Open ankurga opened 1 month ago
AIUI GCloud buckets are accessible with Bearer tokens (GCP docs).
e.g. curl -H "Authorization: Bearer ${GCLOUD_TOKEN}" https://storage.googleapis.com/some/storage/path works.
However, the NVD auth available in DependencyCheck is Basic auth akin to curl -H "Authorization: Basic ${GCLOUD_TOKEN}" https://storage.googleapis.com/some/storage/path. This doesn't work with a GCP bucket.
[edit] If I'm thinking along the right lines, this relates to https://github.com/jeremylong/DependencyCheck/issues/5783 [edit] (I'm not sure that I have enough Java knowledge to spin up a PR)
So maybe it is possible to add a public void addTokenAuthentication(...) in URLConnectionFactory.java and consume that method in HttpResourceConnection::obtainConnection in HttpResourceConnection.java
I've no idea what modifications to
if (userKey != null && passwordKey != null) {
    connFactory.addBasicAuthentication(conn, userKey, passwordKey);
}
we might need.
Adding tokenKey and doing all the bookkeeping checks between tokenKey, userKey, passwordKey sounds fiddly
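One way the token/user/password bookkeeping mentioned in the comment above could be handled, as an added example that is not DependencyCheck code and not part of the thread. The class `AuthHeaderExample` and its methods are hypothetical, they take already-resolved credential values rather than settings keys, and the token and user/password values are constructed.

```java
import java.net.HttpURLConnection;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Hypothetical helper: picks exactly one Authorization header from three optional values.
public class AuthHeaderExample {

    static boolean blank(String s) { return s == null || s.trim().isEmpty(); }

    // Returns the header value, or empty when no credentials are configured.
    static Optional<String> authorizationHeader(String token, String user, String password) {
        boolean hasToken = !blank(token);
        boolean hasUser = !blank(user);
        boolean hasPassword = !blank(password);
        if (hasToken && (hasUser || hasPassword)) {
            throw new IllegalArgumentException("configure a token or user/password, not both");
        }
        if (hasUser != hasPassword) {
            throw new IllegalArgumentException("Basic auth needs both user and password");
        }
        if (hasToken) {
            return Optional.of("Bearer " + token.trim());
        }
        if (hasUser) {
            byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
            return Optional.of("Basic " + Base64.getEncoder().encodeToString(raw));
        }
        return Optional.empty();
    }

    // Attaches the header only to HTTPS requests so credentials never travel in clear text.
    static void apply(HttpURLConnection conn, String token, String user, String password) {
        Optional<String> header = authorizationHeader(token, user, password);
        String scheme = conn.getURL().getProtocol();
        if (header.isPresent() && !"https".equalsIgnoreCase(scheme)) {
            throw new IllegalStateException("refusing to send credentials over " + scheme);
        }
        header.ifPresent(h -> conn.setRequestProperty("Authorization", h));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; openConnection() does not contact the server.
        URI uri = URI.create("https://storage.googleapis.com/some/storage/path");
        HttpURLConnection conn = (HttpURLConnection) uri.toURL().openConnection();
        apply(conn, "constructed-token", null, null);
        System.out.println(authorizationHeader(null, "user", "pass").get());
    }
}
```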
Hello,
I have downloaded the NVD data using vulnz and put it on a google cloud storage bucket at this location:
https://storage.googleapis.com/mydummybucket/nvd-cache
Then I am trying to use this bucket URL for a maven command like this:
Now if I keep the bucket open for public access, it's fine and maven is able to download the data from the bucket but if I make the bucket private and try to use it via a service account key, I don't know how to do it.
I am able to download the data using gcloud commands after making the bucket private and using the service account key, but of course mvn is not able to use the same mechanism as gcloud for authentication. I tried to find some option here but couldn't find any.
Can someone please help me with what would be the best way to achieve this?