feat: Allow configuring OSS Index user/pw directly (#7640)

Author: marcelstoer

maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -765,13 +765,34 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     private String ossindexAnalyzerUrl;
 
     /**
-     * The id of a server defined in the settings.xml that configures the
-     * credentials (username and password) for a OSS Index service.
+     * The id of a server defined in the settings.xml to authenticate Sonatype
+     * OSS Index requests and profit from higher rate limits. Provide the OSS
+     * account email address as username and password or API token as password.
      */
     @SuppressWarnings("CanBeFinal")
     @Parameter(property = "ossIndexServerId")
     private String ossIndexServerId;
 
+    /**
+     * OSS account email address as an alternative to the indirection through
+     * the ossIndexServerId (see above). Both ossIndexUsername and
+     * ossIndexPassword must be set to use this approach instead of the server
+     * ID.
+     */
+    @SuppressWarnings("CanBeFinal")
+    @Parameter(property = "ossIndexUsername")
+    private String ossIndexUsername;
+
+    /**
+     * OSS password or API token as an alternative to the indirection through
+     * the ossIndexServerId (see above). Both ossIndexUsername and
+     * ossIndexPassword must be set to use this approach instead of the server
+     * ID.
+     */
+    @SuppressWarnings("CanBeFinal")
+    @Parameter(property = "ossIndexPassword")
+    private String ossIndexPassword;
+
     /**
      * Whether we should only warn about Sonatype OSS Index remote errors
      * instead of failing the goal completely.
@@ -2427,7 +2448,12 @@ protected void populateSettings() throws MojoFailureException, MojoExecutionExce
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_RESOLVED_ENABLED, swiftPackageResolvedAnalyzerEnabled);
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_ENABLED, ossindexAnalyzerEnabled);
         settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_URL, ossindexAnalyzerUrl);
-        configureServerCredentials(ossIndexServerId, Settings.KEYS.ANALYZER_OSSINDEX_USER, Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD);
+        if (StringUtils.isEmpty(ossIndexUsername) || StringUtils.isEmpty(ossIndexPassword)) {
+            configureServerCredentials(ossIndexServerId, Settings.KEYS.ANALYZER_OSSINDEX_USER, Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD);
+        } else {
+            settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_USER, ossIndexUsername);
+            settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_OSSINDEX_PASSWORD, ossIndexPassword);
+        }
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_USE_CACHE, ossindexAnalyzerUseCache);
         settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OSSINDEX_WARN_ONLY_ON_REMOTE_ERRORS, ossIndexWarnOnlyOnRemoteErrors);
         if (retirejs != null) {
@@ -2517,8 +2543,8 @@ protected void populateSettings() throws MojoFailureException, MojoExecutionExce
      * <p>
      * When a serverId is given, then its values are used instead of the less secure direct values.<br />
      * A serverId with username/password will fill the `userKey` and `passwordKey` settings for Basic Auth. A serverId with only password
-     * filled will fill the `tokenKey` fro Bearer Auth.<br/>
-     * In absence of the serverId any non-null value will be transferred to the settings.
+     * filled will fill the `tokenKey` from Bearer Auth.<br/>
+     * In absence of the serverId, any non-null value will be transferred to the settings.
      *
      * @param serverId      The serverId specified for the connection or {@code null}
      * @param usernameValue The username specified for the connection or {@code null}

maven/src/site/markdown/configuration.md

@@ -64,6 +64,8 @@ knownExploitedUrl                   | Sets URL to the CISA Known Exploited Vulne
 ossindexAnalyzerEnabled             | Sets whether the [OSS Index Analyzer](../analyzers/oss-index-analyzer.html) will be enabled. This analyzer requires an internet connection.         | true
 ossindexAnalyzerUseCache            | Sets whether the OSS Index Analyzer will cache results. Cached results expire after 24 hours.                                                       | true
 ossIndexServerId                    | The id of [a server](https://maven.apache.org/settings.html#Servers) defined in the `settings.xml` to authenticate Sonatype OSS Index requests and profit from higher rate limits. Provide the OSS account email address as `username` and password or API token as `password`. |  
+ossIndexUsername                    | OSS account email address as an alternative to the indirection through the `ossIndexServerId` (see above). Both `ossIndexUsername` and `ossIndexPassword` must be set to use this approach instead of the server ID. |  
+ossIndexPassword                    | OSS password or API token as an alternative to the indirection through the `ossIndexServerId` (see above). Both `ossIndexUsername` and `ossIndexPassword` must be set to use this approach instead of the server ID. |  
 ossindexAnalyzerUrl                 | The OSS Index server URL | https://ossindex.sonatype.org
 ossIndexWarnOnlyOnRemoteErrors      | Sets whether remote errors from the OSS Index (e.g. BAD GATEWAY, RATE LIMIT EXCEEDED) will result in warnings only instead of failing execution.    | false
 nexusAnalyzerEnabled                | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true