marcelstoer marcelstoer (Collaborator) commented Jan 16, 2025

❯ grep -ir "property = \"ossindex" *
maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java:    @Parameter(property = "ossindexAnalyzerEnabled")
maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java:    @Parameter(property = "ossindexAnalyzerUseCache")
maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java:    @Parameter(property = "ossindexAnalyzerUrl")
maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java:    @Parameter(property = "ossIndexServerId")
maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java:    @Parameter(property = "ossIndexWarnOnlyOnRemoteErrors")

There are exactly two properties where "OSS Index" is correctly camel-cased. Yet, one of them was incorrect in the documentation.

I suggest you consider renaming the other three properties and their documentation with the next major version as fixing this is a breaking change.

Background story

I wanted to use a registered OSS account as we hit their rate limit today. At some point during the testing phase we were freed from the rate limit but I didn't know whether that was because I had configured user/pw in the settings.xml or whether time solved it for us. I ran Maven in debug mode to see whether the ODC output would give me any hints whether it used the configured OSS server credentials or not. I didn't find anything. I then started mitmproxy and inspected the requests against OSS - only to find that they didn't have an Authorization header. That's when I started digging why my -DossindexServerId= was ignored.

Is there a simpler method available to verify that remote server credentials are applied?
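
A pre-flight check for the mistake described in this post, as an added example that is not part of the original PR or of the dependency-check project: it reads the `@Parameter(property = ...)` names from the grep output and flags any `-D` argument that differs from a declared name only by letter case. The function names, the shortened paths and the sample command line are assumptions made for the illustration.

```python
import re

# Copied from the grep output in the post above (paths shortened).
GREP_OUTPUT = '''\
BaseDependencyCheckMojo.java:    @Parameter(property = "ossindexAnalyzerEnabled")
BaseDependencyCheckMojo.java:    @Parameter(property = "ossindexAnalyzerUseCache")
BaseDependencyCheckMojo.java:    @Parameter(property = "ossindexAnalyzerUrl")
BaseDependencyCheckMojo.java:    @Parameter(property = "ossIndexServerId")
BaseDependencyCheckMojo.java:    @Parameter(property = "ossIndexWarnOnlyOnRemoteErrors")
'''

PROPERTY_RE = re.compile(r'@Parameter\([^)]*\bproperty\s*=\s*"([^"]+)"')
DEFINE_RE = re.compile(r'^-D([^=]+)(?:=.*)?$')


def declared_properties(source_text):
    """Return the property names declared via @Parameter(property = "...")."""
    return PROPERTY_RE.findall(source_text)


def miscased_defines(argv, declared):
    """Find -Dname[=value] arguments whose name differs from a declared
    property only by letter case. Property names are case-sensitive, so
    such an argument is ignored, as -DossindexServerId was in the post."""
    by_lower = {name.lower(): name for name in declared}
    findings = []
    for arg in argv:
        match = DEFINE_RE.match(arg)
        if not match:
            continue
        given = match.group(1)
        expected = by_lower.get(given.lower())
        if expected is not None and expected != given:
            findings.append((given, expected))
    return findings


if __name__ == "__main__":
    # Constructed command line; "my-oss-server" is a placeholder server id.
    argv = ["mvn", "dependency-check:check",
            "-DossindexServerId=my-oss-server", "-DossindexAnalyzerEnabled=true"]
    for given, expected in miscased_defines(argv, declared_properties(GREP_OUTPUT)):
        print(f"-D{given} is not a declared property; did you mean -D{expected}?")
```

Run against a build script's Maven arguments, this reports the misspelled flag before the scan runs without credentials.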

@boring-cyborg boring-cyborg Bot added the documentation (site documentation) and maven (changes to the maven plugin) labels Jan 16, 2025
@marcelstoer marcelstoer changed the title Fix OSS Index Maven config documentation docs: Fix OSS Index Maven config documentation Jan 16, 2025
@jeremylong jeremylong (Collaborator) left a comment

LGTM

@jeremylong (Collaborator)

We likely need to add some logging indicating that credentials are being used for a particular connection.

@jeremylong jeremylong merged commit eb6be01 into dependency-check:main Jan 17, 2025
@jeremylong jeremylong added this to the 12.0.1 milestone Jan 17, 2025
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Feb 17, 2025
@marcelstoer marcelstoer deleted the fix/oss-index-maven-doc branch June 26, 2025 20:14