Add support for private package repositories #1687

Merged

Conversation

AbdelHajou
Contributor

@AbdelHajou AbdelHajou commented Jun 5, 2022

This PR adds support for adding private package repositories that require Basic authentication. Dependency-Track users can now specify a username and password when adding an internal package repository. The username and password will then be added to the Authorization header for every request to a private package repository.

Repository passwords are encrypted using Alpine's DataEncryption module. After the user has set the password, it will only be decrypted right before making a request to a package repository. Users cannot read or edit a repository password; it can only be overwritten.

I've mainly tested this feature using a private Azure Artifacts NuGet repository. While testing, I ran into two other issues:

  1. The performVersionCheck tried to retrieve the latest version from NuGet by getting the last element in the versions array. However, Azure Artifacts does not sort this array like NuGet.org does. I changed the method to find the latest version using version comparison.
  2. The date format performLastPublishedCheck uses does not match the date format Azure Artifacts returns. I now try parsing the date with multiple formats until the correct format is found.

I was unsure how to add integration tests for this feature, since it requires setting up a private package repository specifically for these tests. Tips on how to automatically test this feature are more than welcome.

Front-end changes are in DependencyTrack/frontend#164

This PR closes #881 and duplicates of this issue:
closes #1321, closes #1618


Signed-off-by: AbdelH <Abdel.Hajou@infosupport.com>
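The three behaviours the PR description lists (a Basic Authorization header built from the stored credentials, version selection by comparison instead of array position, and timestamp parsing that tries several formats) as an added, stand-alone example in the project's language. This is not Dependency-Track's or the PR author's code: the class and method names, the sample version list, the accepted timestamp formats and the https-only guard are assumptions made for the example, and the password is assumed to have been decrypted by the caller immediately before use.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.time.LocalDateTime;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.Base64;
import java.util.List;
import java.util.Optional;
import java.util.function.Function;

// Added example (not Dependency-Track code): the behaviours described in the PR,
// written as plain static methods so they run without a real package repository.
public final class PrivateRepoExample {

    // Basic auth: "Basic " + base64(username ":" password). The caller is assumed to have
    // decrypted the stored password just before this call and to discard it afterwards.
    // Hardening added for the example: refuse to attach credentials over plain HTTP,
    // because Basic credentials are only as secret as the transport carrying them.
    static String authorizationHeader(URI repository, String username, String password) {
        if (!"https".equalsIgnoreCase(repository.getScheme())) {
            throw new IllegalArgumentException(
                    "refusing to send Basic credentials over " + repository.getScheme());
        }
        byte[] credentials = (username + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(credentials);
    }

    // Azure Artifacts does not return "versions" sorted the way NuGet.org does, so taking
    // the last element is wrong; pick the maximum under a numeric dot-segment comparison.
    static Optional<String> latestVersion(List<String> versions) {
        return versions.stream().max(PrivateRepoExample::compareVersions);
    }

    static int compareVersions(String a, String b) {
        String[] aParts = a.split("-", 2); // "2.0.0-beta1" -> ["2.0.0", "beta1"]
        String[] bParts = b.split("-", 2);
        String[] aNums = aParts[0].split("\\.");
        String[] bNums = bParts[0].split("\\.");
        for (int i = 0; i < Math.max(aNums.length, bNums.length); i++) {
            long x = i < aNums.length ? segment(aNums[i]) : 0;
            long y = i < bNums.length ? segment(bNums[i]) : 0;
            if (x != y) {
                return Long.compare(x, y); // numeric, so 1.10.0 > 1.9.3 (string order gets this wrong)
            }
        }
        // Same numeric core: a release sorts above its own pre-releases (1.2.0 > 1.2.0-beta1).
        boolean aPre = aParts.length == 2;
        boolean bPre = bParts.length == 2;
        if (aPre != bPre) {
            return aPre ? -1 : 1;
        }
        return aPre ? aParts[1].compareTo(bParts[1]) : 0;
    }

    private static long segment(String s) {
        try {
            return Long.parseLong(s);
        } catch (NumberFormatException e) {
            return 0; // non-numeric segment: rank as 0 instead of failing the whole check
        }
    }

    // Published timestamps: try each accepted format in order, keep the first that parses.
    // The formats are assumptions for the example; the PR does not list the feed's formats.
    private static final List<Function<String, OffsetDateTime>> DATE_PARSERS = List.of(
            s -> OffsetDateTime.parse(s, DateTimeFormatter.ISO_OFFSET_DATE_TIME),  // ...+00:00 or ...Z
            s -> LocalDateTime.parse(s, DateTimeFormatter.ISO_LOCAL_DATE_TIME)
                    .atOffset(ZoneOffset.UTC),                                       // no offset: assume UTC
            s -> LocalDateTime.parse(s, DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss"))
                    .atOffset(ZoneOffset.UTC)                                        // space-separated form
    );

    static Optional<OffsetDateTime> parsePublished(String text) {
        for (Function<String, OffsetDateTime> parser : DATE_PARSERS) {
            try {
                return Optional.of(parser.apply(text));
            } catch (DateTimeParseException ignored) {
                // wrong format for this parser, try the next one
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample data, not captured from a real feed.
        List<String> azureOrder = List.of("1.10.0", "2.0.0", "1.9.3", "1.2.0");
        System.out.println("last element: " + azureOrder.get(azureOrder.size() - 1)); // 1.2.0 (wrong)
        System.out.println("latest:       " + latestVersion(azureOrder).orElse("none")); // 2.0.0

        for (String ts : List.of("2022-06-05T10:15:30.1234567+00:00", "2022-06-05T10:15:30Z",
                "2022-06-05T10:15:30", "2022-06-05 10:15:30", "not a date")) {
            System.out.println(ts + " -> "
                    + parsePublished(ts).map(OffsetDateTime::toString).orElse("unparseable"));
        }

        System.out.println(authorizationHeader(
                URI.create("https://pkgs.example.test/nuget/v3/index.json"), "repo-user", "s3cret"));
    }
}
```

The https guard is the check a reviewer would ask for when credentials start riding on every outbound request: a repository URL that is later edited to plain http would otherwise leak the decrypted password to anyone on the path.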
@nscuro
Member

nscuro commented Jun 6, 2022

Awesome PR, @AbdelHajou! 🚀

I was unsure how to add integration tests for this feature, since it requires setting up a private package repository specifically for these tests.

You can use MockServer instead, like it's done in https://github.com/DependencyTrack/dependency-track/blob/master/src/test/java/org/dependencytrack/integrations/fortifyssc/FortifySscClientTest.java. It should allow you to test that basic auth headers are sent, but also that NugetMetaAnalyzer behaves as expected when encountering the different timestamp formats.

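The MockServer approach suggested above, as an added example rather than the test the PR eventually merged: a JUnit 5 test that only answers 200 when the Authorization header carries the expected Basic credentials, and verifies through MockServer that the client sent it exactly once. It assumes JUnit 5 and MockServer (`mockserver-netty`) on the test classpath, a fixed local port 1080, and a plain `java.net.http.HttpClient` standing in for the repository client; the path, credentials and response body are constructed for the example.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.mockserver.model.HttpRequest.request;
import static org.mockserver.model.HttpResponse.response;

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockserver.integration.ClientAndServer;
import org.mockserver.verify.VerificationTimes;

// Added example (not the PR's own test): checks that Basic credentials reach a
// private repository, using MockServer in place of a real Azure Artifacts feed.
class PrivateRepoBasicAuthTest {

    private static final int PORT = 1080; // assumption for the example
    private static final String INDEX_PATH = "/nuget/v3/index.json";
    // Constructed credentials: "repo-user:s3cret" -> "Basic cmVwby11c2VyOnMzY3JldA=="
    private static final String EXPECTED_HEADER = "Basic " + Base64.getEncoder()
            .encodeToString("repo-user:s3cret".getBytes(StandardCharsets.UTF_8));

    private ClientAndServer mockServer;

    @BeforeEach
    void startMockServer() {
        mockServer = ClientAndServer.startClientAndServer(PORT);
        // Only a request carrying the right Authorization header matches this expectation;
        // anything else falls through to MockServer's default 404.
        mockServer.when(request()
                        .withMethod("GET")
                        .withPath(INDEX_PATH)
                        .withHeader("Authorization", EXPECTED_HEADER))
                .respond(response()
                        .withStatusCode(200)
                        .withHeader("Content-Type", "application/json")
                        .withBody("{\"version\":\"3.0.0\",\"resources\":[]}")); // constructed minimal index
    }

    @AfterEach
    void stopMockServer() {
        mockServer.stop();
    }

    private HttpResponse<String> fetchIndex(String authorizationHeader) throws Exception {
        HttpRequest.Builder builder = HttpRequest.newBuilder(
                URI.create("http://localhost:" + PORT + INDEX_PATH)).GET();
        if (authorizationHeader != null) {
            builder.header("Authorization", authorizationHeader);
        }
        return HttpClient.newHttpClient().send(builder.build(), HttpResponse.BodyHandlers.ofString());
    }

    @Test
    void sendsBasicCredentialsToPrivateRepository() throws Exception {
        HttpResponse<String> resp = fetchIndex(EXPECTED_HEADER);

        assertEquals(200, resp.statusCode());
        // The header must have been sent on the wire exactly once, not just built in memory.
        mockServer.verify(request()
                        .withPath(INDEX_PATH)
                        .withHeader("Authorization", EXPECTED_HEADER),
                VerificationTimes.once());
    }

    @Test
    void repositoryRejectsRequestWithoutCredentials() throws Exception {
        HttpResponse<String> resp = fetchIndex(null);

        assertEquals(404, resp.statusCode()); // no expectation matched: the mock behaved like a locked feed
        mockServer.verify(request()
                        .withPath(INDEX_PATH)
                        .withHeader("Authorization", EXPECTED_HEADER),
                VerificationTimes.exactly(0));
    }
}
```

The same server can be given a second expectation whose body carries an Azure-style timestamp, which is how the metadata analyzer's date parsing can be exercised offline; the point of the `verify` call is that the assertion is on what was actually transmitted, not on the header value the code computed.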
@AbdelHajou
Contributor Author

@nscuro I added an integration test that tests the authentication, the timestamp parsing and the endpoint discovery.

@nscuro nscuro merged commit 78887df into DependencyTrack:master Jun 7, 2022
@nscuro nscuro added this to the 4.6 milestone Jun 7, 2022
@nscuro nscuro removed this from the 4.6 milestone Jul 16, 2022