Service configuration
Main parameters
OSA Proxy is configured through the application.yml file. Secrets such as codescoring.token or an HTTP proxy password do not have to be stored in the file itself: Spring Boot resolves ${ENV_VAR} placeholders in application.yml from the environment, so a value can be written as token: '${CODESCORING_TOKEN}'.
Example configuration file
# CodeScoring parameters
codescoring:
  host: CodeScoring server URL
  token: authorization token (with access level User or higher)
  work-mode: operation mode (applies only to package scanning)
    # warmup      | warm up the scan cache without monitoring requests, no blocking
    # spectator   | warm up the scan cache with request monitoring, no blocking
    # moderate    | policy-based blocking using cache results, unscanned components allowed
    # strict      | policy-based blocking using cache results, unscanned components blocked
    # strict_wait | policy-based blocking, wait until the component is scanned
  proxy-manager-host: proxy server host
  enable-status-line: true/false (adds the block reason to the status line)
  block-status-code: HTTP status code returned when a package download is blocked
  block-on-codescoring-errors: block package downloads on CodeScoring 5xx responses and scan_failed errors
  override-block-url: true/false (replaces the URL in the block reason link with the one specified in codescoring.host)
  remove-blocked-versions: true/false (default: true; when true, blocked versions are removed from the manifest; when false, they are marked as deprecated)
# PyPI settings
pypi:
  enabled: true
  repository:
    - name: internet-pypi
      scan-manifest: true
      scan-package: true
      registry: https://pypi.org
      packages-registry: https://files.pythonhosted.org
    - name: arti-pypi
      scan-manifest: true
      scan-package: true
      registry: http://localhost:8081/artifactory/api/pypi/pypi-remote
      packages-registry: http://localhost:8081/artifactory/api/pypi/pypi-remote/packages
    - name: nexus-pypi
      scan-manifest: true
      scan-package: true
      registry: https://localhost:8081/repository/pypi-proxy
      packages-registry: https://localhost:8081/repository/pypi-proxy/packages
# Maven settings
maven:
  enabled: true
  repository:
    - name: internet-mvn
      scan-manifest: true
      scan-package: true
      registry: https://repo1.maven.org/maven2
    - name: arti-mvn
      scan-manifest: false
      scan-package: true
      registry: http://localhost:8081/artifactory/maven-remote
    - name: nexus-mvn
      scan-manifest: false
      scan-package: true
      registry: http://localhost:8081/repository/maven-proxy
# npm settings
npm:
  enabled: true
  repository:
    - name: internet-npm
      scan-package: true
      scan-manifest: true
      registry: https://registry.npmjs.org
    - name: arti-npm
      scan-package: true
      scan-manifest: true
      registry: http://localhost:8081/artifactory/api/npm/npm-remote
    - name: nexus-npm
      scan-package: true
      scan-manifest: true
      registry: http://localhost:8081/repository/npm-proxy
# NuGet settings
nuget:
  enabled: true
  repository:
    - name: codescoring-nuget
      scan-package: true
      registry: https://api.nuget.org
    - name: arti-nuget
      scan-package: true
      registry: http://localhost:8081/artifactory/api/nuget/v3/nuget-remote
    - name: nexus-nuget
      scan-package: true
      scan-manifest: true
      registry: http://localhost:8081/repository/nuget-v3-proxy
# Go settings
go:
  enabled: true
  repository:
    - name: codescoring-go
      scan-manifest: true
      scan-package: true
      url-encoded-config: true
      registry: https://proxy.golang.org/
      sumdb-registry: https://sum.golang.org
    - name: arti-go
      scan-package: true
      scan-manifest: true
      url-encoded-config: true
      registry: http://localhost:8081/artifactory/api/go/go-virt
    - name: nexus-go
      scan-package: true
      scan-manifest: true
      url-encoded-config: true
      registry: http://localhost:8081/repository/go-proxy/
# Debian settings
debian:
  enabled: true
  repository:
    - name: codescoring-debian
      scan-package: true
      url-encoded-config: true
      registry: https://ports.ubuntu.com/ubuntu-ports/
      distro: plucky
    - name: arti-debian
      scan-package: true
      url-encoded-config: true
      registry: http://localhost:8081/artifactory/debian-remote
      distro: plucky
    - name: nexus-debian
      scan-package: true
      url-encoded-config: true
      registry: http://localhost:8081/repository/debian11
      distro: bullseye
# Alpine (APK) settings
alpine:
  enabled: true
  repository:
    - name: codescoring-alpine
      scan-package: true
      registry: https://dl-cdn.alpinelinux.org/alpine
    - name: arti-alpine
      scan-package: true
      registry: http://localhost:8081/artifactory/alpine-remote
# RPM settings
rpm:
  enabled: true
  repository:
    - name: codescoring-rpm
      scan-package: true
      registry: https://repo.almalinux.org/almalinux
    - name: arti-rpm
      scan-package: true
      registry: http://localhost:8081/artifactory/rpm-remote
# Docker Registry settings
docker:
  enabled: true
  repository:
    - name: codescoring-docker
      registry: https://registry-1.docker.io
      auth-token-url: https://auth.docker.io
    - name: arti-docker
      registry: http://localhost:8081/artifactory/docker-remote
      auth-token-url: http://localhost:8081
Specifics of working with Nexus Repository and JFrog Artifactory
- For JFrog Artifactory, it is recommended to set a Custom Base URL and use it in the registry field so that package references inside manifests are rewritten correctly.
- In the configuration package manager -> JFrog -> OSA Proxy -> internet, the Bypass HEAD requests flag must be set in the additional settings of the JFrog repository.
- Nexus Repository has no equivalent setting: the host and port (if specified) taken from the request are used in manifests. If Nexus sits behind a reverse proxy, it is recommended to use the reverse proxy address in the registry field, for example: registry: https://nexushost.ru/repository/pypi-proxy.
Additional settings
Logging level settings
Example logging configuration
logging:
  level:
    ru:
      codescoring: info
Viewing blocked packages in logs
To find blocked packages in the application logs, make sure the logging level for ru.codescoring is info or a more verbose level (debug or trace). The PolicyLogger component writes a line for each blocked package in one of the following formats:
- For packages blocked by policies:
Policy '<policy_name>' blocked package '<package_name>' versions: [<versions>]
- For OSA packages blocked by the platform:
Policy blocked package '<purl>' for endpoint '<endpoint>': <reason>
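The two PolicyLogger formats above are stable enough to parse directly, which is useful for feeding block events into a SIEM or a daily report. The following script is an added example and not part of OSA Proxy; it relies only on the two message formats documented on this page. The Spring Boot-style timestamp/thread prefix in SAMPLE_LOG is constructed, the policy name, packages and reason text are placeholders, and the version list inside the square brackets is assumed to be comma-separated.

```python
"""Parse OSA Proxy PolicyLogger block messages into structured events.

Added example (not OSA Proxy code). Only the two documented message formats
are relied on; the log line prefix, policy name, packages and reason text in
SAMPLE_LOG are constructed placeholders.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Format 1: Policy '<policy_name>' blocked package '<package_name>' versions: [<versions>]
POLICY_RE = re.compile(
    r"Policy '(?P<policy>[^']+)' blocked package '(?P<package>[^']+)' "
    r"versions: \[(?P<versions>[^\]]*)\]"
)
# Format 2: Policy blocked package '<purl>' for endpoint '<endpoint>': <reason>
PLATFORM_RE = re.compile(
    r"Policy blocked package '(?P<purl>[^']+)' for endpoint '(?P<endpoint>[^']+)': (?P<reason>.+)$"
)


@dataclass
class BlockEvent:
    kind: str                      # "policy" (format 1) or "platform" (format 2)
    package: str                   # package name (format 1) or purl (format 2)
    versions: list[str] = field(default_factory=list)
    policy: str | None = None
    endpoint: str | None = None
    reason: str | None = None


def parse_line(line: str) -> BlockEvent | None:
    """Return a BlockEvent for a PolicyLogger block line, or None for any other line."""
    m = POLICY_RE.search(line)
    if m:
        # assumption: the bracketed list is comma-separated, e.g. [1.0.0, 1.0.1]
        versions = [v.strip() for v in m.group("versions").split(",") if v.strip()]
        return BlockEvent("policy", m.group("package"), versions, policy=m.group("policy"))
    m = PLATFORM_RE.search(line)
    if m:
        return BlockEvent("platform", m.group("purl"),
                          endpoint=m.group("endpoint"), reason=m.group("reason").strip())
    return None


def parse_log(text: str) -> list[BlockEvent]:
    """All block events in a log text, in order; unrelated lines are skipped."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e is not None]


def count_by_policy(events: list[BlockEvent]) -> dict[str, int]:
    """Number of blocks per policy; platform-level blocks are grouped under 'platform'."""
    return dict(Counter(e.policy or "platform" for e in events))


# Constructed sample: two block lines plus one unrelated trace line that must be ignored.
SAMPLE_LOG = """\
2025-01-15 10:21:03.417  INFO 1 --- [reactor-http-nio-2] PolicyLogger : Policy 'no-critical-cves' blocked package 'lodash' versions: [4.17.15, 4.17.20]
2025-01-15 10:21:04.002  INFO 1 --- [reactor-http-nio-3] PolicyLogger : Policy blocked package 'pkg:pypi/requests@2.19.0' for endpoint 'internet-pypi': blocked by platform policy
2025-01-15 10:21:04.118 TRACE 1 --- [reactor-http-nio-3] RegistryRequestResponseLogger : GET https://pypi.org/simple/requests/
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(ev)
    print(count_by_policy(events))
```

Because both patterns are searched anywhere in the line, the script works regardless of the logging pattern configured in front of the message; only the message body has to match the documented formats.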
Logging external requests
External requests to third-party registries can be logged using the ru.codescoring.proxy.logging.RegistryRequestResponseLogger component. To do this, set its logging level to trace.
Example configuration for logging external requests
logging:
  level:
    ru.codescoring.proxy.logging.RegistryRequestResponseLogger: trace
Blocked version handling mode in manifests
The codescoring.remove-blocked-versions parameter controls how blocked package versions appear in npm, PyPI, and NuGet manifests:
true (default): blocked versions are removed from the manifest entirely. The package manager never sees them and will not offer them to the user.
false: blocked versions stay in the manifest but are marked as deprecated, with the name of the triggered policy written to the relevant field:
- npm: the deprecated field of the version entry contains the policy name;
- PyPI: the data-yanked attribute of the package link contains the policy name;
- NuGet: the deprecation.message field of the entry contains the policy name, and listed is set to false.
Example configuration
codescoring:
  remove-blocked-versions: false
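To verify from the client side that the proxy is marking versions as described when remove-blocked-versions is false, the manifests it serves can be inspected for exactly these three fields. The script below is an added example, not OSA Proxy code; the npm packument, PyPI simple-index page and NuGet registration document are constructed by hand to carry the documented fields, and example-lib, the file URLs and the policy name no-critical-cves are placeholders.

```python
"""Client-side check of the markers OSA Proxy leaves on blocked versions when
codescoring.remove-blocked-versions is false.

Added example (not OSA Proxy code). The three manifests below are constructed
samples; package names, URLs and the policy name are placeholders.
"""
from __future__ import annotations

import json
from html.parser import HTMLParser


def npm_blocked_versions(packument: dict) -> dict[str, str]:
    """npm: {version: policy} for version entries whose 'deprecated' field is set."""
    return {
        ver: meta["deprecated"]
        for ver, meta in packument.get("versions", {}).items()
        if meta.get("deprecated")
    }


class _SimpleIndexParser(HTMLParser):
    """Collects <a> links of a PEP 503 simple index page that carry data-yanked."""

    def __init__(self) -> None:
        super().__init__()
        self.yanked: dict[str, str] = {}

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "a":
            return
        a = dict(attrs)
        if "data-yanked" in a:
            # file name = last path segment of href, without the #sha256=... fragment
            filename = (a.get("href") or "").split("#", 1)[0].rsplit("/", 1)[-1]
            self.yanked[filename] = a["data-yanked"] or ""


def pypi_yanked_files(simple_html: str) -> dict[str, str]:
    """PyPI: {file name: policy} for links marked with data-yanked."""
    parser = _SimpleIndexParser()
    parser.feed(simple_html)
    return parser.yanked


def nuget_blocked_versions(registration: dict) -> dict[str, str]:
    """NuGet: {version: policy} for unlisted registration entries with a deprecation message."""
    out: dict[str, str] = {}
    for page in registration.get("items", []):
        for leaf in page.get("items", []):
            entry = leaf.get("catalogEntry", {})
            dep = entry.get("deprecation")
            if dep and entry.get("listed") is False:
                out[entry["version"]] = dep.get("message", "")
    return out


# Constructed samples: version 1.1.0 blocked by policy 'no-critical-cves', 1.2.0 allowed.
NPM_PACKUMENT = json.loads("""{
  "name": "example-lib",
  "dist-tags": {"latest": "1.2.0"},
  "versions": {
    "1.1.0": {"version": "1.1.0", "deprecated": "no-critical-cves"},
    "1.2.0": {"version": "1.2.0"}
  }
}""")

PYPI_SIMPLE_HTML = """<!DOCTYPE html><html><body>
<a href="https://files.example/example_lib-1.1.0-py3-none-any.whl#sha256=aa" data-yanked="no-critical-cves">example_lib-1.1.0-py3-none-any.whl</a>
<a href="https://files.example/example_lib-1.2.0-py3-none-any.whl#sha256=bb">example_lib-1.2.0-py3-none-any.whl</a>
</body></html>"""

NUGET_REGISTRATION = json.loads("""{
  "items": [{"items": [
    {"catalogEntry": {"id": "Example.Lib", "version": "1.1.0", "listed": false,
                      "deprecation": {"reasons": ["Other"], "message": "no-critical-cves"}}},
    {"catalogEntry": {"id": "Example.Lib", "version": "1.2.0", "listed": true}}
  ]}]
}""")


def report() -> dict[str, dict[str, str]]:
    """One dict per ecosystem: marked versions/files and the policy that triggered."""
    return {
        "npm": npm_blocked_versions(NPM_PACKUMENT),
        "pypi": pypi_yanked_files(PYPI_SIMPLE_HTML),
        "nuget": nuget_blocked_versions(NUGET_REGISTRATION),
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Keep in mind that these markers are advisory on the client side: npm still installs a deprecated version (with a warning), pip still installs a yanked file when the version is pinned exactly, and NuGet can still restore an unlisted version by exact version number. Whether the download itself is served or refused is decided by the work-mode and the package scan, not by the manifest marking, so test a pinned install of a blocked version before relying on false in a hardened setup.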
Buffer size for large manifests
Example buffer size configuration
spring:
  http:
    codecs:
      max-in-memory-size: 150MB
150MB is the default already shipped with the application; increase it only if very large manifests fail to load.
Retry configuration
This configuration defines the retry policy for the codeScoringApi service. It handles temporary failures by retrying up to 3 times with exponential backoff: the first delay is 1 second and each subsequent delay doubles. The policy applies only to certain exceptions, such as WebClientRequestException.
Circuit breaker configuration
The circuit breaker for codeScoringApi acts as a fail-fast mechanism. It tracks the failure rate over the last 20 calls, and if the rate reaches 50% it "opens" and rejects further requests for 30 seconds, giving the downstream service time to recover. After the wait period it switches to the "half-open" state and allows 5 trial calls to check whether the service has recovered.
While the circuit is open, calls to CodeScoring are rejected without being attempted, so test in a staging environment whether your work-mode together with block-on-codescoring-errors fails open (serves unscanned packages) or fails closed during that window, and pick the behaviour you want before going to production.
Both the retry and the circuit breaker settings for codeScoringApi can be overridden through configuration properties.
Adding truststore certificates
Example of adding truststore certificates in application.yml
spring:
  cloud:
    gateway:
      server:
        webflux:
          httpclient:
            ssl:
              trustedX509Certificates:
                - /usr/local/share/ca-certificates/codescoring.crt
                - /etc/ssl/certs/ca-certificates.crt
Adding an HTTP proxy
Example HTTP proxy configuration
spring:
  cloud:
    gateway:
      httpclient:
        proxy:
          host: proxy.host.ru
          port: 9091
          username: 'username'
          password: 'password'
          non-proxy-hosts-pattern: '(localhost|127.0.0.1|.*\.internal\.com)'