-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add hostedSuppressionsAuthHeader option to provide credentials for the hosted suppression file #7268
Conversation
feat: add hostedSuppressionsAuthHeader option
refactor error messages
add javadoc for CredentialHelper
Testing with a server requiring either no authentication, a basic or a bearer auth:
|
@ftiercelin Looks like our efforts overlapped. I've implemented authentication for the hosted suppressions in the context of #5387 and never spotted #5783 otherwise I would've linked that as well. Configuration is currently possible only via dependency-check properties file (since the merge of #6949), but addition of user/password configuration options were foreseen for the various integrations in the near future (I had started work on updating (and meanwhile sanitizing) the Ant tasks to add in the missing authentication settings). Do you see a strong need for adding Bearer authentications in the mix? Currently a bit short in time, but hope to do a more in-depth review towards the end of the year or very early in the new year. Regarding the general approach, I think that (contrary to the suggestion by @jeremylong in ticket #5783) it is better to have explicit configuration for user/password (Basic) or bearer token by separate configuration properties in line with what was already there for the Artifactory Analyzer. No sense in adding logic to reverse-parse the token in order to supply the appropriate credentials to the apache HTTPClient (#7255 is pending merge which is making authentication pre-emptive to avoid the round-trip of a HTTP 401 for a known-protected server and solve the HTTP-302 based authentication flow that appears to happen in Azure DevOps) |
@aikebah thanks for the review. no point doing the same job twice. if you are planning to something similar, I have no heartburns about it, let's close this one. |
no longer required, let's first finish the httpclient5 |
@ftiercelin exposing and enabling bearer auth (and addition of configurability for the hosted suppressions in the various integrations) only needs the finishing touches of integrating it into the Downloader If you'd like to chime in feel free to take a look at https://github.com/jeremylong/DependencyCheck/tree/feat/hc5-extending-auth, it's a branch that's developed on top of the fix/httpclient5 branch that I hope to finish soon. |
Description of Change
add hostedSuppressionsAuthHeader option to provide credentials for the hosted suppression file in the form of the auth header. e.g. 'Basic dXNlcjpwYXNzd29yZA==' or 'Bearer xxxxxxxxxxxxxxxxxxxxxxxx'
Related issues
Have test cases been added to cover the new functionality?
yes: see org.owasp.dependencycheck.utils.CredentialHelperTest