Authenticate with Google cloud storage bucket #6826

Open
ankurga opened this issue Jul 9, 2024 · 1 comment
ankurga commented Jul 9, 2024

Hello,

I have downloaded the NVD data using vulnz and put it on a google cloud storage bucket at this location:

https://storage.googleapis.com/mydummybucket/nvd-cache

Then I am trying to use this bucket URL for the Maven command like this:

    mvn org.owasp:dependency-check-maven:check -DnvdDatafeedUrl=https://storage.googleapis.com/mydummybucket/nvd-cache

Now if I keep the bucket open for public access, it's fine and maven is able to download the data from the bucket but if I make the bucket private and try to use it via a service account key, I don't know how to do it.

I am able to download the data using gcloud commands after making the bucket private and using the service account key, but of course mvn is not able to use the same mechanism as gcloud for authentication.

I tried to find some option here but couldn't find any.

Can someone please help me with what would be the best way to achieve this?

lbillinghamwrk commented Jul 9, 2024

AIUI GCloud buckets are accessible with Bearer tokens (GCP docs).

e.g. `curl -H "Authorization: Bearer ${GCLOUD_TOKEN}" https://storage.googleapis.com/some/storage/path` works.

However, the NVD auth available in DependencyCheck is Basic auth akin to `curl -H "Authorization: Basic ${GCLOUD_TOKEN}" https://storage.googleapis.com/some/storage/path`. This doesn't work with a GCP bucket.

[edit] If I'm thinking along the right lines, this relates to #5783 [edit] (I'm not sure that I have enough Java knowledge to spin up a PR)

So maybe it is possible to add a `public void addTokenAuthentication(...)` in `URLConnectionFactory.java` and consume that method in `HttpResourceConnection::obtainConnection` in `HttpResourceConnection.java`

I've no idea what modifications to

            if (userKey != null && passwordKey != null) {
                connFactory.addBasicAuthentication(conn, userKey, passwordKey);
            }

we might need.

Adding tokenKey and doing all the bookkeeping checks between tokenKey, userKey, passwordKey sounds fiddly.
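
The bookkeeping between a token and a user/password pair that the comment above describes, sketched as an added example (not DependencyCheck code and not written by either commenter). The class `FeedAuthExample`, the method `authorizationHeader`, the choice to reject mixed configuration, the HTTPS check and the sample values are all assumptions made for illustration:

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/** Hypothetical helper: decides which Authorization header a data feed request gets. */
public final class FeedAuthExample {

    /** token, user and password stand in for configured values; null means "not set". */
    static Optional<String> authorizationHeader(URI feed, String token, String user, String password) {
        boolean hasToken = token != null && !token.isBlank();
        boolean hasUser = user != null && !user.isBlank();
        boolean hasPassword = password != null && !password.isEmpty();
        if (!hasToken && !hasUser && !hasPassword) {
            return Optional.empty(); // publicly readable feed: send no credentials
        }
        // A credential must never travel with a cleartext request.
        if (!"https".equalsIgnoreCase(feed.getScheme())) {
            throw new IllegalArgumentException("refusing to send credentials to a non-HTTPS URL");
        }
        // Ambiguous configuration fails loudly instead of silently picking one scheme.
        if (hasToken && (hasUser || hasPassword)) {
            throw new IllegalArgumentException("configure either a token or user/password, not both");
        }
        if (hasToken) {
            return Optional.of("Bearer " + token); // the form a private GCS bucket accepts
        }
        if (!(hasUser && hasPassword)) {
            throw new IllegalArgumentException("basic auth needs both user and password");
        }
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return Optional.of("Basic " + Base64.getEncoder().encodeToString(pair));
    }

    /** Returns only the scheme name so the credential itself is never written to output. */
    static String schemeOf(Optional<String> header) {
        return header.map(h -> h.substring(0, h.indexOf(' '))).orElse("(none)");
    }

    public static void main(String[] args) {
        URI feed = URI.create("https://storage.googleapis.com/mydummybucket/nvd-cache");
        // Constructed sample values, not real credentials.
        System.out.println(schemeOf(authorizationHeader(feed, "constructed-token", null, null)));
        System.out.println(schemeOf(authorizationHeader(feed, null, "user", "pass")));
        System.out.println(schemeOf(authorizationHeader(feed, null, null, null)));
    }
}
```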
