fix: migrate default OSS Index API URL to Sonatype Guide; supporting optional username #8404
935e78c to 0feb7a4
…compatibility API Signed-off-by: Chad Wilson <[email protected]>
608596d to 37e0345
Pull request overview
This PR updates Dependency-Check’s OSS Index integration to align with Sonatype’s migration to Sonatype Guide by switching the default API base URL, making the OSS Index username optional when using Guide PATs, and updating related documentation/templates/tests to reflect the new auth/migration guidance.
Changes:
- Updated the default OSS Index API base URL to Sonatype Guide (https://api.guide.sonatype.com) and refreshed documentation links throughout the site/docs/templates.
- Updated OSS Index credential handling to support Guide PAT usage with optional username and added/adjusted warnings around legacy tokens and migration.
- Expanded/updated unit tests around OSS Index analyzer error handling and credential enable/disable behavior.
Reviewed changes
Copilot reviewed 25 out of 25 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/site/markdown/related.md | Updates “related work” link from OSS Index to Sonatype Guide OSS Index page. |
| src/site/markdown/dependency-check-gradle/configuration.md | Documents new OSS Index base URL default and PAT-centric auth guidance for Gradle. |
| src/site/markdown/dependency-check-gradle/configuration-update.md | Minor doc table formatting update (NVD validForHours row). |
| src/site/markdown/dependency-check-gradle/configuration-aggregate.md | Mirrors Gradle config doc updates for aggregate task. |
| src/site/markdown/data/ossindex.md | Updates OSS Index documentation references to Sonatype Guide. |
| src/site/markdown/data/index.md | Updates external host list and OSS Index section links to Sonatype Guide. |
| src/site/markdown/analyzers/oss-index-analyzer.md | Adds migration guidance and clarifies mandatory authentication. |
| src/site/markdown/analyzers/index.md | Refreshes OSS Index analyzer row to Guide + auth-mandatory wording and reformats tables. |
| README.md | Updates OSS Index auth/migration messaging at the top-level README. |
| maven/src/site/markdown/configuration.md | Updates Maven plugin configuration docs for Guide URL + PAT/legacy token guidance. |
| maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java | Updates Maven plugin credential population to allow password-only (PAT) credentials via serverId and fixes a javadoc typo. |
| core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java | Refactors and expands OSS Index analyzer tests for Guide URL/reference and updated error messages. |
| core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyCheckPropertiesTest.java | Broadens “test analyzer” detection to exclude test/nested test analyzers more generally. |
| core/src/main/resources/templates/sarifReport.vsl | Updates OSS Index metadata link to Sonatype Guide page. |
| core/src/main/resources/templates/jsonReport.vsl | Updates OSS Index metadata link to Sonatype Guide page. |
| core/src/main/resources/templates/jenkinsReport.vsl | Updates OSS Index attribution link to Sonatype Guide page. |
| core/src/main/resources/templates/htmlReport.vsl | Updates OSS Index attribution link to Sonatype Guide page. |
| core/src/main/resources/dependencycheck.properties | Changes default OSS Index URL to https://api.guide.sonatype.com. |
| core/src/main/java/org/owasp/dependencycheck/data/ossindex/OssindexClientFactory.java | Sets a Guide default base URL and centralizes cache TTL constant. |
| core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java | Adjusts credential requirements (username optional for PATs), updates warnings/messages, and updates remote error messaging. |
| cli/src/site/markdown/arguments.md | Updates CLI argument descriptions/defaults for Guide base URL and PAT auth semantics. |
| cli/src/main/java/org/owasp/dependencycheck/CliParser.java | Updates CLI help text to reflect Guide base URL and deprecated username usage. |
| CHANGELOG.md | Updates historical changelog lines (removes outdated auth-required URL; updates Package URL link). |
| ant/src/site/markdown/configuration.md | Updates Ant configuration docs for Guide URL and PAT/legacy token behavior. |
| ant/src/site/markdown/config-update.md | Minor doc table formatting update (NVD validForHours row). |
Signed-off-by: Chad Wilson <[email protected]>
Suspect these will break soon based on the documentation from Sonatype. Signed-off-by: Chad Wilson <[email protected]>
Signed-off-by: Chad Wilson <[email protected]>
d2ccaa8 to 43a59b3
Pull request overview
Copilot reviewed 25 out of 25 changed files in this pull request and generated 3 comments.
Will cut another release very soon.
Yup, no worries. Good to have a few days to fix any regressions from 12.2.1 (if any).
Have test cases been added to cover the new functionality?
yes
Also tested