diff --git a/README.md b/README.md index 5ee1f49276a..fd7d7160d9f 100644 --- a/README.md +++ b/README.md 
@@ -46,17 +46,19 @@ The NVD API has enforced rate limits. If you are using a single API KEY and multiple builds occur you could hit the rate limit and receive 403 errors. In a CI environment one must use a caching strategy. -### Sonatype OSS Index API Token Now Required for usage +### Sonatype OSS Index mandatory authentication and migration to Sonatype Guide -Since September 2025 Sonatype OSS Index started enforcing use of API tokens for authentication. In April 2026 a -subsequent migration to Sonatype Guide began. +In September 2025 Sonatype OSS Index started enforcing use of API tokens for authentication. In April 2026 a +subsequent migration to Sonatype Guide began, kicking off a transition to use of Sonatype Guide API Tokens that are +planned to replace the legacy OSS Index API keys/tokens before the end of 2026. -If you wish to use Sonatype OSS Index you must configure Dependency-Check and consider implications for migration to -Sonatype Guide. See the [analyzer documentation](https://dependency-check.github.io/DependencyCheck/analyzers/oss-index-analyzer.html) -for more information. +Without credentials, Dependency Check will **automatically disable the OSS Index analyzer**. Please see the documentation +for the CLI, Maven, Gradle, or Ant integrations on how to set the analyzer credentials for use of a Sonatype Guide token +or legacy OSS Index API key. -Without credentials, Dependency Check will **automatically disable the OSS Index analyzer**. Please see the documentation -for the cli, maven, gradle, or ant integrations on how to set the OSS Index credentials. +If you wish to use Sonatype OSS Index (via Guide) you must configure Dependency-Check and consider implications for the +migration to Sonatype Guide; whose commercial/usage model has changed. See the [analyzer documentation](https://dependency-check.github.io/DependencyCheck/analyzers/oss-index-analyzer.html) +for more information. ### Gradle build Environment 
diff --git a/src/site/markdown/analyzers/oss-index-analyzer.md b/src/site/markdown/analyzers/oss-index-analyzer.md index 473300dbbc2..b6de189cd8e 100644 --- a/src/site/markdown/analyzers/oss-index-analyzer.md +++ b/src/site/markdown/analyzers/oss-index-analyzer.md @@ -22,9 +22,8 @@ During this migration users will need to make some minor changes. - login with OSS Index account credentials to the Sonatype Guide platform to validate your account has been migrated - migrate OSS Index analyzer base URL to Sonatype Guide platform - override Dependency-Check configuration OR - - upgrade to Dependency-Check `12.2.1`+ (if using defaults) - - review API usage within Sonatype Guide to determine whether continued free usage is possible (new API limits apply from April 28 2026 onwards) - - consider [cache/restore of Dependency-Check's data directory](../data/cacheh2.md) between runs to retain the OSS Index cache, and reduce API load + - upgrade to Dependency-Check `12.2.2`+ (if using defaults) + - review API usage within Sonatype Guide to determine whether continued free usage is possible (new API limits apply from April 28, 2026 onwards) - _Before_ December 31, 2026 - migrate to using a Sonatype Guide API token for authentication rather than the legacy OSS Index API token - For **new** users 
@@ -35,3 +34,15 @@ For more details on this migration see: - [Sonatype OSS Index product page](https://www.sonatype.com/products/sonatype-guide/oss-index-users) - [Sonatype Migration timeline](https://help.sonatype.com/en/oss-index-migration-to-sonatype-guide.html) - [Using Sonatype Guide personal access tokens for OSS Index API](https://help.sonatype.com/en/using-guide-personal-access-tokens-with-oss-index-api-integrations.html) + +### Managing Sonatype Guide credit usage + +In contrast to the earlier completely free OSS Index solution, Sonatype Guide gives a limited number of credits on free +accounts; and effectively charges per component report. You can review your credit usage in your Sonatype Guide account. + +To reduce your credit usage: +- consider [cache/restore of Dependency-Check's data directory](../data/cacheh2.md) between runs to retain the OSS Index cache, and reduce API load +- consider retaining OSS Index cache entries longer by extending the analyzer's `validForHours` configuration setting beyond the 24-hour default + - extending cache time, will reduce credit usage at the cost of slower notification about potential new vulnerabilities +- consider reducing frequency of running OSS Index analysis on builds + - for example, you may want to disable OSS Index analysis on local dev or per-commit/merge CI builds, and enable only for a daily or weekly scheduled build
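Review bot: In the README hunk, the final added paragraph has a misplaced semicolon: `migration to Sonatype Guide; whose commercial/usage model has changed` is a relative clause and should read `migration to Sonatype Guide, whose commercial/usage model has changed`. The same hunk spells the project two ways (`Dependency Check will **automatically disable the OSS Index analyzer**` versus `you must configure Dependency-Check`); use the hyphenated form consistently. Minor: `legacy OSS Index API keys/tokens` in the first paragraph could be aligned with the analyzer documentation's wording (`legacy OSS Index API token`) so the two pages call the credential the same thing.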
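Review bot: In the first oss-index-analyzer.md hunk, the bullet `upgrade to Dependency-Check `12.2.2`+ (if using defaults)` raises the minimum version from the previously documented `12.2.1`; please confirm in the PR description that the default base URL change really ships in 12.2.2, since users who already upgraded to 12.2.1 on the strength of the old text will otherwise be told they are covered when they are not. Removing the cache/restore bullet from the migration steps is reasonable now that it lives in the new credit-usage section, but a one-line pointer from this step list to that section would keep readers who only follow the migration checklist from missing the cache advice.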
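Review bot: In the new `Managing Sonatype Guide credit usage` section, two punctuation fixes: `on free accounts; and effectively charges per component report` should use a comma rather than a semicolon, and `extending cache time, will reduce credit usage` has a stray comma between subject and verb. On content, the `validForHours` bullet names the setting but not where it is set; since the README hunk already sends readers to the CLI, Maven, Gradle and Ant pages for credentials, link to the matching configuration page (or name the property for each integration) so the reader does not have to search for it. It would also help to state that the cached OSS Index entries only reduce credit usage when the data directory actually persists between runs, which is the reason the cache/restore link is there.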