Download Java packages using direct repository access

Stay organized with collections Save and categorize content based on your preferences.

This page explains how you can connect to the Assured OSS repository directly to access and download the Java packages.

Before you begin

  1. Install the latest version of the Google Cloud CLI.

  2. If you have installed Google Cloud CLI previously, make sure you have the latest version by running the gcloud components update command.

Set up authentication

You can authenticate to the Artifact Registry Java package repository using one of the following options:

Authenticating with a credential helper

Use credential helpers such as Maven wagon and Gradle plugin to authenticate to the Artifact Registry. Artifact Registry validates credentials in the following order:

  1. Checks Application Default Credentials (ADC):

    • Check credentials defined in the GOOGLE_APPLICATION_CREDENTIALS environment variable.
    • Else, check the credentials that the default service account for Compute Engine, Google Kubernetes Engine, Cloud Run, App Engine, or Cloud Functions provide.

    If you're using Application Default Credentials, assign the service account key file location to the variable GOOGLE_APPLICATION_CREDENTIALS so that the Assured OSS credential helper can obtain your key when connecting with repositories. Use the following command:

    export GOOGLE_APPLICATION_CREDENTIALS=`KEY_FILE_LOCATION`
    

Where KEY_FILE_LOCATION is the path to the service account json key file.

  1. If Application Default Credentials are not found, Artifact Registry checks for credentials provided by the Google Cloud CLI including user credentials obtained from the command gcloud auth application-default login.

Authenticating using password

Authenticate using password when your Java application requires authentication with a specified username and password. Depending on your build tool, change settings as per the following instructions:

Maven

Add the following authentication settings in the settings section of the ~/.m2/settings.xml file. See the Maven Settings reference for more information.

<settings>
  <servers>
    <server>
      <id>artifact-registry</id>
      <configuration>
        <httpConfiguration>
          <get>
            <usePreemptive>true</usePreemptive>
          </get>
          <head>
            <usePreemptive>true</usePreemptive>
          </head>
          <put>
            <params>
              <property>
                <name>http.protocol.expect-continue</name>
                <value>false</value>
              </property>
            </params>
          </put>
        </httpConfiguration>
      </configuration>
      <username>_json_key_base64</username>
      <password>`KEY`</password>
    </server>
  </servers>
</settings>

Where KEY is the private key in your service account json key file.

Gradle

Add the following line to your ~/.gradle/gradle.properties file so that the key is not visible in your builds or your source control repository.

  artifactRegistryMavenSecret = KEY`

Where KEY is the private key in your service account json key file. For json_key_base64, the artifactRegistryMavenSecret contains the base64 encrypted password. For example, base64 -w 0 KEY.

In your build.gradle, specify the repository settings using the following example:

repositories {
  maven {
    url "artifactregistry://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java"
    credentials {
      username = "_json_key_base64"
      password = "$artifactRegistryMavenSecret"
    }
    authentication {
      basic(BasicAuthentication)
    }
  }
}

Update the project configuration file to point to the repository

Maven

If you're using a credential helper to set up authentication, add the following settings to the appropriate section in the pom.xml file for your Maven project:

<project>
  <repositories>
    <repository>
      <id>artifact-registry</id>
      <url>artifactregistry://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java</url>
      <releases>
        <enabled>true</enabled>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
    </repository>
  </repositories>

  <build>
    <extensions>
      <extension>
        <groupId>com.google.cloud.artifactregistry</groupId>
        <artifactId>artifactregistry-maven-wagon</artifactId>
        <version>2.1.5</version>
      </extension>
    </extensions>
  </build>
</project>

See the Maven POM reference for details about the structure of the file.

If you're using password authentication, add the following settings to the appropriate section in the pom.xml file for your Maven project:

<project>
  <repositories>
    <repository>
      <id>artifact-registry</id>
      <url>artifactregistry://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java</url>
      <releases>
        <enabled>true</enabled>
      </releases>
      <snapshots>
        <enabled>false</enabled>
      </snapshots>
    </repository>
  </repositories>
</project>

Gradle

Specify the following repository settings in your build.gradle only if you're using an authentication helper to set up authentication:

plugins {
  id "com.google.cloud.artifactregistry.gradle-plugin" version "2.1.5"
}

repositories {
  maven {
   url "artifactregistry://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java"
  }
}

Update the project configuration file to add dependencies

To download an artifact as a part of your build, the artifact must be declared as a dependency as shown in the following examples.

Maven

Declare the packages that you want to download in the pom.xml file for your Maven project.

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.17.1</version>
</dependency>

Gradle

Declare the packages that you want to download in your build.gradle.

dependencies {
    compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.17.1'
}

List all Java packages available in Assured OSS

Use the following API to list all the Java packages and their versions.

GET https://artifactregistry.googleapis.com/v1/{parent=projects/*/locations/*/repositories/*}/mavenArtifacts

Authentication to the API is set up using the same service account that is used to access Assured OSS. For information, see Authentication at Google. You can also provide authentication credentials to the application code by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS using the following command:

export GOOGLE_APPLICATION_CREDENTIALS=`KEY_FILE_LOCATION`

Where KEY_FILE_LOCATION is the path to the service account json key file.

HTTP request

GET https://artifactregistry.googleapis.com/v1/{parent=projects/*/locations/*/repositories/*}/mavenArtifacts

You can also call this API using curl command. The following is a sample curl command to connect to the Assured OSS Java repository:

curl -X GET -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) https://artifactregistry.googleapis.com/v1/projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts

Sample response:

{
  "mavenArtifacts": [
    {
      "name": "projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts/com.alibaba:fastjson:1.2.83",
      "pomUri": "us-maven.pkg.dev/cloud-aoss/cloud-aoss-java/com/alibaba/fastjson/1.2.83/fastjson-1.2.83.pom",
      "groupId": "com.alibaba",
      "artifactId": "fastjson",
      "version": "1.2.83",
      "createTime": "2022-06-24T09:10:05.166879Z",
      "updateTime": "2022-06-24T09:10:05.166879Z"
    },
    {
      "name": "projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts/org.apache.logging.log4j:log4j-api:2.17.1",
      "pomUri": "us-maven.pkg.dev/cloud-aoss/cloud-aoss-java/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.pom",
      "groupId": "org.apache.logging.log4j",
      "artifactId": "log4j-api",
      "version": "2.17.1",
      "createTime": "2022-03-16T12:22:50.113695Z",
      "updateTime": "2022-03-16T12:22:50.113695Z"
    },
    {
      "name": "projects/cloud-aoss/locations/us/repositories/cloud-aoss-java/mavenArtifacts/org.apache.logging.log4j:log4j-core:2.17.1",
      "pomUri": "us-maven.pkg.dev/cloud-aoss/cloud-aoss-java/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.pom",
      "groupId": "org.apache.logging.log4j",
      "artifactId": "log4j-core",
      "version": "2.17.1",
      "createTime": "2022-03-16T12:26:40.317215Z",
      "updateTime": "2022-03-16T12:26:40.317215Z"
    }
  ]
}

Learn more

Assured Open Source Software is part of the Software Delivery Shield solution. Software Delivery Shield is a fully-managed, end-to-end software supply chain security solution that helps you to improve the security posture of developer workflows and tools, software dependencies, CI/CD systems used to build and deploy your software, and runtime environments such as Google Kubernetes Engine and Cloud Run. To learn how you can use Assured Open Source Software with other components of Software Delivery Shield to improve the security posture of your software supply chain, see Software Delivery Shield overview.

What's next?