
Maven with Azure Artifacts - Host Rule Implementation

This article details the instructions to successfully configure our repo integrations with your Maven private registries that are hosted in Azure Artifacts. Maven private registries can be accessed by authentication via an Azure Personal Access Token (PAT). This will allow our repo integrations to scan your private Maven packages for vulnerabilities and compliance.

Generating a Personal Access Token (PAT) in Azure for your Artifacts feed

If you do not have a Personal Access Token (PAT) generated for your Artifacts feed, you can follow the instructions laid out in Azure’s documentation on Maven Artifacts.

Note: The PAT that is created must have Read & write permissions for the Packaging Scope.

You can also use the PAT in your settings.xml file that was used to install & deploy the Maven packages to the Artifacts feed (as this PAT should also have Read & write permissions for the Packaging Scope).

For example, the PAT value would be in the <password> block in the settings.xml below:

CODE
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <servers>
    <server>
      <id>[feedName]</id>
      <username>[AzureOrgName or AzureProjectName]</username>
      <password>[PERSONAL_ACCESS_TOKEN]</password>
    </server>
  </servers>
</settings>

Save this PAT for the next step, Encrypting your Azure PAT.

Encrypting your Azure PAT

For Mend-Hosted repo integrations (GitHub.com and Azure Repos)

  1. Navigate to Mend's Repository Integration Secrets Encryption page

  2. Each secret you encrypt must be scoped to a GitHub org or Azure project, and its use is restricted to that scope within the app. The encryption page has the following fields:

    1. Organization\Group - required; your GitHub org or your Azure project to which secrets are to be scoped

    2. Repository - optional; your GitHub or Azure repository to which secrets are to be scoped

    3. Raw value - required; your Azure PAT that was created earlier

  3. Click on Encrypt. This will create an encrypted value, which is the result of the encryption to be used in the integration

  4. Copy this encrypted value

For Self-Hosted repo integrations (GitHub Enterprise, Bitbucket Server and Data Center, and GitLab)

Follow the steps outlined below to generate an encrypted secret for each of the Self-Hosted repo integrations:

  1. When generating a secret, there are the following fields on the encryption page:

    1. Organization\Group - required; your GitHub org, GitLab group, or Bitbucket group to which secrets are to be scoped

    2. Repository - optional; your repository to which secrets are to be scoped

    3. Raw value - required; your Azure PAT that was created earlier

  2. Click on Encrypt. This will create an encrypted value, which is the result of the encryption to be used in the integration

  3. Copy this encrypted value and save it for the step, Applying the hostRules

Where can I find the matchHost URL for Maven?

The URL that is to be used for the matchHost setting in the hostRules can be found by following the steps below:

  1. Navigate to your Azure Project where the Artifact feed is located and click on Artifacts in the left-hand tree

  2. In this screen, click on Connect to Feed:

  3. Find and click on Maven

  4. Within the Project setup step, copy the value within the <url> block. This will be your matchHost setting used for your hostRules:

Note: If you have multiple feeds for your Maven packages, you will need to complete these steps and create a hostRule for each feed (<url>) that is being used.

Applying the hostRules

Within your repo-config.json (if you have a global setup) or, in your .whitesource file (if you are configuring at the repo level), include the following required hostRules settings:

  • matchHost - The URL of the Azure Artifacts feed where your Maven packages are located. NOTE: You should have one hostRule for each Azure Artifacts feed where your Maven packages are located - meaning there can be multiple hostRules

    • If your feed is Org-scoped, the URL will look something like this:

      CODE
      https://pkgs.dev.azure.com/<AzureOrgName>/_packaging/<feedName>/maven/v1
    • If your feed is Project-scoped, the URL will look something like this:

      CODE
      https://pkgs.dev.azure.com/<AzureOrgName>/<AzureProjectName>/_packaging/<feedName>/maven/v1
  • hostType - maven

  • userName - Your Azure Organization name or your Azure Project name, depending on how your Artifacts feed was scoped when it was created. You can also check this value in your settings.xml’s <username> block.

  • token - The encrypted value that was generated

hostRules Examples

Example with an Org-scoped Artifacts feed:

CODE
{
  "hostRules": [
    {
      "matchHost": "https://pkgs.dev.azure.com/<AzureOrgName>/_packaging/<feedName>/maven/v1",
      "hostType": "maven",
      "userName": "<Azure Organization name>",
      "encrypted": {
        "token": "3f832f2983yf89hsd98ahadsjfasdfjaslf............"
      }
    }
  ]
}

Example with a Project-scoped Artifacts feed:

CODE
{
  "hostRules": [
    {
      "matchHost": "https://pkgs.dev.azure.com/<AzureOrgName>/<AzureProjectName>/_packaging/<feedName>/maven/v1",
      "hostType": "maven",
      "userName": "<Azure Project name>",
      "encrypted": {
        "token": "3f832f2983yf89hsd98ahadsjfasdfjaslf............"
      }
    }
  ]
}
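A practitioner rolling these hostRules out to many repositories will want a quick sanity check before committing a repo-config.json or .whitesource file. The following Python script is an added example (not Mend's own tooling) that validates each hostRule against the two feed-URL shapes shown above, checks that userName matches the org or project in the URL, confirms hostType is maven, and flags a PAT that was placed in a plaintext token field instead of under encrypted; the sample config is constructed for illustration.

```python
import json
import re

# Constructed sample config (not from the original page): one correct rule and one faulty rule.
SAMPLE_CONFIG = r'''
{
  "hostRules": [
    {
      "matchHost": "https://pkgs.dev.azure.com/contoso/_packaging/libs/maven/v1",
      "hostType": "maven",
      "userName": "contoso",
      "encrypted": {"token": "3f832f2983yf89hsd98ahadsjfasdfjaslf"}
    },
    {
      "matchHost": "https://pkgs.dev.azure.com/contoso/payments/_packaging/libs/maven/v1",
      "hostType": "maven",
      "userName": "payments",
      "token": "pat-in-plaintext"
    }
  ]
}
'''

# Org-scoped and Project-scoped Azure Artifacts Maven feed URL shapes, as given on the page.
ORG_FEED = re.compile(r"^https://pkgs\.dev\.azure\.com/([^/]+)/_packaging/([^/]+)/maven/v1/?$")
PROJECT_FEED = re.compile(r"^https://pkgs\.dev\.azure\.com/([^/]+)/([^/]+)/_packaging/([^/]+)/maven/v1/?$")

def check_host_rule(rule):
    """Return a list of problems found in one hostRule (an empty list means the rule is OK)."""
    problems = []
    host = rule.get("matchHost", "")
    org, proj = ORG_FEED.match(host), PROJECT_FEED.match(host)
    if not (org or proj):
        problems.append(f"matchHost is not an Azure Artifacts Maven feed URL: {host!r}")
    if rule.get("hostType") != "maven":
        problems.append(f"hostType must be 'maven', got {rule.get('hostType')!r}")
    # userName is the org name for an org-scoped feed, the project name for a project-scoped feed.
    expected_user = org.group(1) if org else (proj.group(2) if proj else None)
    if expected_user and rule.get("userName") != expected_user:
        problems.append(f"userName should be {expected_user!r} for this feed, got {rule.get('userName')!r}")
    # The PAT must only ever appear as the encrypted value; a plaintext token field is a leak.
    if "token" in rule:
        problems.append("plaintext 'token' found; the PAT must be placed under 'encrypted'")
    if not rule.get("encrypted", {}).get("token"):
        problems.append("missing encrypted.token")
    return problems

def check_config(text):
    """Map each hostRule's matchHost to its list of problems for a repo-config.json / .whitesource document."""
    config = json.loads(text)
    return {r.get("matchHost", "<missing>"): check_host_rule(r) for r in config.get("hostRules", [])}
```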