In our projects, we often rely on the OWASP Dependency-Check Maven Plugin to scan for vulnerabilities in dependencies. This tool helps us catch vulnerable packages early, allowing us to update them and keep our software secure. As one of our top three must-have Maven plugins, it’s essential for maintaining a robust development pipeline.
However, we’ve encountered this authentication error recently:

```text
[ERROR] AnalysisException: Failed to request component-reports
[ERROR] caused by DownloadFailedException: https://ossindex.sonatype.org/api/v3/component-report - Server status: 401 - Server reason: Unauthorized
[ERROR] caused by HttpResponseException: status code: 401, reason phrase: Unauthorized
```
This issue comes from a recent change from Sonatype OSS Index in how vulnerability data is accessed.
Let’s break it down.
What Happened?
The OWASP Dependency-Check Maven Plugin sources data on Common Vulnerabilities and Exposures (CVEs) by querying APIs from databases:
- Primary source: The National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST), which provides a comprehensive repository of known vulnerabilities.
- Supplementary sources: Including Sonatype OSS Index, which offers additional insights into open-source components.
As of September 2025, Sonatype OSS Index requires authentication for all API access to prevent abuse and ensure data integrity. This results in builds failing with messages indicating that anonymous requests are no longer allowed.
For more details, refer to the official documentation at Sonatype’s site.
Configuring the OSS Index for OWASP Dependency-Check Maven Plugin
To resolve this, obtain an API key by registering for a free account at Sonatype OSS Index. Confirm your email, sign in at the login page, and copy the API key from your settings.
To avoid personal API keys, you might want to use your team’s distribution list for the account creation. This way, every team member can request and update new keys.
Next, use OWASP Dependency-Check Maven Plugin version 12.x or higher (e.g., 12.1.6).
What’s left is to update your Maven configuration to include the credentials via environment variables for security.
```xml
<configuration>
    <ossIndexUsername>${env.OSS_INDEX_USERNAME}</ossIndexUsername> <!-- the account's email -->
    <ossIndexPassword>${env.OSS_INDEX_PASSWORD}</ossIndexPassword>
</configuration>
```
Set the username and API key as environment variables on your CI server.
Alternative: Disabling the OSS Index
If configuring authentication isn’t immediately feasible, we can temporarily disable the OSS Index as a data source:
```xml
<configuration>
    <ossindexAnalyzerEnabled>false</ossindexAnalyzerEnabled>
</configuration>
```
However, we should note that this limits us to only the NVD data source.
Given that OSS Index only requires a free account and provides valuable supplementary vulnerability data, we strongly recommend taking the time to configure authentication for a more secure and comprehensive analysis.
Tip: Configuring an NVD API Key for OWASP Dependency-Check Maven Plugin
While we’re optimizing our dependency-check configuration, there’s another important enhancement we can make. We may have noticed this warning in our build logs:
```text
[WARNING] An NVD API Key was not provided - it is highly recommended to use an NVD API key as the update can take a VERY long time without an API Key
```
The OWASP plugin can technically run without an NVD API key, but the performance difference is substantial.
As per NIST’s guidelines, the public rate limit is 5 requests per 30-second window, but with an API key, it jumps to 50 – that’s a 10x boost, making the scans faster.
Request an NVD API key by filling out this form, providing your organization name and an email address (use a shared team address, but remember: one key means shared rate limits). After submission, you’ll get an email to finalize it.
Once obtained, add it to your configuration like so:
```xml
<configuration>
    <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
</configuration>
```
Store the key as an environment variable (e.g., NVD_API_KEY) on your CI server.
This tweak can dramatically speed up vulnerability checks, proving that a little key goes a long way in the world of API-driven security.
Avoiding Local Dependency Checks
If distributing new credentials to all developers isn’t immediately feasible, we have a couple of strategies to consider.
Option 1: CI/CD-Only Checks
We can remove the automatic execution binding from the plugin configuration, which prevents it from running during normal local builds:
```xml
<plugin>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-maven</artifactId>
    <version>12.1.6</version>
    <configuration>
        <ossIndexUsername>${env.OSS_INDEX_USERNAME}</ossIndexUsername>
        <ossIndexPassword>${env.OSS_INDEX_PASSWORD}</ossIndexPassword>
        <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
    </configuration>
    <!-- No executions section means it won't run automatically -->
</plugin>
```
With this approach:
- Local developers run `./mvnw verify` without triggering dependency checks
- Our CI/CD pipeline runs a dedicated job with `./mvnw dependency-check:check` that has the credentials configured
- The pipeline fails if any vulnerabilities are detected, maintaining our security posture
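A small wrapper for that dedicated CI job, added here as an example (it is not from the original post or from the Dependency-Check project): it refuses to start the scan when any of the three credential variables is empty, so the job fails with a readable message instead of the 401 shown above, and after a failed scan it names the cause from the two log signatures this post shows. It assumes the pom.xml uses the `${env.…}` placeholders above and that `./mvnw` is in the checkout; `run_dependency_check` is a hypothetical entry point name.

```shell
#!/bin/sh
# Hypothetical CI wrapper for the dedicated dependency-check job (added example).
# Assumes pom.xml reads ${env.OSS_INDEX_USERNAME}, ${env.OSS_INDEX_PASSWORD}
# and ${env.NVD_API_KEY}, and that ./mvnw exists in the checkout.

# Report required credential variables that are unset or empty.
# Prints the missing names and returns 1; returns 0 when all are present.
check_scan_credentials() {
  missing=""
  for name in OSS_INDEX_USERNAME OSS_INDEX_PASSWORD NVD_API_KEY; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "dependency-check: missing credentials:$missing" >&2
    return 1
  fi
  return 0
}

# Classify a build log so the pipeline can name the cause of a failure:
#   auth    - OSS Index answered 401 (missing or wrong OSS Index credentials)
#   nvd-key - the run warned that no NVD API key was provided (slow, not failed)
#   other   - neither signature found
classify_scan_log() {
  if grep -q "ossindex.sonatype.org.*Server status: 401" "$1"; then
    echo auth
  elif grep -q "An NVD API Key was not provided" "$1"; then
    echo nvd-key
  else
    echo other
  fi
}

# Run the scan only when credentials are present; keep the log for triage.
# Call this from the CI job after exporting the three variables.
run_dependency_check() {
  check_scan_credentials || return 1
  ./mvnw -B dependency-check:check > dependency-check.log 2>&1
  status=$?
  if [ "$status" -ne 0 ]; then
    echo "dependency-check failed: $(classify_scan_log dependency-check.log)" >&2
  fi
  return "$status"
}
```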
Option 2: Profile-Based Activation
Alternatively, we can use Maven profiles to control when the dependency check runs:
```xml
<profiles>
    <profile>
        <id>ci</id>
        <build>
            <plugins>
                <plugin>
                    <groupId>org.owasp</groupId>
                    <artifactId>dependency-check-maven</artifactId>
                    <version>12.1.6</version>
                    <configuration>
                        <ossIndexUsername>${env.OSS_INDEX_USERNAME}</ossIndexUsername>
                        <ossIndexPassword>${env.OSS_INDEX_PASSWORD}</ossIndexPassword>
                        <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
                    </configuration>
                    <executions>
                        <execution>
                            <goals>
                                <goal>check</goal>
                            </goals>
                        </execution>
                    </executions>
                </plugin>
            </plugins>
        </build>
    </profile>
</profiles>
```
Developers can then explicitly run checks when needed with `./mvnw verify -Pci`, while CI/CD always uses this profile.
Wrapping Up
The transition to authenticated access for Sonatype OSS Index is a minor inconvenience but ultimately benefits the ecosystem by ensuring sustainable service availability. By taking a few minutes to set up both OSS Index and NVD API credentials, we ensure our security tooling remains fast, reliable, and comprehensive.
The investment is minimal – just two free account registrations – but the payoff is significant: faster builds, more complete vulnerability coverage, and uninterrupted security scanning for our projects.
Joyful testing,
Philip