Is your feature request related to a problem? Please describe.
Related to #4533.
The CLI and Gradle clients offer to set OSS Index user/pw. For the Maven client only the indirection through server ID and settings.xml is currently supported.
Describe the solution you'd like
For Maven, allow either setting user/pw or a server ID.
It is obvious that using the server ID is usually a safer setup. However, this assumes you have access to or control over the settings.xml. This is not always the case. Example: corporate CI infrastructure with Maven settings controlled by IT.
You can still include the OSS Index for ODC safely in your pipeline if you do something like mvn -U org.owasp:dependency-check-maven:$ODC_VERSION:aggregate -DossIndexUser=$OSS_INDEX_USER ... The actual value for $OSS_INDEX_USER would be stored as a CI env variable with your project (e.g. in GitLab).
Describe alternatives you've considered
If the settings.xml isn't read-only, the pipeline might try to alter it prior to running ODC.
Additional context
@jeremylong voiced potential "endorsement" for this feature here #4533 (comment)
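As an added illustration (not from the issue author or the project), this is what the server-ID indirection looks like when the pipeline ships its own settings file instead of editing the IT-controlled one; the server id `ossindex` and the CI variable names `OSS_INDEX_USER` / `OSS_INDEX_TOKEN` are assumptions, while `ossindexServerId` is the plugin's existing property for pointing at a server entry.

```xml
<!-- ci-settings.xml: kept with the project and passed via `mvn -s ci-settings.xml`.
     Added example, not part of the issue. The credential values are read from
     CI variables (names assumed), so nothing secret is committed and the
     IT-managed ~/.m2/settings.xml is never modified. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <!-- id referenced on the command line with -DossindexServerId=ossindex -->
      <id>ossindex</id>
      <username>${env.OSS_INDEX_USER}</username>
      <password>${env.OSS_INDEX_TOKEN}</password>
    </server>
  </servers>
</settings>
```

Run it with `mvn -U -s ci-settings.xml org.owasp:dependency-check-maven:$ODC_VERSION:aggregate -DossindexServerId=ossindex`. Note that `-s` replaces the user-level settings file for that run only (the global conf/settings.xml is still merged in), so check the pipeline still picks up any mirrors or proxies it relied on from the IT-managed file.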