Assured Open Source Software packages are hosted on a Google-managed Artifact Registry repository.
This page explains how you can connect to the Artifact Registry repository for Assured OSS to directly access and download the Java packages.
Before you begin
Install the latest version of the Google Cloud CLI.
If you have installed the Google Cloud CLI previously, make sure you have the latest version by running the command:
gcloud components updateTo enable access to Assured OSS, submit the customer enablement form.
Validate connectivity to Assured OSS for the requested service accounts.
Enable the Artifact Registry API for the parent Google Cloud project of the service accounts used to access Assured OSS.
Set up authentication
Artifact Registry supports the following authentication methods:
Authenticate with a credential helper
Artifact Registry provides a Maven wagon and a Gradle plugin to use as credential helpers. This option provides the most flexibility.
For setting up Application Default Credentials, see Set up authentication.
Set up your credential helpers
If you're using a credential helper to set up authentication, make the following changes based on the build tool.
Maven
<project>
<build>
<extensions>
<extension>
<groupId>com.google.cloud.artifactregistry</groupId>
<artifactId>artifactregistry-maven-wagon</artifactId>
<version>2.2.0</version>
</extension>
</extensions>
</build>
</project>
Gradle
plugins {
id "com.google.cloud.artifactregistry.gradle-plugin" version "2.2.0"
}
Authenticate using password
Authenticate using password when your Java application requires authentication with a specified username and password. Depending on your build tool, change settings as per the following instructions:
Maven
Add the following authentication settings in the settings section of the
~/.m2/settings.xml file. See the Maven Settings reference for more
information. If the ~/.m2/settings.xml file doesn't exist, then create a new
file.
<settings>
<servers>
<server>
<id>artifact-registry</id>
<configuration>
<httpConfiguration>
<get>
<usePreemptive>true</usePreemptive>
</get>
<head>
<usePreemptive>true</usePreemptive>
</head>
<put>
<params>
<property>
<name>http.protocol.expect-continue</name>
<value>false</value>
</property>
</params>
</put>
</httpConfiguration>
</configuration>
<username>_json_key_base64</username>
<password>KEY</password>
</server>
</servers>
</settings>
Replace KEY with the base64-encoding of entire service
account JSON key file. To do this, run the following command:
cat KEY_FILE_LOCATION | base64
Where KEY_FILE_LOCATION is location of service account JSON key file.
Gradle
Add the following line to your ~/.gradle/gradle.properties file so that
the key is not visible in your builds or your source control repository.
artifactRegistryMavenSecret = KEY
Replace KEY with the private key from your service account JSON
key file. For json_key_base64, the artifactRegistryMavenSecret contains the
base64 encrypted password. For example, base64 -w 0 KEY.
In the build.gradle file, specify the repository settings using the following example:
repositories {
maven {
url "artifactregistry://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java"
credentials {
username = "_json_key_base64"
password = "$artifactRegistryMavenSecret"
}
authentication {
basic(BasicAuthentication)
}
}
}
Update the project configuration file to point to the repository
Maven
Add the following settings to the appropriate section in the pom.xml file for
your Maven project. Don't replace the authentication settings.
<project>
<repositories>
<repository>
<id>artifact-registry</id>
<url>artifactregistry://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java</url>
<releases>
<enabled>true</enabled>
</releases>
<snapshots>
<enabled>false</enabled>
</snapshots>
</repository>
</repositories>
</project>
See the Maven POM reference for details about the structure of the file.
Gradle
Specify the following repository settings in your build.gradle file. Do not
replace the authentication settings.
repositories {
maven {
url "artifactregistry://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java"
}
}
Update the project configuration file to add dependencies
To download an artifact as a part of your build, the artifact must be declared as a dependency as shown in the following examples.
Maven
Declare the packages that you want to download in the pom.xml file for your Maven project.
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.17.1</version>
</dependency>
Gradle
Declare the packages that you want to download in your build.gradle file.
dependencies {
compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.17.1'
}
Access packages not available in Assured OSS
If you want access to packages that aren't available in the Artifact Registry repository for Assured OSS, you can do the following:
Assured OSS is also pre-configured with Assured OSS as the preferred repository and canonical public repositories, such as Maven Central or PyPI, as secondary repositories. To use this feature (preview), you can point to a single URL:
- For Java, use URL
https://us-maven.pkg.dev/cloud-aoss/java
- For Java, use URL
List all Java packages available in Assured OSS
To use an API to get a list of all the Java packages available in the Artifact Registry repository, see List all Java packages available in Assured OSS.
Software Delivery Shield
Assured Open Source Software is part of the Software Delivery Shield solution. Software Delivery Shield is a fully-managed, end-to-end software supply chain security solution that helps you to improve the security posture of developer workflows and tools, software dependencies, CI/CD systems used to build and deploy your software, and runtime environments such as Google Kubernetes Engine and Cloud Run. To learn how you can use Assured Open Source Software with other components of Software Delivery Shield to improve the security posture of your software supply chain, see Software Delivery Shield overview.
What's next
- Download Python packages using direct repository access
- Set up virtual repository access
- Supported Java and Python packages
- Access security metadata using Cloud Storage
- Access security metadata using Artifact Analysis API