OSS Index API Transition to Sonatype Guide

[brianf]

I want to provide early notice of an upcoming change to OSS Index.
For many years, OSS Index has delivered free, high-quality open source vulnerability intelligence to the broader ecosystem, including users of tools such as Dependency-Track. As modern development practices evolve, particularly with automation and AI-assisted coding, the way risk is introduced into software has changed. In response, we are evolving our strategy.

Over the coming weeks, the OSS Index API will transition into Sonatype Guide.

Please note:
The OSS Index API will continue to be available via compatibility API in Sonatype Guide, with a free tier and much improved UX.
Credit limits are not yet being enforced but will begin April 28
Clear options will be provided for users to either continue using OSS Index or transition to Guide capabilities as their needs evolve
We will share more detailed guidance ahead of any required action. For now, this is intended as advance notice so your team can plan appropriately.
Thank you for being part of the OSS Index community.,
Brian Fox
CTO, Sonatype

[nscuro]

Question by @caiocfonseca1 from #5871:

Following the annoucement from Sonatype (#5868) about the migration of OSS index api. I understand that there isn't a lot of information about, but it is possible to know if any changes on Dependency-Track will be needed? Or if this this changes will affect only the billing part of the Sonatype API?

The OSS Index integration will continue to work as-is. The only action you may need to take will be to change the OSS Index API URL in the Dependency-Track admin panel. The ability to do this was added for v4.14.0 which we are planning to release on Monday.

I am not yet clear if and when Sonatype may require the URL to be changed, but I'd expect comms on that in the short term. So far, quoting their own announcement (https://www.sonatype.com/products/sonatype-guide/oss-index-users):

We recognize that the OSS Index is critical infrastructure for many developers and organizations.

• The OSS Index API will continue to be available via compatibility API in Sonatype Guide.
• Users can expect continued compatibility with existing integrations such as Dependency-Track and Dependency-Check.
• Users will have clear options to continue using OSS Index or transition to Guide as needs evolve.
• Updated packages (free and paid) through Guide will be published to support predictable usage at scale.

[caiocfonseca1]

Thanks for the reply @nscuro . We are still on 4.12.x so probably will need to update if the URL needs to be changed.

@brianf Will sonatype communicate to the users when (and if) the url will have to be changed? What is the best way for us to be up-to-date with this updates? Thanks in advance.

[nscuro]

Brian and Sonatype are in contact with us, so at the very least we will communicate this through our own channels when action is required.

[caiocfonseca1]

Thanks @nscuro