
ossindex-public's Introduction

Sonatype OSS Index - Public


Provides API and clients for Sonatype OSS Index.

See Javadocs for API and client reference.

Using the client

To add a dependency on the OSS Index client, use the following:

<dependency>
  <groupId>org.sonatype.ossindex</groupId>
  <artifactId>ossindex-service-client</artifactId>
  <version>1.8.1</version>
</dependency>

Two options for transports are provided:

Building

Requirements

  • Apache Maven 3.3+ (prefer to use included mvnw)
  • JDK 7+ (10 is NOT supported)

Build

./mvnw clean install

Publish the docs

Checkout the release tag first, then:

  1. To do a dry run:

     ./mvnw clean javadoc:aggregate scm-publish:publish-scm -Pdocs -Dscmpublish.dryRun=true
    
  2. To publish:

     ./mvnw clean javadoc:aggregate scm-publish:publish-scm -Pdocs
    

ossindex-public's People

Contributors

brittanybelle, doddi, jdillon, ken-duck, ndonewar, qiming-c, scherzhaft, sonatype-zion, tneer


ossindex-public's Issues

Make username and password read from settings.xml

AFAIK if I want to use my own user/password to connect to the service, I have to set something like:

<plugin>
    <groupId>org.sonatype.ossindex.maven</groupId>
    <artifactId>ossindex-maven-plugin</artifactId>
    <version>1.0.0</version>
    <executions>
        <execution>
            <id>audit-dependencies</id>
            <phase>verify</phase>
            <goals>
                <goal>audit</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <clientConfiguration>
            <authConfiguration>
                <username>foo</username>
                <password>bar</password>
            </authConfiguration>
        </clientConfiguration>
    </configuration>
</plugin>

It could be nice if we can define this username/password in an external file like ~/.m2/settings.xml as a ossindex server:

<settings>
    <servers>
        <server>
            <id>ossindex</id>
            <username>foo</username>
            <password>bar</password>
        </server>
    </servers>
</settings>

SSL Certificate Renewal Request

SSL Certificate expired for URL: https://ossindex.sonatype.org/api/v3/component-report

Error occurred in our gradle pipelines:

	AnalysisException: Failed to request component-reports
		caused by SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
		caused by ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
		caused by CertPathValidatorException: validity check failed
		caused by CertificateExpiredException: NotAfter: Wed May 25 23:59:59 GMT 2022

Incorrect URL encoded coordinates in REST response

Hi!
I've noticed that requesting coordinates containing the "+" symbol in the version, e.g. pkg:maven/org.antlr/antlr4@4.+, results in incorrectly encoded coordinates in the response: "coordinates": "pkg:maven/org.antlr/antlr4@4.%20". This breaks matching requests and responses by coordinates.

Allow to ignore ssl errors with a system property

Hi,

Just met a case where I will have temporary SSL errors calling ossindex (company proxy stuff).
It would be great to be able to disable the check and keep the plugin working instead of failing, via a system property (like wagon) or a Maven parameter.
Here is the stack:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException (Alert.java:131)
    at sun.security.ssl.TransportContext.fatal (TransportContext.java:371)
    at sun.security.ssl.TransportContext.fatal (TransportContext.java:314)
    at sun.security.ssl.TransportContext.fatal (TransportContext.java:309)
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts (CertificateMessage.java:1357)
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate (CertificateMessage.java:1232)
    at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume (CertificateMessage.java:1175)
    at sun.security.ssl.SSLHandshake.consume (SSLHandshake.java:396)
    at sun.security.ssl.HandshakeContext.dispatch (HandshakeContext.java:480)
    at sun.security.ssl.HandshakeContext.dispatch (HandshakeContext.java:458)
    at sun.security.ssl.TransportContext.dispatch (TransportContext.java:201)
    at sun.security.ssl.SSLTransport.decode (SSLTransport.java:172)
    at sun.security.ssl.SSLSocketImpl.decode (SSLSocketImpl.java:1505)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord (SSLSocketImpl.java:1420)
    at sun.security.ssl.SSLSocketImpl.startHandshake (SSLSocketImpl.java:455)
    at sun.security.ssl.SSLSocketImpl.startHandshake (SSLSocketImpl.java:426)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket (SSLConnectionSocketFactory.java:396)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.upgrade (DefaultHttpClientConnectionOperator.java:193)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.upgrade (PoolingHttpClientConnectionManager.java:389)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute (MainClientExec.java:416)
    at org.apache.http.impl.execchain.MainClientExec.execute (MainClientExec.java:237)
    at org.apache.http.impl.execchain.ProtocolExec.execute (ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute (RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute (RedirectExec.java:111)
    at org.apache.http.impl.client.InternalHttpClient.doExecute (InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute (CloseableHttpClient.java:108)
    at org.sonatype.ossindex.service.client.transport.HttpClientTransport.post (HttpClientTransport.java:87)

Side note: in the Maven plugin it would be very neat to respect the wagon ones; this way the config is unique.

OSSIndex API errors out on HTTP 500 with payload requesting report for an old jgroups version

As reported by a user of OWASP dependency-check (jeremylong/DependencyCheck#5154 (comment)), the OSSIndex API errors out (internal server error) on retrieval of a component-report for jgroups 2.6.21.Final.

[DEBUG] OSS Index Analyzer submitting: [pkg:maven/org.jgroups/[email protected]]
[DEBUG] Requesting 1 component-reports
[DEBUG] Requesting 1 un-cached component-reports
[DEBUG] POST https://ossindex.sonatype.org/api/v3/component-report; payload: {"coordinates":["pkg:maven/org.jgroups/[email protected]"]} (application/vnd.ossindex.component-report-request.v1+json); accept: application/vnd.ossindex.component-report.v1+json
[DEBUG] Connecting to: https://ossindex.sonatype.org/api/v3/component-report
[DEBUG] Error requesting component reports
org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: 500
    at org.sonatype.ossindex.service.client.transport.HttpUrlConnectionTransport.post (HttpUrlConnectionTransport.java:106)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.doRequestComponentReports (OssindexClientImpl.java:204)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:170)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports (OssIndexAnalyzer.java:217)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:134)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1136)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:635)
    at java.lang.Thread.run (Thread.java:833)

Swagger Docs Omit API Token

The user account settings (https://ossindex.sonatype.org/user/settings) provide a way to generate API Tokens for use with the service. However, the Swagger definition (https://ossindex.sonatype.org/swagger.json) does not specify how to send the API Token to the service.

Inspecting https://github.com/sonatype/ossindex-public/blob/master/client/src/main/java/org/sonatype/ossindex/service/client/transport/HttpUrlConnectionTransport.java#L124 reveals that the "Authorization" header is used. This should be documented in the Swagger definition.
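The settings.xml request above and this Swagger report both come down to the same thing: credentials for the `ossindex` server id have to end up in the `Authorization` header. As an added example (not code from ossindex-public or the Maven plugin), the class below reads that `<server>` entry from a settings.xml and builds the header; it assumes HTTP Basic with `username:password`, where the password holds the API token, that the endpoint and media types are the ones shown in the issue logs on this page, and Java 9+ for `readAllBytes`.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Base64;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example, not part of ossindex-public: turns the <server id="ossindex">
 * entry of a settings.xml into the Authorization header for the authorized
 * component-report endpoint.
 */
public final class OssIndexSettingsAuth {

    // Endpoint and media types as they appear in the issue logs on this page.
    static final String AUTHORIZED_ENDPOINT = "https://ossindex.sonatype.org/api/v3/authorized/component-report";
    static final String REQUEST_TYPE = "application/vnd.ossindex.component-report-request.v1+json";
    static final String REPORT_TYPE = "application/vnd.ossindex.component-report.v1+json";

    /**
     * Returns "Basic base64(username:password)" for the server with the given id,
     * or null when no such server is configured. Assumption: the password field
     * holds the API token generated under the OSS Index user settings.
     */
    public static String authorizationHeader(Path settingsXml, String serverId) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // settings.xml is a local file, but parse it with DTDs and entity expansion off anyway.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder().parse(settingsXml.toFile());
        NodeList servers = doc.getElementsByTagName("server");
        for (int i = 0; i < servers.getLength(); i++) {
            Element server = (Element) servers.item(i);
            if (!serverId.equals(childText(server, "id"))) continue;
            String user = childText(server, "username");
            String secret = childText(server, "password");
            if (user == null || secret == null) return null;
            // Maven writes master-password-encrypted values as "{...}"; those must go through
            // Maven's SettingsDecrypter first, which this stand-alone example does not use.
            if (secret.startsWith("{") && secret.endsWith("}")) {
                throw new IllegalStateException("password for server '" + serverId + "' is encrypted");
            }
            byte[] raw = (user + ":" + secret).getBytes(StandardCharsets.UTF_8);
            return "Basic " + Base64.getEncoder().encodeToString(raw);
        }
        return null;
    }

    private static String childText(Element parent, String tag) {
        NodeList nodes = parent.getElementsByTagName(tag);
        return nodes.getLength() == 0 ? null : nodes.item(0).getTextContent().trim();
    }

    /** Sends one component-report request with the header. Needs network, so main() does not call it. */
    public static String postReport(String authorization, String jsonBody) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(AUTHORIZED_ENDPOINT).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Authorization", authorization);
        conn.setRequestProperty("Content-Type", REQUEST_TYPE);
        conn.setRequestProperty("Accept", REPORT_TYPE);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(jsonBody.getBytes(StandardCharsets.UTF_8));
        }
        if (conn.getResponseCode() != 200) {
            throw new IOException("Unexpected response; status: " + conn.getResponseCode());
        }
        return new String(conn.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample settings.xml using the placeholder credentials from the issue above.
        String sample = "<settings><servers><server><id>ossindex</id>"
            + "<username>foo</username><password>bar</password>"
            + "</server></servers></settings>";
        Path tmp = Files.createTempFile("settings", ".xml");
        Files.write(tmp, sample.getBytes(StandardCharsets.UTF_8));
        try {
            String header = authorizationHeader(tmp, "ossindex");
            System.out.println("Authorization: " + header);
            // postReport(header, "{\"coordinates\":[\"pkg:maven/org.antlr/antlr4@4.+\"]}")
            // would issue the request the curl examples on this page show.
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```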

Vulnerabilities missing due to user-agent

Apologies, as this is almost certainly the wrong place to be raising this but I didn't find anywhere more appropriate.

I'm currently using the lovely DependencyCheck plugin in a number of projects of mine and have noticed a discrepancy in reported vulnerabilities for at least one dependency depending on the user-agent used to make the request.

javax.mail:mail:1.5.0-b01 has 1 reported vulnerability, sonatype-2017-0492. When you use the below curl to grab any/all vulnerabilities, you'll receive it no problem.

curl -X 'POST' \
  'https://ossindex.sonatype.org/api/v3/component-report' \
  -H 'accept: application/vnd.ossindex.component-report.v1+json' \
  -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  -d '{
  "coordinates": [
    "pkg:maven/javax.mail/[email protected]"
  ]
}'
[{"coordinates":"pkg:maven/javax.mail/[email protected]","description":"","reference":"https://ossindex.sonatype.org/component/pkg:maven/javax.mail/[email protected]?utm_source=curl&utm_medium=integration&utm_content=7.80.0","vulnerabilities":[{"id":"sonatype-2017-0492","displayName":"sonatype-2017-0492","title":"1 vulnerability found","description":"1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this information using your registered account","cvssScore":4.3,"cvssVector":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","cwe":"CWE-699","reference":"https://ossindex.sonatype.org/vulnerability/sonatype-2017-0492","externalReferences":[]}]}]

However if you add a user-agent starting with "dependency-check" then the response will no longer include the previously found vulnerability.

curl -X 'POST' \
  'https://ossindex.sonatype.org/api/v3/component-report' \
  -H 'accept: application/vnd.ossindex.component-report.v1+json' \
  -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  -A 'dependency-check/7.1.1 (Windows 10; 10.0; amd64; 11.0.14.1)' \
  -d '{
  "coordinates": [
    "pkg:maven/javax.mail/[email protected]"
  ]
}'
[{"coordinates":"pkg:maven/javax.mail/[email protected]","description":"","reference":"https://ossindex.sonatype.org/component/pkg:maven/javax.mail/[email protected]?utm_source=dependency-check&utm_medium=integration","vulnerabilities":[]}]

I've had a glance through the source code here in the hopes there's some piece of documentation that explains why the API server itself is being influenced in this manner by the user-agent but I haven't seen anything. My best guess is something around wanting to avoid reporting duplicate vulnerabilities for DependencyCheck since it's also going to search the NVD for them back when support for OSS was first added. In this case however, the vulnerability in question doesn't appear in the NVD.

Is anybody with access to the source for the API server or just a better background with this able to elaborate on the behavior? It's got me concerned there may be a small treasure trove of more reported vulnerabilities in the OSS Index I'm not seeing because I use DependencyCheck.

Cheers

Externalreferences in practice appears to be (temporarily?) nullable, but is not marked as such

In a comment on an OWASP DependencyCheck issue jeremylong/DependencyCheck#3707 (comment) a NullPointerException surfaced when DependencyCheck was dereferencing the externalReferences of a ComponentReportVulnerability from a retrieved report for pkg:maven/com.thoughtworks.xstream/[email protected].
As other methods in the API are clearly marked as @Nullable, this to me is an unexpected NullPointerException. If the API can (temporarily) return vulnerabilities with no external references, the method should either be annotated with @Nullable or the getter should null-check and return an empty list for the null case.
When (re)testing for the same library I could not reproduce. My assumption is that by the time I tried the affected vulnerability had been enriched by its external references.
If the API is not expected to respond with null-valued externalReferences for any vulnerability there appears to be a transactional hole in between registering a vulnerability and its externalReferences that would allow the API to return invalid responses.

    /**
     * @since 1.8.0
     */
    public List<URI> getExternalReferences() {
        return externalReferences;
    }

component-report request returns 500 when '/' is URL encoded

Apologies if this is the wrong place for this.

Using Dependency Check maven plugin 6.5.3, it looks like it URL encodes / as %2F. e.g. pkg:npm/%40babel%[email protected].

POST requests to https://ossindex.sonatype.org/api/v3/component-report are returning a 500 when %2F is included.

Dependency Check logs:

[DEBUG] Requesting 1473 component-reports
[DEBUG] Requesting 128 un-cached component-reports
[DEBUG] Connecting to: https://ossindex.sonatype.org/api/v3/component-report
[DEBUG] Error requesting component reports
org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: 500
    at org.sonatype.ossindex.service.client.transport.HttpUrlConnectionTransport.post (HttpUrlConnectionTransport.java:106)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.doRequestComponentReports (OssindexClientImpl.java:204)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:170)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports (OssIndexAnalyzer.java:212)
    at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency (OssIndexAnalyzer.java:140)
    at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze (AbstractAnalyzer.java:131)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:88)
    at org.owasp.dependencycheck.AnalysisTask.call (AnalysisTask.java:37)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:871)

Making the same request from https://ossindex.sonatype.org/rest returns 500 also.

If %2F's are replaced with /'s then the request is successful.

To reproduce:

curl -X 'POST' \
  'https://ossindex.sonatype.org/api/v3/authorized/component-report' \
  -H 'accept: application/vnd.ossindex.component-report.v1+json' \
  -H 'authorization: Basic $TOKEN' \
  -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  -d '{
  "coordinates": [
    "pkg:npm/%40babel%[email protected]"
  ]
}
'

returns:

{
  "code": 500,
  "message": "There was an error processing your request. It has been logged (ID 8122e3b1446462e1)."
}
curl -X 'POST' \
  'https://ossindex.sonatype.org/api/v3/authorized/component-report' \
  -H 'accept: application/vnd.ossindex.component-report.v1+json' \
  -H 'authorization: Basic $TOKEN' \
  -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  -d '{
  "coordinates": [
    "pkg:npm/%40babel/[email protected]"
  ]
}
'

returns:

200
[
  {
    "coordinates": "pkg:npm/%40babel/[email protected]",
    "description": "Compile ES2015 Unicode regex to ES5",
    "reference": "https://ossindex.sonatype.org/component/pkg:npm/%40babel/[email protected]?utm_source=mozilla&utm_medium=integration&utm_content=5.0",
    "vulnerabilities": []
  }
]
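The two encoding reports on this page (a "+" in a version echoed back as "%20", and "%2F" versus "/" in an npm namespace) both break the step where a client pairs each response entry with the coordinate it asked for. As an added example, not code from ossindex-public, the class below canonicalises purl-style coordinates with its own percent-decoder (java.net.URLDecoder would turn "+" into a space, the very form-decoding the first report describes), matches strictly first, and only then falls back to a lossy "+"-as-space comparison that it flags; it assumes qualifiers and subpaths can be ignored for matching.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/**
 * Added example, not part of ossindex-public: pairs the coordinates a client sent
 * with the "coordinates" values the service returned, tolerating the encoding
 * differences reported on this page and flagging the lossy ones.
 */
public final class CoordinateMatcher {

    /** Percent-decodes s, leaving '+' alone (unlike URLDecoder, which reads it as a space). */
    static String percentDecode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); ) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()) {
                int hi = Character.digit(s.charAt(i + 1), 16);
                int lo = Character.digit(s.charAt(i + 2), 16);
                if (hi >= 0 && lo >= 0) {
                    out.write((hi << 4) | lo);
                    i += 3;
                    continue;
                }
            }
            int cp = s.codePointAt(i);                    // keep surrogate pairs intact
            byte[] utf8 = new String(Character.toChars(cp)).getBytes(StandardCharsets.UTF_8);
            out.write(utf8, 0, utf8.length);
            i += Character.charCount(cp);
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    /**
     * Comparison key: lower-cased type, decoded namespace/name, decoded version.
     * Qualifiers ("?...") and subpath ("#...") are dropped (assumption: they do not
     * matter for pairing). With plusAsSpace the key mimics form-decoding, which is lossy.
     */
    static String key(String purl, boolean plusAsSpace) {
        String s = purl.trim();
        int cut = s.indexOf('#');
        if (cut >= 0) s = s.substring(0, cut);
        cut = s.indexOf('?');
        if (cut >= 0) s = s.substring(0, cut);
        if (!s.regionMatches(true, 0, "pkg:", 0, 4)) throw new IllegalArgumentException("not a purl: " + purl);
        s = s.substring(4);
        while (s.startsWith("/")) s = s.substring(1);  // purl tolerates "pkg:/type/..."
        int slash = s.indexOf('/');
        if (slash < 0) throw new IllegalArgumentException("missing name: " + purl);
        String type = s.substring(0, slash).toLowerCase(Locale.ROOT);
        String rest = s.substring(slash + 1);
        if (plusAsSpace) rest = rest.replace('+', ' ');
        String version = "";
        int at = rest.lastIndexOf('@');                   // a namespace '@' is encoded as %40 in a valid purl
        if (at >= 0) {
            version = rest.substring(at + 1);
            rest = rest.substring(0, at);
        }
        return type + "/" + percentDecode(rest) + "@" + percentDecode(version);
    }

    /** One requested coordinate and what, if anything, came back for it. */
    public static final class Match {
        public final String requested;
        public final String returned;   // null when the response had no entry for it
        public final boolean lossy;     // true when only the '+'-as-space comparison matched
        Match(String requested, String returned, boolean lossy) {
            this.requested = requested; this.returned = returned; this.lossy = lossy;
        }
    }

    public static List<Match> match(List<String> requested, List<String> returned) {
        Map<String, String> strict = new HashMap<>();
        Map<String, String> lenient = new HashMap<>();
        for (String r : returned) {
            strict.putIfAbsent(key(r, false), r);
            lenient.putIfAbsent(key(r, true), r);
        }
        List<Match> out = new ArrayList<>();
        for (String q : requested) {
            String hit = strict.get(key(q, false));
            if (hit != null) { out.add(new Match(q, hit, false)); continue; }
            hit = lenient.get(key(q, true));
            out.add(new Match(q, hit, hit != null));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample built from coordinates quoted in the issues above.
        List<String> sent = Arrays.asList(
            "pkg:npm/%40babel%2Fplugin-bugfix-safari-id-destructuring-collision-in-function-expression@7.18.6",
            "pkg:maven/org.antlr/antlr4@4.+",
            "pkg:maven/javax.mail/mail@1.5.0-b01",
            "pkg:maven/org.jgroups/jgroups@2.6.21.Final");
        List<String> echoed = Arrays.asList(
            "pkg:npm/%40babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@7.18.6",
            "pkg:maven/org.antlr/antlr4@4.%20",
            "pkg:maven/javax.mail/mail@1.5.0-b01");
        for (Match m : match(sent, echoed)) {
            String status = m.returned == null ? "NO REPORT" : (m.lossy ? "matched (lossy '+')" : "matched");
            System.out.println(status + "  " + m.requested + (m.returned == null ? "" : "  <-  " + m.returned));
        }
    }
}
```

A "NO REPORT" or lossy match is the signal to log and fail the analysis rather than silently treat the component as clean.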

Clarify on the status of a CLA requirement to contribute

I believe the origin of the change is fairly clear with the comment and link to the PR and discussion.

As mentioned, I disagree. There's a reason why Git makes a difference between the author and the committer, and I'm not the author of these commits anymore.

I believe I prematurely consumed your change without first checking your CLA status

I wasn't even aware that signing a CLA is necessary! Neither the README.md nor any CONTRIBUTING.md mentions this. If signing a CLA is required, I urge you to add an according check e.g. via https://github.com/cla-assistant/cla-assistant. Or better yet, use the DCO and https://github.com/probot/dco instead.

Anyway, if I knew a CLA needs to be signed, I wouldn't have contributed. I need to make up my mind what to do now that the contribution already happened.

We will revisit our process for consuming changes to see if we can make any improvements in this area.

Thank you, and yes please, your process needs to be revisited and changed so that authorship in Git history is maintained.

Originally posted by @sschuberth in #6 (comment)

Implement a Transport based on OkHttp

OkHttp is a very popular HTTP library. As it's likely already in use in a user's dependency stack, it would be nice to have a Transport implementation that uses OkHttp so that such users don't need to introduce a dependency on another HTTP library.

Status 500

Is all good on server side? My scheduled requests which worked so far got status 500:

{'_content': b'{"code":500,"message":"There was an error processing your request. It has been logged (ID e5ba184ffc84a17a)."}', '_content_consumed': True, '_next': None, 'status_code': 500, 'headers': {'Date': 'Tue, 14 Mar 2023 13:58:56 GMT', 'Content-Type': 'application/json', 'Content-Length': '110', 'Connection': 'keep-alive', port=None, port_specified=False, domain='ossindex.sonatype.org', domain_specified=False, domain_initial_dot=False, path='/', path_specified=True, secure=True, expires=1679407136, discard=False, comment=None, comment_url=None, rest={'SameSite': 'None'}, rfc2109=False)]>, 'elapsed': datetime.timedelta(0, 0, 121188), 'request': <PreparedRequest [POST]>, 'connection': <requests.adapters.HTTPAdapter object at 0x7f60b44f26d8>}

API call : rate limit

Hello,

I want to use the Sonatype OSS Index API. In the documentation it says that there is a limit to the number of requests allowed. This limit is higher in the case of creating an account. How high is this limit (I did not find the information)?

Extract from the documentation :

Rate and request metric limits apply to requests. If limits are exceeded then responses will indicate 429 Too many requests status. There are a number of request metrics that may trigger the 429 status.
Authenticated requests have a higher limit. Register for an account and authenticate requests to get a higher limit.

Thanks,

Rémy

add namespaces for the conda ecosystem?

Hi folks, and thanks for the OSSIndex.

We just packaged jake for conda-forge, but then immediately found that it only pulls from (presumably) repo.anaconda.com. Or something.

For the last few years, conda-forge has been the upstream of those packages, which are increasingly complicated to use by Anaconda, Inc's terms of service. In addition, conda-forge provides about 5x as many packages (including large numbers from msys and cran) and releases far more frequently.

The conda-forge packages have canonical releases as both GitHub releases (it's just really big, but the API works fine) as well as distribution through anaconda.org.

As it appears other ecosystems were able to have namespaces added, e.g. npm, it seems like it should be possible, and would be greatly appreciated by the conda community, to also add these for the conda ecosystem: aside from conda-forge, a number of other channels are very important to their respective communities, including bioconda, pytorch, etc.

We've also got this issue to discuss how we might use this, such as helping gate the introduction of new packages (and their dependencies) through the extensive automation process provided by conda-forge.

Thanks again!

Separate Fields for Native VulnID and Source

Currently, the response from ossindex api contains more than one type of data in a single field leading to non-deterministic behavior.

Current response:

{
  "id": "2a9810aa-3800-4e8e-8071-636e81c98386",
  "title": "[CVE-2014-3577] org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient",
 ...
}

The brackets appear to be optional, and the combining of a description, native vulnId, and an ambiguous source makes the title in its current format extremely difficult to parse and perform an action on in an automated way.

Proposed response:

{
  "id": "2a9810aa-3800-4e8e-8071-636e81c98386",
  "vulnId": "CVE-2014-3577",
  "source": "NVD",
  "title": "org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient",
 ...
}

For items that do not have a single source of truth (i.e. a vuln identified from a GitHub issue), then simply leave the vulnId blank.

OssIndex HTTP 500 error

While running dependency-check for a Node.js project I get HTTP 500:

DEBUG - unexpected error
org.owasp.dependencycheck.analyzer.exception.AnalysisException: Failed to request component-reports
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:155)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: 500
at org.sonatype.ossindex.service.client.transport.HttpUrlConnectionTransport.post(HttpUrlConnectionTransport.java:106)
at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.doRequestComponentReports(OssindexClientImpl.java:204)
at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports(OssindexClientImpl.java:170)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.requestReports(OssIndexAnalyzer.java:219)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:134)

oss index unexpected response; status 500

Since Jan 13 2023 we have been getting errors on dependency-check when building packages.
We are using maven plugin 3.6.2 and dependency check plugin 8.0.0.

Caused by: org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: 500

example 1
[WARNING] An error occurred while analyzing '.../.m2/repository/javax/ejb/javax.ejb-api/3.2.2/javax.ejb-api-3.2.2.jar' (Sonatype OSS Index Analyzer). [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:aggregate (default-cli) on project {appname}-parent: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis: [ERROR] Failed to request component-reports

example 2
[WARNING] An error occurred while analyzing '.../.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar' (Sonatype OSS Index Analyzer) [ERROR] Failed to execute goal org.owasp:dependency-check-maven:5.3.0:aggregate (default-cli) on project {appname}-parent: One or more exceptions occurred during dependency-check analysis: One or more exceptions occurred during analysis: [ERROR] Failed to request component-reports

Narrowed it down to two packages listed in ossindex but not available on Maven (404 Not Found):

https://ossindex.sonatype.org/search?type=maven&q=org.jboss.cache
https://repo1.maven.org/maven2/org/jboss/cache/jbosscache-core/

https://ossindex.sonatype.org/component/pkg:maven/net.sf.ehcache/sizeof-agent
https://repo1.maven.org/maven2/net/sf/ehcache/sizeof-agent/

Can't pass several components

I can't pass several components into search

examples

curl -X 'POST' \
  'https://ossindex.sonatype.org/api/v3/component-report' \
  -H 'accept: application/vnd.ossindex.component-report.v1+json' \
  -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  -d '{
  "coordinates": [
    "pkg:deb/debian/[email protected]"
  ]
}'
curl -X 'POST' \
  'https://ossindex.sonatype.org/api/v3/component-report' \
  -H 'accept: application/vnd.ossindex.component-report.v1+json' \
  -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  -d '{
  "coordinates": [
    "pkg:deb/debian/[email protected]%20b1"
  ]
}'
curl -X 'POST' \
  'https://ossindex.sonatype.org/api/v3/component-report' \
  -H 'accept: application/vnd.ossindex.component-report.v1+json' \
  -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  -d '{
  "coordinates": [
    "pkg:deb/debian/[email protected]"
  ]
}'
curl -X 'POST' \
  'https://ossindex.sonatype.org/api/v3/component-report' \
  -H 'accept: application/vnd.ossindex.component-report.v1+json' \
  -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  -d '{
  "coordinates": [
    "pkg:deb/debian/[email protected]%20deb8u1"
  ]
}'
curl -X 'POST' \
  'https://ossindex.sonatype.org/api/v3/component-report' \
  -H 'accept: application/vnd.ossindex.component-report.v1+json' \
  -H 'Content-Type: application/vnd.ossindex.component-report-request.v1+json' \
  -d '{
  "coordinates": [
    "pkg:deb/debian/[email protected]%20deb8u2"
  ]
}'

I cannot even guess what is wrong here.

Client as used by dependency-check-maven fails with NullPointerException

There are many reports of suddenly failing builds using the org.owasp:dependency-check-maven plugin. That plugin uses this library to make requests to OSS Index.

Most reports seem to go along the lines of:

[DEBUG] Connecting to: https://ossindex.sonatype.org/api/v3/component-report
[DEBUG] Error requesting component reports
java.lang.NullPointerException
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryKey (DirectoryCache.java:149)
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.entryFile (DirectoryCache.java:157)
    at org.sonatype.ossindex.service.client.cache.DirectoryCache.putAll (DirectoryCache.java:134)
    at org.sonatype.ossindex.service.client.internal.OssindexClientImpl.requestComponentReports (OssindexClientImpl.java:171)

jeremylong/DependencyCheck#4538

[DepShield] (CVSS 5.9) Vulnerability due to usage of com.google.guava:guava:20.0

Vulnerabilities

DepShield reports that this application's usage of com.google.guava:guava:20.0 results in the following vulnerability(s):


Occurrences

com.google.guava:guava:20.0 is a transitive dependency introduced by the following direct dependency(s):

com.google.guava:guava:20.0

This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.

CVE-2022-25647 ossindex-service-client contains vulnerable dependency gson v2.8.5

ossindex-public/ossindex-service-client v1.8.1 is using a version of gson library which is vulnerable to CVE-2022-25647. The issue is fixed in gson v2.8.9+

See https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327 and google/gson#1991 for details on the CVE.
https://nvd.nist.gov/vuln/detail/CVE-2022-25647 is unfortunately only registered so far.

Vulnerable gson version is defined at https://github.com/sonatype/ossindex-public/blob/main/bom/pom.xml#L71

OSS Repository Down?

Hello, this morning all of our projects are throwing this:

org.sonatype.ossindex.service.client.transport.Transport$TransportException: Unexpected response; status: HTTP/1.1 500 Internal Server Error
at org.sonatype.ossindex.service.client.transport.HttpClientTransport.post (HttpClientTransport.java:101)

Component report throws error 500 for [email protected] package

When I try to send a POST request to https://ossindex.sonatype.org/api/v3/component-report with the payload

{
   "coordinates":[
        "pkg:npm/[email protected]"
    ]
}

the response contains code 500

{
    "code": 500,
    "message": "There was an error processing your request. It has been logged (ID d9bb96fc74c4f8d3)."
}

This issue breaks our build, which calls the OSS Index component report with a number of packages in the POST body, but after analysis we found out that the package that triggers the error 500 is [email protected].
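The situation described in this issue (a batch of coordinates in one POST, and one of them making the service answer 500) is a case where a client needs to isolate the offending coordinate rather than fail the whole build. The following is an added example, not code from ossindex-public: it builds a multi-coordinate component-report request using the URL and media types quoted on this page, and bisects a batch against a transport callback until the coordinates that alone produce a 500 are found. The transport `fake_post` and the purl `pkg:npm/bad-example@1.0.0` are constructed stand-ins; the issue's actual package name is not reproduced here.

```python
"""Batching component-report requests and isolating a coordinate that makes
the service answer HTTP 500.

Added example, not code from ossindex-public. The URL and content types are
the ones quoted on this page; the transport and the failing purl are
constructed for the example.
"""
import json
from typing import Callable, Iterable, List, Tuple

REPORT_URL = "https://ossindex.sonatype.org/api/v3/component-report"
REQUEST_CONTENT_TYPE = "application/vnd.ossindex.component-report-request.v1+json"
RESPONSE_ACCEPT = "application/vnd.ossindex.component-report.v1+json"

# A transport takes the JSON body and returns (status, response_text).
# A real implementation would POST it to REPORT_URL with the headers below.
Transport = Callable[[str], Tuple[int, str]]


def build_request(coordinates: Iterable[str]) -> Tuple[dict, str]:
    """Headers and JSON body for one report call covering several purls at once."""
    coords = list(coordinates)
    if not coords:
        raise ValueError("at least one coordinate is required")
    for c in coords:
        # OSS Index coordinates are package URLs; reject anything else early.
        if not c.startswith("pkg:"):
            raise ValueError(f"not a package URL: {c!r}")
    headers = {"Accept": RESPONSE_ACCEPT, "Content-Type": REQUEST_CONTENT_TYPE}
    return headers, json.dumps({"coordinates": coords})


def find_failing_coordinates(coordinates: List[str], post: Transport) -> List[str]:
    """Bisect a batch until every coordinate that alone triggers a 500 is isolated.

    Assumes the 500 is caused by individual coordinates (as observed in the
    issue above), not by batch size or a service-wide outage; a transient
    outage would make every single-element request fail and return them all.
    """
    _, body = build_request(coordinates)
    status, _ = post(body)
    if status != 500:
        return []
    if len(coordinates) == 1:
        return list(coordinates)
    mid = len(coordinates) // 2
    return (find_failing_coordinates(coordinates[:mid], post)
            + find_failing_coordinates(coordinates[mid:], post))


# Constructed stand-in for the service. BAD_PURL is a placeholder for the
# package that triggered the error in the issue; it is not a real package.
BAD_PURL = "pkg:npm/bad-example@1.0.0"


def fake_post(body: str) -> Tuple[int, str]:
    """Answer 500 whenever the batch contains BAD_PURL, else a minimal report."""
    coords = json.loads(body)["coordinates"]
    if BAD_PURL in coords:
        return 500, json.dumps({"code": 500,
                                "message": "There was an error processing your request."})
    # Minimal well-formed report: one entry per coordinate, no vulnerabilities.
    return 200, json.dumps([{"coordinates": c, "vulnerabilities": []} for c in coords])


if __name__ == "__main__":
    batch = ["pkg:npm/good-a@1.0.0", BAD_PURL, "pkg:maven/com.google.guava/guava@20.0"]
    print("failing:", find_failing_coordinates(batch, fake_post))
```

The bisection costs O(k log n) requests for k bad coordinates in a batch of n, which is acceptable for a CI job that would otherwise fail outright; a production client should also cap retries and distinguish a 500 carrying the service's `{"code": 500, ...}` body from a transport-level failure.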

CVSS version mismatch

The API endpoint at https://ossindex.sonatype.org/api/v3/component-report
returns a CVSSv3.1 vector, but the library ossindex-service-client defaults to "CVSSv2" because it does not start with "CVSSv3.0":

if (value.startsWith(Cvss3Vector.PREAMBLE)) {
    return new Cvss3Vector(value);
}
return new Cvss2Vector(value);

This bug results in the following issue over at OWASP dependency check:
jeremylong/DependencyCheck#5598
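The prefix check quoted in this issue silently mis-scores a CVSS 3.1 vector as CVSS 2 instead of failing. The block below is an added example, not code from ossindex-public, written in Python rather than the library's Java: `parse_naive` reproduces the exact-preamble check, and `parse_strict` accepts every CVSS 3.x minor version and rejects unknown versions outright. `CVSS3_0_PREAMBLE` is assumed to be the equivalent of the library's `Cvss3Vector.PREAMBLE`; the vector strings are constructed samples in the FIRST vector-string format.

```python
"""Version detection for CVSS vector strings.

Added example, not code from ossindex-public. Contrasts the exact-preamble
check quoted in the issue above with one that handles every 3.x minor version.
"""
import re
from dataclasses import dataclass
from typing import Dict

# Per the FIRST specification, CVSS v3.x vectors begin with "CVSS:3.<minor>/";
# v2 vectors carry no version preamble at all.
CVSS3_0_PREAMBLE = "CVSS:3.0/"          # assumed equivalent of Cvss3Vector.PREAMBLE
CVSS3_ANY_RE = re.compile(r"^CVSS:3\.(\d+)/")


@dataclass(frozen=True)
class CvssVector:
    version: str            # "2.0", "3.0", "3.1", ...
    metrics: Dict[str, str]


def _parse_metrics(body: str) -> Dict[str, str]:
    """Split 'AV:N/AC:L/...' into {"AV": "N", ...}, rejecting malformed pairs."""
    metrics: Dict[str, str] = {}
    for part in body.split("/"):
        name, sep, val = part.partition(":")
        if not sep or not name or not val:
            raise ValueError(f"malformed CVSS metric {part!r}")
        metrics[name] = val
    return metrics


def parse_naive(value: str) -> CvssVector:
    """Mirrors the buggy check: only an exact 'CVSS:3.0/' preamble counts as v3.

    A v3.1 vector falls through and is parsed as v2, with the "CVSS:3.1"
    preamble misread as a metric named "CVSS"; nothing raises.
    """
    if value.startswith(CVSS3_0_PREAMBLE):
        return CvssVector("3.0", _parse_metrics(value[len(CVSS3_0_PREAMBLE):]))
    return CvssVector("2.0", _parse_metrics(value))


def parse_strict(value: str) -> CvssVector:
    """Hardened: any 3.x minor is v3; v2 only without a preamble; else fail loudly."""
    m = CVSS3_ANY_RE.match(value)
    if m:
        return CvssVector(f"3.{m.group(1)}", _parse_metrics(value[m.end():]))
    if value.startswith("CVSS:"):
        # v4 or a future version: refuse rather than mis-score it as v2.
        raise ValueError(f"unsupported CVSS version in {value!r}")
    return CvssVector("2.0", _parse_metrics(value))


if __name__ == "__main__":
    sample = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"   # constructed sample
    print("naive :", parse_naive(sample).version)
    print("strict:", parse_strict(sample).version)
```

The failure mode worth noticing is that the naive path does not error: the resulting object claims version 2.0 and carries a bogus "CVSS" metric, so any downstream scoring or severity mapping proceeds on wrong data, which is exactly how the mismatch surfaced in dependency-check rather than in this library.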

Account Creation Error

When attempting to create an account, you are presented with an HTTP 500 error if using an email account which is already associated with a login. OSSIndex should simply present a notice to the user that the email is already in use.

