From bebdfc9b59537859d77a399653e6d7a08ed836b8 Mon Sep 17 00:00:00 2001 From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> Date: Tue, 5 May 2026 17:04:54 +0800 Subject: [PATCH 1/3] docs: clarify some Sonatype Guide OSS Index suggestions Extract out the tips for managing Sonatype Guide credit usage. Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> --- .../markdown/analyzers/oss-index-analyzer.md | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/src/site/markdown/analyzers/oss-index-analyzer.md b/src/site/markdown/analyzers/oss-index-analyzer.md index 473300dbbc2..b6de189cd8e 100644 --- a/src/site/markdown/analyzers/oss-index-analyzer.md +++ b/src/site/markdown/analyzers/oss-index-analyzer.md @@ -22,9 +22,8 @@ During this migration users will need to make some minor changes. - login with OSS Index account credentials to the Sonatype Guide platform to validate your account has been migrated - migrate OSS Index analyzer base URL to Sonatype Guide platform - override Dependency-Check configuration OR - - upgrade to Dependency-Check `12.2.1`+ (if using defaults) - - review API usage within Sonatype Guide to determine whether continued free usage is possible (new API limits apply from April 28 2026 onwards) - - consider [cache/restore of Dependency-Check's data directory](../data/cacheh2.md) between runs to retain the OSS Index cache, and reduce API load + - upgrade to Dependency-Check `12.2.2`+ (if using defaults) + - review API usage within Sonatype Guide to determine whether continued free usage is possible (new API limits apply from April 28, 2026 onwards) - _Before_ December 31, 2026 - migrate to using a Sonatype Guide API token for authentication rather than the legacy OSS Index API token - For **new** users 
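Review bot: the bump from `12.2.1`+ to `12.2.2`+ in the "upgrade to Dependency-Check" bullet changes the advice readers act on, yet neither the hunk nor the commit message says why 12.2.1 no longer suffices. Since this bullet is the alternative to "override Dependency-Check configuration" for the base URL migration, state in the commit message (or in the bullet, e.g. "`12.2.2`+, the first release whose default base URL is Sonatype Guide") which release made the change, so users already on 12.2.1 know they still need the override. The cache/restore tip removed here is re-added in the new section below, so that removal is fine.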
@@ -35,3 +34,15 @@ For more details on this migration see: - [Sonatype OSS Index product page](https://www.sonatype.com/products/sonatype-guide/oss-index-users) - [Sonatype Migration timeline](https://help.sonatype.com/en/oss-index-migration-to-sonatype-guide.html) - [Using Sonatype Guide personal access tokens for OSS Index API](https://help.sonatype.com/en/using-guide-personal-access-tokens-with-oss-index-api-integrations.html) + +### Managing Sonatype Guide credit usage + +In contrast to the earlier completely free OSS Index solution, Sonatype Guide gives a limited number of credits on free +accounts; and effectively charges per component report. You can review your credit usage in your Sonatype Guide account. + +To reduce your credit usage: +- consider [cache/restore of Dependency-Check's data directory](../data/cacheh2.md) between runs to retain the OSS Index cache, and reduce API load +- consider retaining OSS Index cache entries longer by extending the analyzer's `validForHours` configuration setting beyond the 24-hour default + - extending cache time, will reduce credit usage at the cost of slower notification about potential new vulnerabilities +- consider reducing frequency of running OSS Index analysis on builds + - for example, you may want to disable OSS Index analysis on local dev or per-commit/merge CI builds, and enable only for a daily or weekly scheduled build From 993db77cfdb3c9fe575d6f08c236ff37ed2e4955 Mon Sep 17 00:00:00 2001 From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> Date: Tue, 5 May 2026 17:12:08 +0800 Subject: [PATCH 2/3] docs: clarify Sonatype Guide status in README Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> --- README.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 5ee1f49276a..ed68d4d6075 100644 --- a/README.md +++ b/README.md 
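Review bot: the new "Managing Sonatype Guide credit usage" section needs one caveat and two punctuation fixes. The bullet recommending that OSS Index analysis be disabled on local dev and per-commit/merge CI builds should say explicitly that Dependency-Check's other analyzers (including the NVD-based check mentioned at the top of the README) still run on those builds, and that the daily/weekly scheduled build then becomes the one that gates on OSS Index findings; as written it can be read as advice to drop dependency scanning from CI. It would also help to name where `validForHours` is set for each integration (CLI, Maven, Gradle, Ant) rather than only the bare key, since the README already sends readers to those integration docs for credentials. Punctuation: "on free accounts; and effectively charges per component report" wants a comma, not a semicolon, and "extending cache time, will reduce credit usage" has a stray comma before the verb.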
@@ -46,17 +46,19 @@ The NVD API has enforced rate limits. If you are using a single API KEY and multiple builds occur you could hit the rate limit and receive 403 errors. In a CI environment one must use a caching strategy. -### Sonatype OSS Index API Token Now Required for usage +### Sonatype OSS Index mandatory authentication and migration to Sonatype Guide -Since September 2025 Sonatype OSS Index started enforcing use of API tokens for authentication. In April 2026 a -subsequent migration to Sonatype Guide began. +In September 2025 Sonatype OSS Index started enforcing use of API tokens for authentication. In April 2026 a +subsequent migration to Sonatype Guide began, kicking off a transition to use of Sonatype Guide API Tokens that are +planned to replace the legacy OSS Index API keys/tokens before the end of 2026. -If you wish to use Sonatype OSS Index you must configure Dependency-Check and consider implications for migration to -Sonatype Guide. See the [analyzer documentation](https://dependency-check.github.io/DependencyCheck/analyzers/oss-index-analyzer.html) -for more information. +Without credentials, Dependency Check will **automatically disable the OSS Index analyzer**. Please see the documentation +for the cli, maven, gradle, or ant integrations on how to set the analyzer credentials for use of a Sonatype Guide token +or legacy OSS Index API key. -Without credentials, Dependency Check will **automatically disable the OSS Index analyzer**. Please see the documentation -for the cli, maven, gradle, or ant integrations on how to set the OSS Index credentials. +If you wish to use Sonatype OSS Index (via Guide) you must configure Dependency-Check and consider implications for the +migration to Sonatype Guide; whose commercial/usage model has changed. See the [analyzer documentation](https://dependency-check.github.io/DependencyCheck/analyzers/oss-index-analyzer.html) +for more information. ### Gradle build Environment 
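Review bot: in the rewritten third paragraph, "consider implications for the migration to Sonatype Guide; whose commercial/usage model has changed" uses a semicolon where a comma belongs, since the "whose" clause cannot stand on its own. The same hunk also spells the product two ways, "Dependency Check" in the "Without credentials" paragraph and "Dependency-Check" in the next one; use the hyphenated form consistently. With the paragraph order swapped so that the "automatically disable the OSS Index analyzer" warning now comes first, it reads well, but the reference to "legacy OSS Index API keys/tokens" and "legacy OSS Index API key" in the same hunk should settle on one term.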
From 62e876afd56b0ac0818c2cb81857c6220017b7f5 Mon Sep 17 00:00:00 2001 From: Chad Wilson <29788154+chadlwilson@users.noreply.github.com> Date: Mon, 11 May 2026 19:13:06 +0800 Subject: [PATCH 3/3] docs: apply capitalization suggestion from @marcelstoer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Marcel Stör --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ed68d4d6075..fd7d7160d9f 100644 --- a/README.md +++ b/README.md @@ -53,7 +53,7 @@ subsequent migration to Sonatype Guide began, kicking off a transition to use of planned to replace the legacy OSS Index API keys/tokens before the end of 2026. Without credentials, Dependency Check will **automatically disable the OSS Index analyzer**. Please see the documentation -for the cli, maven, gradle, or ant integrations on how to set the analyzer credentials for use of a Sonatype Guide token +for the CLI, Maven, Gradle, or Ant integrations on how to set the analyzer credentials for use of a Sonatype Guide token or legacy OSS Index API key. If you wish to use Sonatype OSS Index (via Guide) you must configure Dependency-Check and consider implications for the
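Review bot: the capitalization change itself is right (CLI, Maven, Gradle, Ant), but the unchanged context line directly above it still reads "Dependency Check" without the hyphen, so this pass could fix that too. Separately, the `Co-authored-by: Marcel Stör` trailer in this commit shows no `<email>` part; GitHub only credits a co-author when the trailer carries the address, so check it was not dropped before merging.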