Deploy on public server

[pombredanne]

• Decide on a DNS domain name and acquire name
• Provision server (Philippe), possibly with GCP credits at least for the initial DB creation
• create deploy and backup scripts
• deploy proper

[pombredanne]

@edoardolanzini ping, FYI

[sbs2001]

The temp domain for now would be https://vulnerablecode.aboutcode.org

[pombredanne]

@sbs2001 I registered for now vulnerabilitydb.org which is simple and generic

[pombredanne]

and I provisioned a dedicated server

[pombredanne]

This has been deployed (with a simple PW until final release 30.0.0 is tagged) at https://public.vulnerablecode.io/ 🎉

[sschuberth]

This has been deployed (with a simple PW until final release 30.0.0 is tagged) at https://public.vulnerablecode.io/ 🎉

Meanwhile release 30.2.0 is tagged. Is there a way we could use the public instance in an ORT example pipeline without a password now, @pombredanne?

[pombredanne]

@sschuberth there is a new release coming up and we added API doc and self registration for an API key
This is may be released this week.

[sschuberth]

self registration for an API key

Would you be OK with exposing an API key for ORT in a public example ORT pipeline that leverages VulnerableCode, @pombredanne?

[pombredanne]

And this is now live at https://public.vulnerablecode.io/

[pombredanne]

Would you be OK with exposing an API key for ORT in a public example ORT pipeline that leverages VulnerableCode,

Your call. An API key is like a password... and API calls should be throttled. Getting an API key should be easy enough

[sschuberth]

And this is now live at https://public.vulnerablecode.io/

This is what I get when requesting an API key:

[pombredanne]

@sschuberth This is now fixed! Sorry for the noise!

[sschuberth]

I've got my API key now, but unfortunately I'm getting "Authentication credentials were not provided." for any API call that I tried so far despite an "Authorization" header with my token being present.

[sschuberth]

despite an "Authorization" header with my token being present.

Ah, the value of that header field needs to start with the literal word "Token" before the token's value!

Could you fix the cURL code generated at https://public.vulnerablecode.io/api/docs/ to include that?

[pombredanne]

Let me reopen this issue
In the OpenAPI at https://public.vulnerablecode.io/api/docs/ if I click on Authorize, the popup states:

Available authorizations

tokenAuth (apiKey)

Token-based authentication with required prefix "Token"

Name: Authorization

In: header
Value:

Where do you think we could make this more obvious?

[sschuberth]

Where do you think we could make this more obvious?

Ah, my fault. In this dialog

I was overlooking the with required prefix "Token" part and just pasted the hex value. If the "Token " prefix is included here, it also shows up in the cURL command line snippets. All a bit error-prone because unusual IMO, but actually correctly documented.

So, thanks, I think we can close this again!

[TG1999]

Thanks @sschuberth , closing this!