
feat: improve Sonatype Guide / OSS Index cache handling and insufficient credits error reporting#8451

Merged
jeremylong merged 6 commits into dependency-check:main from chadlwilson:improve-ossindex-error-handling on Apr 29, 2026

Conversation


@chadlwilson chadlwilson commented Apr 26, 2026

Description of Change

As floated vaguely at #8450, this makes a few improvements to the OSS Index Analyzer to better support the new Sonatype Guide compatibility API

  • allows configuration of the cache validity time (default 24 hours) to support checking OSS index less frequently and thus consume fewer credits
  • makes the 402 Payment Required response specifically handled with a dedicated error message
  • only retries "non-fatal" errors, loosely defined.
    • OSS Index queries are batched internally. Previously, all errors on batch queries from OSS Index were retried 'n' times, where 'n' is the number of components you have.
    • This is rather wasteful/slow, especially if using the opt-in delay between requests.
    • This change properly classifies errors as "fatal" vs "non-fatal" and only retries non-fatal ones. Errors are assumed to be non-fatal by default; currently with my proposed impl authentication/authorization/payment-required errors are considered "fatal". We can tweak this as required

Smaller tweaks

  • improves the testing of both configuration and analysis. Lots of untested functionality existed there.
  • de-duplicates PURLs before submitting; so the logged contents/sizes are more reflective of what will be sent; aiding debugging

Related issues

Have test cases been added to cover the new functionality?

yes

…indexClient

The client already de-duplicates these via their equality before constructing a batch; but doing so here
makes the logged values consistent with what is actually submitted (assuming empty/disabled cache) which
makes debugging easier.

Signed-off-by: Chad Wilson <[email protected]>
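The fatal vs non-fatal retry policy, the dedicated 402 message and the PURL de-duplication described in the PR description, as an added illustration. This is not code from this PR or from dependency-check itself: the class and method names (BatchRetryExample, OssIndexQueryException, submitAll, the simulated transport lambdas) are hypothetical, the sample PURLs are constructed, and treating 401/402/403 as fatal mirrors the classification the description proposes rather than any published API.

```java
import java.time.Duration;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.function.Function;

/**
 * Added example (not dependency-check code): retry only non-fatal batch failures,
 * stop immediately on credential/credit errors, and de-duplicate PURLs before batching.
 */
public class BatchRetryExample {

    /** Hypothetical exception carrying the HTTP status of a failed batch request. */
    static final class OssIndexQueryException extends RuntimeException {
        final int status;
        OssIndexQueryException(int status, String message) { super(message); this.status = status; }
    }

    /** True for errors that no retry can fix: bad credentials (401/403) or no credits (402). */
    static boolean isFatal(OssIndexQueryException e) {
        switch (e.status) {
            case 401: case 402: case 403:
                return true;
            default:
                return false;
        }
    }

    /** Dedicated wording for 402; the exact text is an assumption, not the project's message. */
    static String describe(OssIndexQueryException e) {
        if (e.status == 402) {
            return "OSS Index / Sonatype Guide returned 402 Payment Required: the account has insufficient credits. "
                 + "Raise the cache validity to query less often, or add credits; the request was not retried.";
        }
        return "OSS Index request failed with HTTP " + e.status + ": " + e.getMessage();
    }

    /** Splits de-duplicated PURLs (first occurrence wins, order kept) into batches of at most batchSize. */
    static List<List<String>> batches(List<String> purls, int batchSize) {
        List<String> unique = new ArrayList<>(new LinkedHashSet<>(purls));
        List<List<String>> out = new ArrayList<>();
        for (int i = 0; i < unique.size(); i += batchSize) {
            out.add(unique.subList(i, Math.min(i + batchSize, unique.size())));
        }
        return out;
    }

    /**
     * Submits each batch through {@code send}, retrying only non-fatal failures up to maxAttempts
     * per batch with an opt-in delay. A fatal failure aborts the whole run at once instead of being
     * retried once per remaining batch. Returns the number of components reported on.
     */
    static int submitAll(List<String> purls, int batchSize, int maxAttempts, Duration delay,
                         Function<List<String>, Integer> send) throws InterruptedException {
        int reports = 0;
        for (List<String> batch : batches(purls, batchSize)) {
            int attempt = 0;
            while (true) {
                attempt++;
                try {
                    reports += send.apply(batch);
                    break;
                } catch (OssIndexQueryException e) {
                    if (isFatal(e)) {
                        throw new IllegalStateException(describe(e), e); // caller should disable the analyzer
                    }
                    if (attempt >= maxAttempts) {
                        throw new IllegalStateException("giving up after " + attempt + " attempts: " + describe(e), e);
                    }
                    Thread.sleep(delay.toMillis());
                }
            }
        }
        return reports;
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed sample input; the duplicate commons-text PURL is dropped before batching.
        List<String> purls = List.of(
            "pkg:maven/org.apache.commons/commons-text@1.9",
            "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2",
            "pkg:maven/org.apache.commons/commons-text@1.9",
            "pkg:npm/lodash@4.17.21");

        // Simulated transport: the first call fails transiently (503), later calls succeed.
        int[] calls = {0};
        Function<List<String>, Integer> flaky = batch -> {
            if (calls[0]++ == 0) throw new OssIndexQueryException(503, "Service Unavailable");
            return batch.size();
        };
        int reported = submitAll(purls, 2, 3, Duration.ofMillis(10), flaky);
        System.out.println("components reported: " + reported + " (transport calls: " + calls[0] + ")");

        // A 402 is fatal: it surfaces once with the dedicated message and is never retried.
        try {
            submitAll(purls, 2, 3, Duration.ZERO, b -> { throw new OssIndexQueryException(402, "Payment Required"); });
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

With four PURLs containing one duplicate and a batch size of two, the run makes three transport calls (one transient failure plus two successful batches) and reports on three components; the 402 path throws after a single call regardless of how many batches remain.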
@chadlwilson chadlwilson requested a review from Copilot April 26, 2026 17:54
@boring-cyborg boring-cyborg Bot added labels ant (changes to ant), cli (changes to the cli), core (changes to core), documentation (site documentation), maven (changes to the maven plugin), tests (test cases), utils (changes to utils) Apr 26, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR updates the Sonatype OSS Index analyzer integration to better align with the Sonatype Guide compatibility API by improving cache configurability, error handling/reporting, and related test coverage.

Changes:

  • Add a configurable OSS Index cache validity window (default 24h) across CLI/Maven/Ant (and documented for Gradle).
  • Improve OSS Index error classification/messaging (including explicit handling for HTTP 402) and reduce wasteful retries for fatal errors.
  • Add/refactor tests and test helpers around OSS Index client creation/config and analyzer error behaviors; deduplicate PURLs prior to submission.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 3 comments.

Summary per file:

utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java - Adds new settings key for OSS Index cache validity duration.
src/site/markdown/dependency-check-gradle/configuration.md - Documents new Gradle validForHours setting for OSS Index caching.
src/site/markdown/dependency-check-gradle/configuration-aggregate.md - Documents new Gradle validForHours setting for aggregate configuration.
maven/src/site/markdown/configuration.md - Documents new Maven cache validity setting separate from cache enablement.
maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java - Wires new Maven parameter into core settings.
maven/src/it/2494-managed-reactor-dependencies/pom.xml - Updates IT config to use the non-deprecated OSS Index enable property name.
core/src/test/resources/dependencycheck.properties - Adjusts test config commentary around disabling OSS Index analyzer.
core/src/test/java/org/owasp/dependencycheck/data/ossindex/OssIndexHelper.java - Adds reusable OSS Index test helpers and static mocking utilities.
core/src/test/java/org/owasp/dependencycheck/data/ossindex/OssIndexClientProviderTest.java - Adds test coverage for default/custom cache config and transport setup.
core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java - Refactors/expands analyzer tests for error handling, retries, and enrichment behavior.
core/src/main/java/org/owasp/dependencycheck/data/ossindex/OssIndexClientProvider.java - Renames/refactors OSS Index client creation and adds configurable cache expiry.
core/src/main/java/org/owasp/dependencycheck/data/ossindex/ODCConnectionTransport.java - Adds package-private access to user agent for testing.
core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java - Implements improved batching/dedup, error classification, and retry/disable behavior.
cli/src/site/markdown/arguments.md - Documents new CLI argument for OSS Index cache validity window.
cli/src/main/resources/completion-for-dependency-check.sh - Adds new CLI option completions for OSS Index cache validity and related args.
cli/src/main/java/org/owasp/dependencycheck/CliParser.java - Adds CLI option and argument constant for OSS Index cache validity.
cli/src/main/java/org/owasp/dependencycheck/App.java - Maps new CLI option into settings (ANALYZER_OSSINDEX_CACHE_VALID_FOR_HOURS).
ant/src/test/resources/build.xml - Updates Ant test build configs to use non-deprecated OSS Index attribute naming.
ant/src/site/markdown/configuration.md - Documents new Ant cache validity setting.
ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java - Adds Ant task support for cache validity and aligns naming with non-deprecated attributes.


@chadlwilson chadlwilson changed the title feat: improve Sonatype Guide / OSS Index cache handling and error reporting feat: improve Sonatype Guide / OSS Index cache handling and insufficient credits error reporting Apr 27, 2026
Collaborator

@marcelstoer marcelstoer left a comment


LGTM

@jeremylong jeremylong added this to the 12.2.2 milestone Apr 29, 2026
@jeremylong jeremylong merged commit 9acbb33 into dependency-check:main Apr 29, 2026
20 of 21 checks passed
@chadlwilson chadlwilson deleted the improve-ossindex-error-handling branch April 29, 2026 12:49
@chadlwilson
Collaborator Author

Thanks for taking a look!

The matching Gradle plugin PR is at dependency-check/dependency-check-gradle#507 and is now passing.



4 participants