oss-review-toolkit / ort

A suite of tools to automate software compliance checks.
https://oss-review-toolkit.org
Apache License 2.0

Integrate with Sonatype OSS Index for vulnerability reporting #718

Closed sschuberth closed 3 years ago

sschuberth commented 6 years ago

See https://ossindex.sonatype.org/ and related resources:

sschuberth commented 4 years ago

Somewhat depends on https://github.com/sonatype/ossindex-public/issues/7 and https://github.com/sonatype/ossindex-public/pull/6.

sschuberth commented 4 years ago

FYI, Tidelift now also integrates with Sonatype OSS Index.

sschuberth commented 3 years ago

Also see https://github.com/dotanuki-labs/gradle-bodyguard.

sschuberth commented 3 years ago

There might be some issues with their terms of use that could prevent us from integration:

you may access and use the Materials solely for your internal use.

you may not [...] Analyze or use the Offering in any way that is or may be competitive with Company.

you may not [...] incorporate any portion of the Offering into any product or service [...]

you may not [...] Systematically download and store any or all of the Offering’s content.

you may not [use a] retrieval application or other manual or automatic device to retrieve, index, “scrape,” “data mine” or otherwise gather the Offering’s content [...]

woznik commented 3 years ago

There are tools such as Dependency Check, Track, MixeWay, Steady (formerly Vulas) which build a list of vulnerabilities with a possibility to access the OSS Index Sonatype DB for a free user's account. How do they cope with these constraints?

sschuberth commented 3 years ago

How do they cope with these constraints?

That you'd need to ask the makers of those tools 😉 My guess is that they only provide the integration, but do not use it themselves, or they have a custom deal. Of course ORT could do the same, but currently I do not feel like implementing something that we would not be able to use. And I also do not feel like encouraging our users to use a service that sounds free on the outside, but turns out to be unusable freely when looking at the inside.

sschuberth commented 3 years ago

I just learned that all data available through OSS Index is 30 days delayed. Also taking into account the limitations mentioned above, I don't believe it's meaningful for any production system to integrate with OSS Index, so I'm closing this.

brianf commented 3 years ago

The understanding that everything is 30 days delayed is not correct. But either way, NexusIQ is a commercial tool, so if it makes sense for people to use that as an advisor given its data has even more commercial restrictions, why wouldn't OSSIndex make sense? A few of our PMs have reached out separately to discuss already, so perhaps we can close that loop there.

sschuberth commented 3 years ago

The understanding that everything is 30 days delayed is not correct.

Interesting, as that statement was more or less a quote of what one of your account executives told us this week 😉

why wouldn't OSSIndex make sense?

Please see above:

you may access and use the Materials solely for your internal use.

... which means, if we'd e.g. want to demonstrate at a conference, like FOSDEM, how an ORT Advisor report based on OSS Index data would look, that would not be possible.

you may not [...] Analyze or use the Offering in any way that is or may be competitive with Company.

... which means you may not use OSS Index data to evaluate its quality against other (commercial) providers.

you may not [...] incorporate any portion of the Offering into any product or service [...]

... which could mean that an integration into ORT is not desired / possible.

you may not [...] Systematically download and store any or all of the Offering’s content.

... which means you're not allowed to cache OSS Index data e.g. for performance reasons.

you may not [use a] retrieval application or other manual or automatic device to retrieve, index, “scrape,” “data mine” or otherwise gather the Offering’s content [...]

... which means integration into projects like VulnerableCode is not possible, as they mirror all the data (also see @pombredanne's comment here).

A few of our PMs have reached out separately to discuss already, so perhaps we can close that loop there.

Yes, I'll happily discuss the matter with them next week in the hope to find a solution.

sschuberth commented 3 years ago

Reopening this as a PR has meanwhile been started by Sonatype to integrate with OSS Index.

sschuberth commented 3 years ago

Maybe it makes sense to wait a bit more and make the integration work with Sonatype Lift right away.

sschuberth commented 3 years ago

FYI, ORT is now also officially listed at https://ossindex.sonatype.org/integrations.