fix: Disable OSS Index if its credentials are missing#7963
Merged
jeremylong merged 2 commits into dependency-check:main from [source branch not shown] on Sep 24, 2025
Conversation
r4fterman reviewed on Sep 24, 2025
core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java (outdated)
Commits updated from 3d70d79 to e0d9151
I hope this fix will be merged soon 🤞
marcelstoer suggested changes on Sep 24, 2025
core/src/main/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzer.java (outdated)
core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java (outdated)
r4fterman reviewed on Sep 24, 2025
core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java
Commits updated from e0d9151 to f42ddfb
jeremylong reviewed on Sep 24, 2025
core/src/test/java/org/owasp/dependencycheck/analyzer/OssIndexAnalyzerTest.java (outdated)
Collaborator
This is a better approach than what I had half completed yesterday - Thanks for the PR!
kwin added a commit to apache/jackrabbit-filevault that referenced this pull request on Sep 25, 2025:
Update dependency-check to 12.1.6 to include dependency-check/DependencyCheck#7963.
So, using https://github.com/dependency-check/DependencyCheck/releases/tag/v12.1.6, there is no way to enforce that credentials are passed? I mean, having an error instead of auto-disabling the feature? I want my dep-check to be consistent, so I don't want a job to be able to arbitrarily omit the credentials to skip the OSS Index check. Is there a way?
Collaborator
@M4mu5qu3 No, with the current implementation, there is no easy way to identify when the credentials were not supplied within the core dependency-check code.
kwin added a commit to Netcentric/accesscontroltool that referenced this pull request on Oct 2, 2025
kwin added a commit to Netcentric/accesscontroltool that referenced this pull request on Oct 2, 2025
joerghoh pushed a commit to apache/jackrabbit-filevault that referenced this pull request on Oct 8, 2025:
Update dependency-check to 12.1.6 to include dependency-check/DependencyCheck#7963.
Description of Change
This disables the OSS Index analyzer if no credentials are provided. Feel free to drop this PR if it doesn't make sense.
Related issues
Relates to #7920
Have test cases been added to cover the new functionality?
Yes.