OSS Index Analyzer
Uses the Sonatype Guide OSS Index APIs to report on vulnerabilities not found in the NVD. The collection of identified Package URL (PURL) identifiers is submitted to OSS Index for analysis, and the vulnerabilities it identifies are included in the report. In addition, vulnerabilities found in both the NVD and OSS Index may have additional references added.
This analyzer requires an internet connection, and authentication is mandatory: if no credentials are provided, the analyzer is disabled. Review the configuration documentation for the specific dependency-check integration in use for details on how to configure the URL and credentials for this analyzer.
Sonatype Guide Migration
During 2026, the Sonatype OSS Index API is being migrated to become part of the Sonatype Guide platform.
During this migration users will need to make some minor changes.
- For existing users (those with an existing legacy OSS Index account and API token)
  - After April 1, 2026
    - log in to the Sonatype Guide platform with your OSS Index account credentials to validate that your account has been migrated
    - migrate the OSS Index analyzer base URL to the Sonatype Guide platform, either by
      - overriding the Dependency-Check configuration, OR
      - upgrading to Dependency-Check 12.2.1+ (if using the defaults)
    - review API usage within Sonatype Guide to determine whether continued free usage is possible (new API limits apply from April 28, 2026 onwards)
    - consider caching/restoring Dependency-Check's data directory between runs to retain the OSS Index cache and reduce API load
  - Before December 31, 2026
    - migrate to a Sonatype Guide API token for authentication rather than the legacy OSS Index API token
- For new users
  - After April 1, 2026
    - sign up for Sonatype Guide directly
    - use a Sonatype Guide API token as the OSS Index `password` for authentication (`username` is optional)
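The following wrapper script is an added example, not code from the Dependency-Check project or from this page. It shows one way to apply the steps above from a CI job: the Sonatype Guide token is passed as the OSS Index password through a properties file rather than a command-line flag (so it is not exposed in `ps` output or echoed CI command lines), the analyzer base URL is overridden from an environment variable, and the data directory is restored and saved around the scan to retain the OSS Index cache. The property keys `analyzer.ossindex.enabled`, `analyzer.ossindex.url`, `analyzer.ossindex.user` and `analyzer.ossindex.password`, the CLI options `--propertyfile`, `--data`, `--scan`, `--out`, `--format` and `--project`, and the environment variable names are assumptions to verify against the configuration documentation for your Dependency-Check version. The Sonatype Guide base URL is not reproduced here; `OSSINDEX_URL` is a placeholder you must set from the migration notice.

```shell
#!/usr/bin/env sh
# Added example (not from the Dependency-Check docs or project).
# Assumptions: property keys analyzer.ossindex.* are honoured via --propertyfile,
# the CLI accepts --data/--scan/--out/--format/--project, and OSSINDEX_URL holds
# the Sonatype Guide base URL from the migration notice (empty = tool default).
set -eu

# Write the analyzer settings to a mode-600 properties file so the token
# never appears in argv. The username is optional with a Sonatype Guide token.
write_ossindex_props() {
    out="$1"; token="$2"; user="${3:-}"; url="${4:-}"
    (
        umask 077
        {
            echo "analyzer.ossindex.enabled=true"
            [ -n "$url" ]  && echo "analyzer.ossindex.url=$url"
            [ -n "$user" ] && echo "analyzer.ossindex.user=$user"
            echo "analyzer.ossindex.password=$token"
        } > "$out"
    )
}

# Restore a previously saved data directory (NVD data plus the OSS Index cache)
# so repeated runs do not re-query OSS Index for already-seen PURLs.
restore_cache() {            # $1 = archive path, $2 = data directory
    mkdir -p "$2"
    [ -f "$1" ] && tar -xzf "$1" -C "$2"
    return 0
}

# Save the data directory after the scan for the next run to restore.
save_cache() {               # $1 = archive path, $2 = data directory
    tar -czf "$1" -C "$2" .
}

# Run the scan; DC_CLI lets a CI image point at its own dependency-check.sh.
run_scan() {                 # $1 = scan path, $2 = data dir, $3 = props, $4 = report dir
    "${DC_CLI:-dependency-check.sh}" \
        --project "$(basename "$1")" \
        --scan "$1" \
        --data "$2" \
        --propertyfile "$3" \
        --out "$4" \
        --format JSON
}

# Only perform a real scan when a token is present in the environment
# (hypothetical variable names: OSSINDEX_TOKEN, OSSINDEX_USER, OSSINDEX_URL).
if [ -n "${OSSINDEX_TOKEN:-}" ]; then
    props="$(mktemp)"
    write_ossindex_props "$props" "$OSSINDEX_TOKEN" "${OSSINDEX_USER:-}" "${OSSINDEX_URL:-}"
    restore_cache "${DC_CACHE_ARCHIVE:-dc-data.tgz}" "${DC_DATA_DIR:-./dc-data}"
    run_scan "${SCAN_PATH:-.}" "${DC_DATA_DIR:-./dc-data}" "$props" "${REPORT_DIR:-./dc-report}"
    save_cache "${DC_CACHE_ARCHIVE:-dc-data.tgz}" "${DC_DATA_DIR:-./dc-data}"
    rm -f "$props"
fi
```

Keep the token in a CI secret store and inject it as `OSSINDEX_TOKEN`; the properties file is created with `umask 077` and deleted after the run, and the archive produced by `save_cache` should be stored with the CI system's cache mechanism keyed per project so the OSS Index cache survives between runs.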
For more details on this migration see:

