Fix Sonatype OSS Index Errors for OWASP Maven Plugin

Last Updated: October 3, 2025 | Published: October 3, 2025

In our projects, we often rely on the OWASP Dependency-Check Maven Plugin to scan for vulnerabilities in dependencies. This tool helps us catch vulnerable packages early, allowing us to update them and keep our software secure. As one of our top three must-have Maven plugins, it’s essential for maintaining a robust development pipeline.

However, we’ve recently encountered this authentication error:

This issue stems from a recent change by Sonatype OSS Index to how its vulnerability data is accessed.

Let’s break it down.

What Happened?

The OWASP Dependency-Check Maven Plugin sources data on Common Vulnerabilities and Exposures (CVEs) by querying the APIs of vulnerability databases:

  • Primary source: The National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST), which provides a comprehensive repository of known vulnerabilities.
  • Supplementary sources: Including Sonatype OSS Index, which offers additional insights into open-source components.

As of September 2025, Sonatype OSS Index requires authentication for all API access to prevent abuse and ensure data integrity. This results in builds failing with messages indicating that anonymous requests are no longer allowed.

For more details, refer to the official documentation at Sonatype’s site.

Configuring the OSS Index for OWASP Dependency-Check Maven Plugin

To resolve this, obtain an API key by registering for a free account at Sonatype OSS Index. Confirm your email, sign in at the login page, and copy the API key from your settings.

To avoid tying the key to an individual, you might want to use your team’s distribution list for the account creation. This way, every team member can request and rotate keys.

Next, use version 12.x or higher of the OWASP Dependency-Check Maven Plugin (e.g., 12.1.6).

What’s left is to update your Maven configuration to supply the credentials, using environment variables so that the key is never committed to source control.

Set the username and API key as environment variables on your CI server.

Alternative: Disabling the OSS Index

If configuring authentication isn’t immediately feasible, we can temporarily disable the OSS Index as a data source:

However, we should note that this limits us to only the NVD data source.

Given that OSS Index only requires a free account and provides valuable supplementary vulnerability data, we strongly recommend taking the time to configure authentication for a more secure and comprehensive analysis.

Tip: Configuring an NVD API Key for OWASP Dependency-Check Maven Plugin

While we’re optimizing our dependency-check configuration, there’s another important enhancement we can make. We may have noticed this warning in our build logs:

The OWASP plugin can technically run without an NVD API key, but the performance difference is substantial.

As per NIST’s guidelines, the public rate limit is 5 requests per 30-second window, but with an API key, it jumps to 50 – that’s a 10x boost, making the scans faster.

Request an NVD API key by filling out this form, providing your organization name and email address (use a shared team address, but remember that one key means a shared rate limit). After submission, you’ll get an email to finalize it.

Once obtained, add it to your configuration like so:

Store the key as an environment variable (e.g., NVD_API_KEY) on your CI server.
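As an added example (not the configuration from the original post), here is how the OSS Index credentials and the NVD API key from the two sections above can be wired together: the OSS Index username and key live in a `<server>` entry in `settings.xml` that the plugin references via `ossindexServerId`, and the NVD key is passed through `nvdApiKey`. The environment variable names `OSSINDEX_USERNAME` and `OSSINDEX_API_KEY`, the server id `ossindex`, and the `failBuildOnCVSS` threshold are assumptions chosen for illustration.

```xml
<!-- settings.xml on the CI runner (or ~/.m2/settings.xml):
     credentials are interpolated from environment variables,
     so no secret is ever written into the repository. -->
<settings>
  <servers>
    <server>
      <!-- arbitrary id; it must match <ossindexServerId> in the pom -->
      <id>ossindex</id>
      <!-- assumed variable names; set them in the CI secret store -->
      <username>${env.OSSINDEX_USERNAME}</username>
      <password>${env.OSSINDEX_API_KEY}</password>
    </server>
  </servers>
</settings>

<!-- pom.xml, inside <build><plugins> -->
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>12.1.6</version>
  <configuration>
    <!-- OSS Index: reference the <server> above instead of inlining the key -->
    <ossindexServerId>ossindex</ossindexServerId>
    <!-- NVD: the key raises the rate limit from 5 to 50 requests per 30 s -->
    <nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>
    <!-- assumed threshold: fail the build on CVSS 7.0 (High) or above -->
    <failBuildOnCVSS>7</failBuildOnCVSS>
  </configuration>
  <executions>
    <execution>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```

If `OSSINDEX_USERNAME`, `OSSINDEX_API_KEY` or `NVD_API_KEY` is unset, Maven leaves the `${env.…}` placeholder unexpanded, so a quick `echo "$NVD_API_KEY" | wc -c` in the CI job before `./mvnw dependency-check:check` is a cheap way to catch a missing secret.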

This tweak can dramatically speed up vulnerability checks, proving that a little key goes a long way in the world of API-driven security.

Avoiding Local Dependency Checks

If distributing new credentials to all developers isn’t immediately feasible, we have a couple of strategies to consider.

Option 1: CI/CD-Only Checks

We can remove the automatic execution binding from the plugin configuration, which prevents it from running during normal local builds:

With this approach:

  • Local developers run ./mvnw verify without triggering dependency checks
  • Our CI/CD pipeline runs a dedicated job with ./mvnw dependency-check:check that has the credentials configured
  • The pipeline fails if any vulnerabilities are detected, maintaining our security posture

Option 2: Profile-Based Activation

Alternatively, we can use Maven profiles to control when the dependency check runs:

Developers can then explicitly run checks when needed with ./mvnw verify -Pci, while CI/CD always uses this profile.

Wrapping Up

The transition to authenticated access for Sonatype OSS Index is a minor inconvenience but ultimately benefits the ecosystem by ensuring sustainable service availability. By taking a few minutes to set up both OSS Index and NVD API credentials, we ensure our security tooling remains fast, reliable, and comprehensive.

The investment is minimal – just two free account registrations – but the payoff is significant: faster builds, more complete vulnerability coverage, and uninterrupted security scanning for our projects.

Joyful testing,

Philip
