
Sonatype OSS Index

What is SOI?

SOI stands for 'Sonatype OSS Index'. It is a tool developed by Uleska that performs software composition analysis against a code repository to find vulnerable third-party libraries.

The SOI tool works by taking your source code and running it through a tool called ORT (https://oss-review-toolkit.org/) to produce an SBOM (https://owasp.org/www-community/Component_Analysis#Software_Bill-of-Materials_.28SBOM.29). It then uses this SBOM to list the dependencies of the software and checks each of them against the Sonatype OSS Index (https://ossindex.sonatype.org/) list of known issues.

Security Stage: SCA (Software Composition Analysis)
Type: OpenSource
Site: None - created by Uleska


Pre-requisite

1. You'll need a Git address to scan.

How do I set it up?

Using the SOI tool involves three steps:

  1. A one-time setup step to obtain access to the Sonatype OSS Index.
  2. A one-time configuration of a connection in Uleska for your Sonatype OSS Index account.
  3. Adding the tool to your toolkit.

One-time setup step to access the Sonatype Index

  • To use this tool you will need a free account on the Sonatype OSS Index with an API token. If you or your organization already have one, log on to https://ossindex.sonatype.org/ and obtain an API token.
    • Once logged in to the Sonatype OSS Index, click on your user settings (beside 'Sign Out').
    • Scroll down to the API Token section and record your current API token, or generate a new one.
    • Record this token for use later.

One-time configuration of a connection in Uleska for your Sonatype Index account

Now that you have an account and API token details, let's get the Uleska Platform to talk to it.

  • In the Uleska Platform, click on the Configuration menu and select the 'Connections' tab.
  • Click on 'Add Connection'.
  • From the drop-down list, select 'Generic API Connection'.
  • Add a label; you will use it to pick this connection when you configure the tool adaptor later.
  • Add the URL "https://ossindex.sonatype.org".
  • Set the 'Tenant' to the e-mail address used for your account on the Sonatype OSS Index.
  • Set the 'Access Token' to the API token you recorded.

  • Click 'Save'
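To make concrete what the adaptor does with the ORT-generated SBOM and the connection settings above, here is an added Python example (not Uleska's or Sonatype's code). It extracts package URLs from a constructed CycloneDX SBOM, batches them into OSS Index component-report requests authenticated with the 'Tenant' e-mail and 'Access Token', and reads vulnerable components out of a constructed response; the endpoint path, body shape, HTTP Basic auth and 128-coordinate batch limit are assumptions about the OSS Index v3 REST API, not details given on this page, and nothing is sent over the network.

```python
import base64
import json

# Assumed OSS Index v3 REST API details (not stated on this page): endpoint path,
# JSON body shape, HTTP Basic auth (account e-mail + API token), 128-coordinate limit.
OSSINDEX_URL = "https://ossindex.sonatype.org"
REPORT_PATH = "/api/v3/component-report"
BATCH_SIZE = 128

# Constructed CycloneDX SBOM fragment of the kind ORT emits: Maven libraries with purls,
# plus one component ORT could not resolve to a purl (skipped, never sent).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "name": "libA", "purl": "pkg:maven/example/libA@1.0.0"},
        {"type": "library", "name": "libB", "purl": "pkg:maven/example/libB@2.3.1"},
        {"type": "library", "name": "unresolved"},
    ],
})

# Constructed response in the endpoint's shape: one entry per coordinate; the id is a placeholder.
SAMPLE_REPORT = [
    {"coordinates": "pkg:maven/example/libA@1.0.0", "vulnerabilities": []},
    {"coordinates": "pkg:maven/example/libB@2.3.1",
     "vulnerabilities": [{"id": "PLACEHOLDER-ID-0001", "cvssScore": 7.5}]},
]

def sbom_purls(sbom_json):
    """Return the unique package URLs listed in a CycloneDX JSON SBOM, in order."""
    purls = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if purl and purl not in purls:
            purls.append(purl)
    return purls

def build_requests(purls, email, token):
    """One (method, url, headers, json_body) per batch of at most BATCH_SIZE purls.
    email/token are the connection's 'Tenant' and 'Access Token' from the steps above."""
    creds = base64.b64encode(f"{email}:{token}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}", "Content-Type": "application/json"}
    return [("POST", OSSINDEX_URL + REPORT_PATH, headers,
             {"coordinates": purls[i:i + BATCH_SIZE]})
            for i in range(0, len(purls), BATCH_SIZE)]

def vulnerable_components(report):
    """Map each coordinate that came back with findings to its vulnerability ids."""
    return {c["coordinates"]: [v["id"] for v in c["vulnerabilities"]]
            for c in report if c.get("vulnerabilities")}
```

Each request tuple maps onto the connection fields: the URL is the connection URL plus the report path, and the Basic credentials are the 'Tenant' and 'Access Token'. The 'Timeout' and 'Max Retries' settings described below would wrap the sending of each batch.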

Adding the tool to your toolkit

Add the SOI tool to your set of security tests. You will add this testing tool to a version (security stage) that is set up to run static code analysis tests.

  • Click on the application you wish to add the tool for, and edit the version (stage) configuration.

  • Ensure that the version's 'Git Address' is set to the Git URL of the repo being tested (either through the Uleska UI, or via the CLI/API). This will include the branch and auth details needed.

  • Go to the 'Test Tools' tab and click 'Add Tool' for the 'SOI' tool.

  • Click on the blue cog to set the connection and retry settings for the SOI adaptor.
    • Set the 'Connection name' to the connection you added before.
    • Set the 'Timeout' to the time, in minutes, that the SOI adaptor will wait to retrieve all dependency vulnerability information from the Sonatype OSS Index (essentially an HTTP timeout).
    • Set the 'Max Retries' to the number of times the SOI adaptor will retry its attempts to retrieve dependency vulnerability information from the Sonatype OSS Index.
  • Click 'Save'.

Now any time you click 'Test Now' for that application stage of testing, or make a request over the Uleska API or CLI for that stage, the 'SOI' tool will be included in the test run and any results added to your vulnerabilities list.

Notes

None.