• English

    • Supported Protocols

    OSA Proxy implementation

    This page describes the current OSA Proxy implementation. The archived Java/Spring implementation is available in Archived Java/Spring implementation.

    This section describes which resources OSA Proxy checks and which responses it can modify for each ecosystem.

    Summary

    EcosystemManifest scanningPackage scanningResponse modification
    MavenYesYesRemoves blocked versions from maven-metadata.xml, updates latest and release.
    npmYesYesRemoves blocked versions from metadata, updates dist-tags and tarball links.
    PyPIYesYesRemoves blocked links from Simple API pages, rewrites download URLs through the proxy.
    NuGetYesYesModifies service index and registration metadata, removes blocked versions.
    Go modulesYesYesRemoves blocked versions from @v/list, proxies module zip and SumDB.
    ComposerYesYesModifies Packagist/Composer metadata and rewrites dist URLs through the proxy.
    RubyGemsYesYesChecks RubyGems metadata and downloaded .gem packages.
    DebianNoYesPackages indexes are not modified.
    Alpine (APK)NoYesAPKINDEX indexes are not modified.
    RPMNoYesrepodata metadata is not modified.
    DockerYesNoChecks image manifests; manifest lists are used to resolve image manifests and are not sent for checking as separate components. Blob/layer requests are proxied without separate layer checks. Several Docker repositories use subdomains.

    scan-manifest and scan-package

    scan-manifest enables checking and modification of metadata from which the package manager selects available versions. When a blocking policy is triggered, unsafe versions are removed from the response or marked as blocked when the format supports it.

    scan-package enables checking of downloaded artifacts: archives, binary packages, module zip files, .gem, .deb, .apk, or .rpm. If a policy blocks the component, the download is interrupted with the HTTP code from codescoring.block-status-code.

    For Debian, Alpine, and RPM, only scan-package is used: system indexes are not modified, so the package manager can still see the version in the index, but downloading the specific package is blocked when it violates a policy.

    For Docker, repository configuration does not use scan-manifest or scan-package. OSA Proxy checks Docker image manifests. Manifest lists are used to resolve image manifests and are not sent for checking as separate components; blob/layer requests are proxied to the registry.

    Maven

    • Metadata: maven-metadata.xml.
    • Packages: .jar, .war, .ear, and other Maven artifacts.
    • When metadata is modified, blocked versions are removed and latest/release are updated to the latest allowed version.

    npm

    • Metadata: package JSON metadata.
    • Packages: .tgz.
    • Blocked versions and related time entries are removed from metadata, and dist-tags are recalculated to allowed versions.

    PyPI

    • Metadata: Simple API pages.
    • Packages: .whl, .tar.gz, .zip, and other Python package archives.
    • Links to blocked versions are removed, and download URLs are rewritten so downloads go through OSA Proxy.

    NuGet

    • Metadata: service index and registration index.
    • Packages: .nupkg.
    • The client uses the /nuget-api/v3/index.json route; metadata is rewritten to OSA Proxy URLs.

    Go modules

    • Metadata: version list @v/list.
    • Packages: module .zip.
    • Blocked versions are removed from the version list. SumDB uses sumdb-registry and the GOSUMDB client setting.

    Composer

    • Metadata: Composer/Packagist metadata.
    • Packages: dist archives .zip, .tar, .tgz, .tar.gz, .tar.bz2, .tar.xz.
    • Dist URLs are rewritten to OSA Proxy routes. For external dist hosts, use packages-registry and additional-packages-registries.

    RubyGems

    • Metadata: RubyGems indexes.
    • Packages: .gem.
    • Metadata and downloaded gem packages are checked.

    Docker

    • Metadata: Docker image manifest. Manifest lists are used to resolve image manifests.
    • Packages: there is no separate scan-package; blob/layer requests are proxied to the registry.
    • Docker uses standard /v2/... and /token endpoints, so several Docker repositories are separated by subdomains, not by the first path segment.

    Blocking Diagnostics

    If a package manager does not display the blocking reason, check the corresponding metadata endpoint directly:

    curl https://osa-proxy.example.com/npm/lodash
curl https://osa-proxy.example.com/pypi/simple/requests/
curl https://osa-proxy.example.com/maven/org/apache/commons/commons-lang3/maven-metadata.xml
curl https://osa-proxy.example.com/nuget/nuget-api/v3/registration5-gz-semver2/newtonsoft.json/index.json
curl https://osa-proxy.example.com/go/github.com/gin-gonic/gin/@v/list
    Was this page helpful?