sschuberth

As of September 22nd, 2025, authentication will be mandatory, see [1]. Reflect that by making respective properties non-nullable. While at it, also make the username a non-Secret and use a more fitting token property.

BREAKING CHANGE: Users need to move their configured username property from the secrets to the options section, and rename the password property in the secrets section to token.

@sschuberth sschuberth requested a review from a team as a code owner September 18, 2025 09:42
@sschuberth sschuberth enabled auto-merge (rebase) September 18, 2025 09:42

codecov bot commented Sep 18, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.53%. Comparing base (cbb580d) to head (f83aed1).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##               main   #10866   +/-   ##
=========================================
  Coverage     57.53%   57.53%           
  Complexity     1698     1698           
=========================================
  Files           346      346           
  Lines         12823    12823           
  Branches       1212     1212           
=========================================
  Hits           7378     7378           
  Misses         4978     4978           
  Partials        467      467           
Flag Coverage Δ
funTest-docker 71.03% <ø> (+0.04%) ⬆️
funTest-non-docker 32.87% <ø> (ø)
test-ubuntu-24.04 42.25% <ø> (ø)
test-windows-2025 42.23% <ø> (ø)



private val getComponentReport by lazy {
val hasCredentials = config.username != null && config.password != null
val hasCredentials = config.username.isNotEmpty() && config.token.value.isNotEmpty()
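
Review bot: On the new `hasCredentials` line, `isNotEmpty()` accepts whitespace-only values for `config.username` and `config.token.value`, so a setting that contains only spaces would still count as configured credentials; `isNotBlank()` is the stricter check. Since the PR states that authentication is now mandatory and the properties are non-nullable, consider validating both values once when the configuration is read and failing with a clear message, rather than computing a flag inside the lazy `getComponentReport` that implies an unauthenticated path still exists.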
Is this if/else still valid? Or is service::getComponentReport, which I assume is "unauthenticated", now invalid (and should be removed)?

@fviernau fviernau Sep 18, 2025

Note: The hasCredentials check could be "inlined" and moved before the forEach loop in retrievePackageFindings() IIUC.

Member Author

I've removed the unauthenticated endpoint from the OSS Index client completely and adjusted the code accordingly.

As of September 22nd, 2025, authentication will be mandatory, see [1].
Reflect that by making respective properties non-nullable. While at it,
also make the `username` a non-`Secret` and use a more fitting `token`
property name.

While at it also remove the unauthenticated endpoint from the OSS Index
client implementation completely.

BREAKING CHANGE: Users need to move their configured `username` property
from the `secrets` to the `options` section, and rename the `password`
property to `token` in the `secrets` section.

[1]: https://ossindex.sonatype.org/doc/auth-required

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
@sschuberth sschuberth requested review from fviernau and a team September 19, 2025 08:21
@sschuberth sschuberth merged commit 07859c3 into main Sep 22, 2025
33 of 34 checks passed
@sschuberth sschuberth deleted the oss-index-auth branch September 22, 2025 06:51