fix: 7093 add username/password properties to be able to authenticate for central.content.url and analyzer.central.url again (#7169)

drijkersbq · web-flow · commit 20e344c91791 · 2024-12-02T08:33:19.000-05:00
diff --git a/cli/src/main/java/org/owasp/dependencycheck/App.java b/cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -604,6 +604,10 @@ protected void populateSettings(CliParser cli) throws InvalidSettingException {
                 cli.hasOption(CliParser.ARGUMENT.ENABLE_NEXUS));
         settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_URL,
                 cli.getStringArgument(CliParser.ARGUMENT.CENTRAL_URL));
+        settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_USER,
+                cli.getStringArgument(CliParser.ARGUMENT.CENTRAL_USERNAME));
+        settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_PASSWORD,
+                cli.getStringArgument(CliParser.ARGUMENT.CENTRAL_PASSWORD));
         settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_URL,
                 cli.getStringArgument(CliParser.ARGUMENT.OSSINDEX_URL));
         settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_USER,
diff --git a/cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -1360,6 +1360,14 @@ public static class ARGUMENT {
          * The alternative URL for Maven Central Search.
          */
         public static final String CENTRAL_URL = "centralUrl";
+        /**
+         * The username for the alternative Maven Central Search.
+         */
+        public static final String CENTRAL_USERNAME = "centralUsername";
+        /**
+         * The password for the alternative Maven Central Search.
+         */
+        public static final String CENTRAL_PASSWORD = "centralPassword";
         /**
          * Disables the Nexus Analyzer.
          */
diff --git a/cli/src/site/markdown/arguments.md b/cli/src/site/markdown/arguments.md
@@ -86,6 +86,8 @@ Advanced Options
 |       | \-\-disableCentral                    |                 | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Artifactory or Nexus Analyzer. | &nbsp; |
 |       | \-\-disableCentralCache               |                 | When the argument is present the Central Analyzer will not cache results locally. By default results are cached locally for 30 days.                                                                                                                                                                                               | &nbsp;        |
 |       | \-\-centralUrl                        |                 | Alternative URL for Maven Central Search. If not set the public Sonatype Maven Central will be used.                                                                                                                                                                                                                               | https://search.maven.org/solrsearch/select |
+|       | \-\-centralUsername                   |                 | The username to authenticate to the alternative Maven Central url set by the 'centralUrl' argument. If not set it will use an unauthenticated connection.                                                                                                                                                                          | &nbsp;        |
+|       | \-\-centralPassword                   |                 | The password to authenticate to the alternative Maven Central url set by the 'centralUrl' argument. If not set it will use an unauthenticated connection.                                                                                                                                                                          | &nbsp;        |
 |       | \-\-enableNexus                       |                 | Sets whether the Nexus Analyzer will be used (requires Nexus v2 or Pro v3). You can configure the Nexus URL to utilize an internally hosted Nexus server.                                                                                                                                                                          | &nbsp;        |
 |       | \-\-enableArtifactory                 |                 | Sets whether Artifactory analyzer will be used                                                                                                                                                                                                                                                                                     | &nbsp;        |
 |       | \-\-artifactoryUrl                    | \<url\>         | The Artifactory server URL.                                                                                                                                                                                                                                                                                                        | &nbsp;        |
diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java b/utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
@@ -175,6 +175,8 @@ public void configure(Settings settings) throws InvalidSettingException {
         tryAddHostedSuppressionCredentials(settings, credentialsProvider);
         tryAddKEVCredentials(settings, credentialsProvider);
         tryAddNexusAnalyzerCredentials(settings, credentialsProvider);
+        tryAddCentralAnalyzerCredentials(settings, credentialsProvider);
+        tryAddCentralContentCredentials(settings, credentialsProvider);
         tryAddNVDApiDatafeed(settings, credentialsProvider);
         httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
         httpClientBuilderExplicitNoproxy.setDefaultCredentialsProvider(credentialsProvider);
@@ -220,6 +222,26 @@ private void tryAddNexusAnalyzerCredentials(Settings settings, CredentialsStore
         }
     }
 
+    private void tryAddCentralAnalyzerCredentials(Settings settings, CredentialsStore credentialsStore) throws InvalidSettingException {
+        if (settings.getString(Settings.KEYS.ANALYZER_CENTRAL_PASSWORD) != null) {
+            addUserPasswordCreds(settings, credentialsStore,
+                    Settings.KEYS.ANALYZER_CENTRAL_USER,
+                    Settings.KEYS.ANALYZER_CENTRAL_URL,
+                    Settings.KEYS.ANALYZER_CENTRAL_PASSWORD,
+                    "Central Analyzer");
+        }
+    }
+
+    private void tryAddCentralContentCredentials(Settings settings, CredentialsStore credentialsStore) throws InvalidSettingException {
+        if (settings.getString(Settings.KEYS.CENTRAL_CONTENT_PASSWORD) != null) {
+            addUserPasswordCreds(settings, credentialsStore,
+                    Settings.KEYS.CENTRAL_CONTENT_USER,
+                    Settings.KEYS.CENTRAL_CONTENT_URL,
+                    Settings.KEYS.CENTRAL_CONTENT_PASSWORD,
+                    "Central Content");
+        }
+    }
+
     private void tryAddNVDApiDatafeed(Settings settings, CredentialsStore credentialsStore) throws InvalidSettingException {
         if (settings.getString(Settings.KEYS.NVD_API_DATAFEED_PASSWORD) != null) {
             addUserPasswordCreds(settings, credentialsStore,
diff --git a/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -620,6 +620,14 @@ public static final class KEYS {
          * Key for the URL to obtain content from Maven Central.
          */
         public static final String CENTRAL_CONTENT_URL = "central.content.url";
+        /**
+         * Key for the Username to obtain content from Maven Central.
+         */
+        public static final String CENTRAL_CONTENT_USER = "central.content.username";
+        /**
+         * Key for the Password to obtain content from Maven Central.
+         */
+        public static final String CENTRAL_CONTENT_PASSWORD = "central.content.password";
         /**
          * The properties key for whether the Central analyzer should use
          * parallel processing.
@@ -656,6 +664,14 @@ public static final class KEYS {
          * The properties key for the Central search URL.
          */
         public static final String ANALYZER_CENTRAL_URL = "analyzer.central.url";
+        /**
+         * The properties key for the Central search username.
+         */
+        public static final String ANALYZER_CENTRAL_USER = "analyzer.central.username";
+        /**
+         * The properties key for the Central search password.
+         */
+        public static final String ANALYZER_CENTRAL_PASSWORD = "analyzer.central.password";
         /**
          * The properties key for the Central search query.
          */
