This page explains how you can set up a remote repository to access and download Assured OSS packages.
Before you begin
- Submit the customer enablement form to enable access to Assured OSS.
- Validate connectivity to Assured OSS for the requested service accounts.
Overview
Assured OSS packages are stored on a Google-managed Artifact Registry repository. You can access and download the OSS packages offered by Assured OSS using one of the following methods:
- Set up a virtual repository (preview feature) that acts as a single access point to download, install, or deploy packages in the same format from one or more upstream repositories. An upstream repository can be an Artifact Registry standard or remote repository.
- Set up a remote (also called mirror or proxy) repository to act as a proxy for the Assured OSS Artifact Registry repository. You will connect to the remote repository to download the packages. This method is commonly used in organizations that access open source software using a repository manager like JFrog Artifactory or Sonatype Nexus.
- Connect to the Assured OSS Artifact Registry repository directly using a service account from build tools like Maven, Gradle, or pip.
Set up a remote repository using JFrog Artifactory
- Sign in to the JFrog Artifactory repository manager. Make sure that you have the required privileges to create a new remote repository.
- Select the option to create a new remote repository in your repository manager.
- Select the appropriate repository type, for example `Maven` for Java and `PyPi` for Python.
- Test the connection to the Java or Python repository using the following steps:
  - In the Repository Key field, enter a unique name or identifier for the remote repository.
  - In the URL field, enter `https://us-maven.pkg.dev` for Java or `https://us-python.pkg.dev` for Python. Don't enter the complete domain name as this may return an HTTP `404` or `405` status code.
  - Leave the rest of the fields blank.
  - Click Test. The connection is successful when you see the following output:
    Successfully connected to server
- To create a new remote repository, enter the following information:
  - In the Repository Key field, enter a unique name or identifier for the remote repository. For example, `assured-oss-java-repo`.
  - In the URL field, choose from the following:
    - For Java, enter `https://us-maven.pkg.dev/cloud-aoss/JAVA_REPO_NAME`.
    - For Python, enter `https://us-python.pkg.dev/cloud-aoss/PYTHON_REPO_NAME`.
  - In the User Name field, enter `_json_key_base64`.
  - In the Password field, provide the base64 encoded string of the entire service account JSON key file. On Linux, run the command `base64 <key-filename.json>` to get the base64 encoded string. Use the entire base64 encoded string in a single line as password.
  - In the Registry URL field, enter `https://us-python.pkg.dev/cloud-aoss/cloud-aoss-python`. This step is only required for Python.
- Click Create Remote Repository.
For Python packages, append `/simple` to the obtained URL. Use the resulting URL as the `index-url` in the `pip install` command to download the required Python packages. For example, if the obtained URL of the repository is `https://a0a87smb7hcda.jfrog.io/artifactory/api/pypi/PYTHON_REPO_NAME`, then the corresponding `index-url` is `https://a0a87smb7hcda.jfrog.io/artifactory/api/pypi/PYTHON_REPO_NAME/simple`.
After the new remote repository is set up, point your build tools like Maven, Gradle, or pip to use this new remote repository.
Known issues
Testing the connection using the Test button can return an error even if the connection is configured correctly. We recommend that you create the remote repository irrespective of the test button behavior. For another way of confirming a connection, see Validate your connection.
Set up a remote repository using Sonatype Nexus
- Log in to your Sonatype Nexus repository manager. Make sure that you have the required privileges to create a new remote repository.
- Select the option to create a new repository.
- Select the appropriate repository type, for example `Maven` for Java and `PyPi` for Python.
- Enter the following details for the new repository:
  - In the Name field, enter a unique name or identifier for the remote repository.
  - In the Remote Storage field, choose from the following:
    - For Java, enter `https://us-maven.pkg.dev/cloud-aoss/cloud-aoss-java`.
    - For Python, enter `https://us-python.pkg.dev/cloud-aoss/cloud-aoss-python`.
- Select the HTTP Authentication checkbox, and then specify the following:
  - In the Authentication type field, enter `Username`.
  - In the Username field, enter `_json_key_base64`.
  - In the Password field, provide the base64 encoded string of the entire service account JSON key file. To get the base64 encoded string, run the command `base64 <key-filename.json>`. Use the entire base64 encoded string in a single line as password.
- Click Create Repository.
After the new remote repository is set up, point your build tools like Maven, Gradle, or pip to use this new remote repository.
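Both the JFrog Artifactory and Sonatype Nexus procedures above need the whole service account key as a single-line base64 string in the Password field. The following shell functions are an added example, not part of the original page: they produce that string without line wrapping, confirm that it decodes back to the key file, and store it with owner-only permissions. The function names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the sample key below are constructed.

# Print FILE base64-encoded as one line. GNU base64 wraps its output at
# 76 columns by default, so line breaks are stripped explicitly.
encode_key() {
    base64 < "$1" | tr -d '\r\n'
}

# Succeed only if STRING has no line breaks and decodes back to FILE
# byte for byte, i.e. it is the whole key and nothing was truncated.
is_valid_password() {
    nl='
'
    case $2 in
        ''|*"$nl"*) return 1 ;;
    esac
    printf '%s' "$2" | base64 -d 2>/dev/null | cmp -s - "$1"
}

# Write the encoded key to OUT with owner-only permissions, so the
# credential is neither world-readable nor echoed to the terminal,
# then verify what was written.
write_password_file() {
    ( umask 077; encode_key "$1" > "$2" ) &&
        chmod 600 "$2" &&
        is_valid_password "$1" "$(cat "$2")"
}

# Demo with a constructed stand-in for a service account key file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/key.json" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0000000000000000000000000000000000000000",
  "client_email": "aoss-reader@example-project.iam.gserviceaccount.com"
}
EOF
if write_password_file "$demo_dir/key.json" "$demo_dir/password.txt"; then
    echo "single-line password: $(wc -c < "$demo_dir/password.txt") characters"
fi
rm -rf "$demo_dir"
```

The encoded string is equivalent to the key file itself, so keep the output file out of source control and delete it once the value has been stored in the repository manager.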
Access packages not available in Assured OSS
If you want access to packages that aren't available in the Assured OSS repository, you can do the following:
Assured OSS is also pre-configured with Assured OSS as the preferred repository and canonical public repositories, such as Maven Central or PyPI, as secondary repositories. To use this feature (preview), you can point to a single URL:
- For Java, use URL `https://us-maven.pkg.dev/cloud-aoss/java`
- For Python, use URL `https://us-python.pkg.dev/cloud-aoss/python`
Software Delivery Shield
Assured Open Source Software is part of the Software Delivery Shield solution. Software Delivery Shield is a fully-managed, end-to-end software supply chain security solution that helps you to improve the security posture of developer workflows and tools, software dependencies, CI/CD systems used to build and deploy your software, and runtime environments such as Google Kubernetes Engine and Cloud Run. To learn how you can use Assured Open Source Software with other components of Software Delivery Shield to improve the security posture of your software supply chain, see Software Delivery Shield overview.
What's next
- Download Java packages using direct repository access
- Download Python packages using direct repository access
- Set up virtual repository access
- Supported Java and Python packages
- Access security metadata using Cloud Storage