With using a private Nuget Feed (Azure DevOps) we get an 401 Unauthorized error

[thomashauser]

We use create the BOM file of our .NET projects by using cyclonedx-dotnet. Because of we publish now private nuget packages to our own feed, we changed the nuget.config to use the custom feed

docker run --rm -v c:\source\repos\symbio-base:/home/docker/data/ cyclonedx/cyclonedx-dotnet /home/docker/data/Symbio.Base.sln -o /home/docker/data/src/bom/dotnet/ -dgl -us test -usp MY_AUTH_TOKEN

MY_AUTH_TOKEN is a token from me (project collection admin) and has full access. Only to be sure, that is not an authentication problem. In the Azure DevOps pipeline by using $(System.AccessToken) its not running, too. But we use this connection already for the build stage, there the nuget restore is working.

error NU1301: Unable to load the service index for source https://pkgs.dev.azure.com/COMPANY/_packaging/FEEDNAME/nuget/v3/index.json.
/usr/share/dotnet/sdk/8.0.100/NuGet.targets(156,5): error : Unable to load the service index for source https://pkgs.dev.azure.com/COMPANY/_packaging/FEEDNAME/nuget/v3/index.json. 
error :   Response status code does not indicate success: 401 (Unauthorized). 

[mtsfoni]

I have no answer for you offhand without reproducing some parts of the setup.

As a workaround, you could try to first add the feed to nugget via dotnet nuget add, and then call cycloneDX without us/usp.
This might help further diagnosing where the issue stems from.

[mtsfoni]

docker run --rm -v c:\source\repos\symbio-base:/home/docker/data/ cyclonedx/cyclonedx-dotnet /home/docker/data/Symbio.Base.sln -o /home/docker/data/src/bom/dotnet/ -dgl -us test -usp MY_AUTH_TOKEN

I realize there is no -u parameter.
The username and password are only used if there is a value for -u set

https://github.com/CycloneDX/cyclonedx-dotnet/blob/master/CycloneDX/Models/NugetInputModel.cs#L22C6-L36C10

Something like this should work (not sure about the exact path -u needs):
docker run --rm -v c:\source\repos\symbio-base:/home/docker/data/ cyclonedx/cyclonedx-dotnet /home/docker/data/Symbio.Base.sln -o /home/docker/data/src/bom/dotnet/ -dgl -u https://pkgs.dev.azure.com/COMPANY/_packaging/FEEDNAME/nuget/v3/ -us test -usp MY_AUTH_TOKEN

A short feedback if your issue is solved is welcome.

[thomashauser]

We also tried using the "-u" parameter, but without success. The following fix solves our problem for the time being, even if it is not necessarily the best solution:

Write-Host "Run cyclonedx-dotnet"
dotnet nuget add source https://pkgs.dev.azure.com/COMPANY/_packaging/FEEDNAME/nuget/v3/index.json -n XX --configfile .${{ parameters.solutionRoot }}/nuget.config -p $env:PAT -u test --store-password-in-clear-text --valid-authentication-types basic,negotiate
dotnet nuget update source XX -s https://pkgs.dev.azure.com/COMPANY/_packaging/FEEDNAME/nuget/v3/index.json --configfile .${{ parameters.solutionRoot }}/nuget.config -p $env:PAT -u test --store-password-in-clear-text --valid-authentication-types basic,negotiate
New-Item -Path ./src/bom -ItemType Directory -Force
$process = Start-Process `
  -FilePath docker `
  -ArgumentList "run --rm -v $(Get-Location | select -ExpandProperty Path)${{ parameters.solutionRoot }}:/home/docker/data${{ parameters.solutionRoot }} cyclonedx/cyclonedx-dotnet /home/docker/data${{ parameters.solutionRoot }}/${{ parameters.solutionName }} -o /home/docker/data/src/bom/dotnet/ -dgl" `
  -NoNewWindow `
  -Wait
Write-Host "DONE with return code $($process.ExitCode)"

[mtsfoni]

I tried to generate a NuGet-Apikey in Nexus Repository and connect with it. I also got a status 401 then.

I found this issue at NuGet, explaining they don't use the apikeys for authentication when reading data:
NuGet/Home#4049 (comment)

That could be the issue here. We just use those NuGet packages.