Download Assured OSS packages using a remote repository

This page explains how you can set up a remote repository to access and download Assured OSS packages.

Before you begin

  1. Submit the customer enablement form to enable access to Assured OSS.
  2. Validate connectivity to Assured OSS for the requested service accounts.

Overview

Assured OSS packages are stored on a Google-managed Artifact Registry repository. You can access and download the OSS packages offered by Assured OSS using one of the following methods:

  • Set up a virtual repository (preview feature) that acts as a single access point to download, install, or deploy packages in the same format from one or more upstream repositories. An upstream repository can be an Artifact Registry standard or remote repository.

  • Set up a remote (also called mirror or proxy) repository to act as a proxy for the Assured OSS Artifact Registry repository. You will connect to the remote repository to download the packages. This method is commonly used in organizations that access open source software using a repository manager like Jfrog Artifactory or Sonatype Nexus.

  • Connect to the Assured OSS Artifact Registry repository directly using a service account from build tools like Maven, Gradle, or pip.

workflow of a remote repository

Set up a remote repository using JFrog Artifactory

  1. Sign in to the JFrog Artifactory repository manager. Make sure that you have the required privileges to create a new remote repository.
  2. Select the option to create a new remote repository in your repository manager.
  3. Select the appropriate repository type, for example Maven for Java and PyPi for Python.

  4. Test the connection to the Java or Python repository using the following steps:

    1. In the Repository Key field, enter a unique name or identifier for the remote repository.
    2. In the URL field, enter https://us-maven.pkg.dev for Java or https://us-python.pkg.dev for Python. Don't enter the complete domain name as this may return an HTTP 404 or 405 status code.
    3. Leave the rest of the fields blank. Test the Java repository connection

    4. Click Test. The connection is successful when you see the following output:

      Successfully connected to server

  5. To create a new remote repository, enter the following information:

    1. In the Repository Key field, enter a unique name or identifier for the remote repository. For example, assured-oss-java-repo.
    2. In the URL field, choose from the following:
      • For Java, enter https://us-maven.pkg.dev/cloud-aoss/JAVA_REPO_NAME.
      • For Python, enter https://us-python.pkg.dev/cloud-aoss/PYTHON_REPO_NAME.
    3. In the User Name field, enter _json_key_base64.
    4. In the Password field, provide the base64 encoded string of the entire service account json key file. On Linux, run the command base64 <key-filename.json> to get the base64 encoded string. Use the entire base64 encoded string in a single line as password.
    5. In the Registry URL field, enter https://us-python.pkg.dev/cloud-aoss/cloud-aoss-python. This step is only required for Python.

    Add details about Java repository

  6. Click Create Remote Repository.

  7. For Python packages, append the obtained URL with /simple. Use the URL as the index-url in the pip install command to download the required Python packages. For example, if the obtained URL of the repository is https://a0a87smb7hcda.jfrog.io/artifactory/api/pypi/PYTHON_REPO_NAME, then the corresponding index-url is https://a0a87smb7hcda.jfrog.io/artifactory/api/pypi/PYTHON_REPO_NAME/simple.

  8. After the new remote repository is set up, point your build tools like Maven, Gradle, or pip to use this new remote repository.

Known issues

Testing the connection using the Test button can return an error even if the connection is configured correctly. We recommend that you create the remote repository irrespective of the test button behavior. For another way of confirming a connection, see Validate your connection.

Set up a remote repository using Sonatype Nexus

  1. Login to your Sonatype Nexus repository manager. Make sure that you have the required privileges to create a new remote repository.
  2. Select the option to create a new repository.
  3. Select the appropriate repository type, for example Maven for Java and PyPi for Python.

  4. Enter the following details for the new repository:

    1. In the Name field, enter a unique name or identifier for the remote repository
    2. In the Remote Storage field, choose from the following:
      • For Java, enter https://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java.
      • For Python, enter https://us-python.pkg.dev/cloud-aoss/cloud-aoss-python.

    Add details about Python repository

  5. Select the HTTP Authentication checkbox, and then specify the following:

    1. In the Authentication type field, enter Username.
    2. In the Username field, enter _json_key_base64.
    3. In the Password field, provide the base64 encoded string of the entire service account JSON key file. To get the base64 encoded string, run the command base64 <key-filename.json> . Use the entire base64 encoded string in a single line as password.

    Add details about Python authentication

  6. Click Create Repository.

  7. After the new remote repository is set up, point your build tools like Maven, Gradle, or pip to use this new remote repository.

Access packages not available in Assured OSS

If you want access to packages that aren't available in the Assured OSS repository, you can do the following:

  • Assured OSS is also pre-configured with Assured OSS as the preferred repository and canonical public repositories, such as Maven Central or PyPI, as secondary repositories. To use this feature (preview), you can point to a single URL:

    • For Java, use URL https://us-maven.pkg.dev/cloud-aoss/java
    • For Python, use URL https://us-python.pkg.dev/cloud-aoss/python

Software Delivery Shield

Assured Open Source Software is part of the Software Delivery Shield solution. Software Delivery Shield is a fully-managed, end-to-end software supply chain security solution that helps you to improve the security posture of developer workflows and tools, software dependencies, CI/CD systems used to build and deploy your software, and runtime environments such as Google Kubernetes Engine and Cloud Run. To learn how you can use Assured Open Source Software with other components of Software Delivery Shield to improve the security posture of your software supply chain, see Software Delivery Shield overview.

What's next