Integrate Sonatype OSS Index in CI/CD


What is SOI?

SOI stands for 'Sonatype OSS Index' and is a tool developed by Uleska to perform Software Composition Analysis (SCA) against a code repository to find vulnerable third-party libraries.

The SOI tool works by taking your source code and running it through ORT (the OSS Review Toolkit) to produce an SBOM (Software Bill of Materials). SOI then uses this SBOM to list the dependencies of the software and checks each of them against the Sonatype OSS Index list of known issues.
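The check described above, as an added example in Python (not Uleska's SOI adaptor code and not part of ORT): it takes a constructed CycloneDX SBOM fragment of the kind ORT's CycloneDX reporter emits, de-duplicates the package URLs, batches them, and queries the Sonatype OSS Index component-report API, flattening the response into findings at or above a CVSS threshold. The endpoint URL, the 128-coordinate batch limit and HTTP Basic authentication with account e-mail plus API token are taken from Sonatype's public v3 API documentation rather than from this page and should be treated as assumptions; the sample SBOM and report are constructed, with placeholder vulnerability identifiers, not real OSS Index output. The timeout and retry loop mirror the adaptor's Timeout and Max Retries settings described later on this page.

```python
"""Check a CycloneDX SBOM against Sonatype OSS Index (added example, not SOI code)."""
import json
import os
import time
from base64 import b64encode
from urllib import error, request

# Assumed from Sonatype's public v3 API docs, not from this page.
OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
BATCH_SIZE = 128  # assumed per-request coordinate limit

# Constructed CycloneDX JSON fragment, shaped like ORT's CycloneDX reporter output.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.commons", "name": "commons-collections4", "version": "4.0",
         "purl": "pkg:maven/org.apache.commons/commons-collections4@4.0"},
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},  # duplicate
    ],
}

# Constructed response in the shape of a component-report; identifiers are placeholders.
SAMPLE_REPORT = [
    {"coordinates": "pkg:maven/org.apache.commons/commons-collections4@4.0",
     "vulnerabilities": [{"id": "CONSTRUCTED-0001", "title": "placeholder", "cvssScore": 9.8}]},
    {"coordinates": "pkg:npm/lodash@4.17.20",
     "vulnerabilities": [{"id": "CONSTRUCTED-0002", "title": "placeholder", "cvssScore": 7.2},
                         {"id": "CONSTRUCTED-0003", "title": "placeholder", "cvssScore": 5.3}]},
    {"coordinates": "pkg:pypi/requests@2.31.0", "vulnerabilities": []},
]


def purls_from_sbom(sbom):
    """Return the distinct package URLs (OSS Index 'coordinates') in an SBOM, in order."""
    coords = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if purl and purl not in coords:
            coords.append(purl)
    return coords


def batches(coords, size=BATCH_SIZE):
    """Split coordinates into request-sized chunks."""
    return [coords[i:i + size] for i in range(0, len(coords), size)]


def auth_header(email, token):
    """HTTP Basic auth: username is the account e-mail, password is the API token."""
    cred = b64encode(f"{email}:{token}".encode()).decode()
    return {"Authorization": f"Basic {cred}"}


def query_ossindex(coords, email, token, timeout_minutes=2, max_retries=3):
    """POST one batch; timeout and retries mirror the adaptor's Timeout / Max Retries."""
    body = json.dumps({"coordinates": coords}).encode()
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               **auth_header(email, token)}
    req = request.Request(OSSINDEX_URL, data=body, headers=headers, method="POST")
    for attempt in range(max_retries + 1):
        try:
            with request.urlopen(req, timeout=timeout_minutes * 60) as resp:
                return json.load(resp)
        except error.HTTPError as exc:
            # Auth failures and bad requests will not improve on retry; 429 and 5xx may.
            if (exc.code != 429 and exc.code < 500) or attempt == max_retries:
                raise
        except (error.URLError, TimeoutError):
            if attempt == max_retries:
                raise
        time.sleep(2 ** attempt)  # back off before the next attempt


def findings_from_report(report, min_cvss=0.0):
    """Flatten a component-report into (coordinates, id, cvssScore), highest score first."""
    findings = []
    for comp in report:
        for vuln in comp.get("vulnerabilities", []):
            score = float(vuln.get("cvssScore") or 0.0)
            if score >= min_cvss:
                findings.append((comp["coordinates"], vuln.get("id"), score))
    return sorted(findings, key=lambda f: f[2], reverse=True)


def scan(sbom, email, token, min_cvss=7.0, query=query_ossindex):
    """SBOM -> coordinates -> batched lookups -> findings at or above min_cvss.
    `query` is injectable so the pipeline can be exercised offline against SAMPLE_REPORT."""
    findings = []
    for batch in batches(purls_from_sbom(sbom)):
        findings.extend(findings_from_report(query(batch, email, token), min_cvss))
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    email, token = os.environ.get("OSSINDEX_EMAIL"), os.environ.get("OSSINDEX_TOKEN")
    # Without credentials, run the offline path against the constructed report.
    lookup = query_ossindex if email and token else (lambda c, e, t: SAMPLE_REPORT)
    for coords, vuln_id, score in scan(SAMPLE_SBOM, email, token, query=lookup):
        print(f"{score:>4}  {vuln_id}  {coords}")
```

Run it with `OSSINDEX_EMAIL` and `OSSINDEX_TOKEN` set to query the live index, or without them to exercise the parsing path offline. Keeping the token in the environment (or, in Uleska, in the Connection) rather than in the repository is the point of the separate connection step below.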

  • Security Stage: SCA (Software Composition Analysis)
  • Type: Open Source
  • Site: None (created by Uleska)



Note: You'll need a Git address to scan.

How do I set it up with Uleska?

Using the SOI tool involves three steps:

  1. A one-time setup step to access the Sonatype OSS Index.
  2. A one-time configuration of a connection in Uleska for your Sonatype OSS Index account.
  3. Adding the tool to your toolkit.

One-time setup step to access the Sonatype Index

  • To use this tool you will need a free account on Sonatype OSS Index with an API token. If you or your organization already have one, log on and obtain an API token:
    • Once logged into the Sonatype OSS Index, click on your user settings (beside 'Sign Out').
    • Scroll down to the API Token section and record your current API token, or generate a new one.
    • Record this token for use later. Treat it as a credential: keep it in the Uleska connection rather than in the repository being scanned.

One-time configuration of a connection in Uleska for your Sonatype Index account

Now that you have an account and API token details, let's get the Uleska Platform to talk to it.

  • In the Uleska Platform, click on the Configuration menu and select the 'Connections' tab
  • Click on 'Add Connection'
  • From the drop down list, select 'Generic API Connection'
  • Add a label; you will use it to select this connection when configuring the tool adaptor later.
  • Add the URL ""
  • Set the 'Tenant' to the e-mail address used for your account on Sonatype OSS Index.
  • Set the 'Access Token' to the API token you recorded.


  • Click 'Save'

Adding the tool to your toolkit

Add the SOI tool to your set of security tests. You will add this testing tool to a version (security stage) that is set up to run source-code tests, since SOI needs a Git address to fetch the repository it analyses.

  • Click on the application you wish to add the tool for, and edit the version (stage) configuration.
  • Ensure that the version's 'Git Address' is set to the Git URL of the repo being tested (either through the Uleska UI, or via the CLI/API). This will include the branch and auth details needed. The adaptor only needs to clone, so use a read-only credential scoped to this repository rather than a personal account token.


  • Click 'Save'

  • Create a new Toolkit (or edit an existing one) by following the Creating a Toolkit guide and selecting 'Sonatype OSS Index' as a tool.


  • Click on the blue cog to set the connection and retry settings for the SOI adaptor.
    • Set the 'Connection name' to the connection you added before.
    • Set the 'Timeout' to the time, in minutes, the SOI adaptor will wait to retrieve all dependency vulnerability information from the Sonatype OSS Index (essentially an HTTP timeout).
    • Set the 'Max Retries' to the number of times the SOI adaptor will retry retrieving dependency vulnerability information from the Sonatype OSS Index after a failed or timed-out request.
  • Click Save.

Now any time you click 'Test Now' with this Toolkit, or make a request over the Uleska API or CLI with this Toolkit, the SOI tool will be included in the test run and any results added to your vulnerabilities list.