jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Authenticate with Google cloud storage bucket #6826

Open ankurga opened 1 month ago

ankurga commented 1 month ago

Hello,

I have downloaded the NVD data using vulnz and put it on a Google Cloud Storage bucket at this location:

https://storage.googleapis.com/mydummybucket/nvd-cache

Then I am trying to use this bucket URL for the Maven command like this:

mvn org.owasp:dependency-check-maven:check -DnvdDatafeedUrl=https://storage.googleapis.com/mydummybucket/nvd-cache

Now, if I keep the bucket open for public access, it's fine and Maven is able to download the data from the bucket, but if I make the bucket private and try to use it via a service account key, I don't know how to do it.

I am able to download the data using gcloud commands after making the bucket private and using the service account key, but of course mvn is not able to use the same mechanism as gcloud for authentication.

I tried to find some option here but couldn't find any.

Can someone please help me with what would be the best way to achieve this?

lbillinghamwrk commented 1 month ago

AIUI GCloud buckets are accessible with Bearer tokens (GCP docs).

e.g. curl -H "Authorization: Bearer ${GCLOUD_TOKEN}" https://storage.googleapis.com/some/storage/path works.

However, the NVD auth available in DependencyCheck is Basic auth akin to curl -H "Authorization: Basic ${GCLOUD_TOKEN}" https://storage.googleapis.com/some/storage/path. This doesn't work with a GCP bucket.

[edit] If I'm thinking along the right lines, this relates to https://github.com/jeremylong/DependencyCheck/issues/5783 [edit] (I'm not sure that I have enough Java knowledge to spin up a PR)

So maybe it is possible to add a public void addTokenAuthentication(...) in URLConnectionFactory.java and consume that method in HttpResourceConnection::obtainConnection in HttpResourceConnection.java.

I've no idea what modifications to

            if (userKey != null && passwordKey != null) {
                connFactory.addBasicAuthentication(conn, userKey, passwordKey);
            }

we might need.

Adding tokenKey and doing all the bookkeeping checks between tokenKey, userKey and passwordKey sounds fiddly.
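As an added sketch from the editor, not DependencyCheck's code and not a PR: the two Authorization header shapes this comment contrasts, plus one way to resolve the tokenKey/userKey/passwordKey bookkeeping it calls fiddly. The class and method names (AuthHeaderSketch, chooseAuthorization, a Bearer counterpart to addBasicAuthentication) are illustrative, and the token value is a placeholder.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Hypothetical sketch; not DependencyCheck's URLConnectionFactory. */
public final class AuthHeaderSketch {

    /** Same shape as Basic auth: the header carries base64("user:password"). */
    public static String basicHeaderValue(String user, String password) {
        String raw = user + ":" + password;
        return "Basic " + Base64.getEncoder()
                .encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /** Hypothetical addTokenAuthentication counterpart: the OAuth2 access token is sent verbatim. */
    public static String bearerHeaderValue(String token) {
        return "Bearer " + token;
    }

    /**
     * The bookkeeping between tokenKey, userKey and passwordKey in one place:
     * a token is sent as Bearer, a complete user/password pair as Basic, and a
     * partial or mixed configuration is rejected instead of sending a half-built
     * header. Returns null when nothing is configured (anonymous download).
     */
    public static String chooseAuthorization(String tokenKey, String userKey, String passwordKey) {
        boolean hasToken = tokenKey != null && !tokenKey.isEmpty();
        boolean hasUser = userKey != null;
        boolean hasPassword = passwordKey != null;
        if (hasToken && (hasUser || hasPassword)) {
            throw new IllegalArgumentException("configure a token or user/password, not both");
        }
        if (hasToken) {
            return bearerHeaderValue(tokenKey);
        }
        if (hasUser && hasPassword) {
            return basicHeaderValue(userKey, passwordKey);
        }
        if (hasUser || hasPassword) {
            throw new IllegalArgumentException("user and password must both be set for Basic auth");
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed values: a placeholder standing in for a token from `gcloud auth print-access-token`.
        System.out.println(chooseAuthorization("PLACEHOLDER_ACCESS_TOKEN", null, null));
        System.out.println(chooseAuthorization(null, "nvd-user", "nvd-pass"));
        System.out.println(chooseAuthorization(null, null, null));
    }
}
```

The first line printed is the header shape a private GCS bucket accepts; the second is the only shape the current NVD auth option can produce, which is why a bearer token passed through it is rejected.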