## Supported Protocols
This section describes which resources OSA Proxy Go checks and which responses it can modify for each ecosystem.
### Summary
| Ecosystem | Manifest scanning | Package scanning | Response modification |
|---|---|---|---|
| Maven | Yes | Yes | Removes blocked versions from maven-metadata.xml, updates latest and release. |
| npm | Yes | Yes | Removes blocked versions from metadata, updates dist-tags and tarball links. |
| PyPI | Yes | Yes | Removes blocked links from Simple API pages, rewrites download URLs through the proxy. |
| NuGet | Yes | Yes | Modifies service index and registration metadata, removes blocked versions. |
| Go modules | Yes | Yes | Removes blocked versions from @v/list, proxies module zip and SumDB. |
| Composer | Yes | Yes | Modifies Packagist/Composer metadata and rewrites dist URLs through the proxy. |
| RubyGems | Yes | Yes | Checks RubyGems metadata and downloaded .gem packages. |
| Debian | No | Yes | Package indexes are not modified. |
| Alpine (APK) | No | Yes | APKINDEX indexes are not modified. |
| RPM | No | Yes | repodata metadata is not modified. |
| Docker | Yes | No | Checks image manifests; manifest lists are used to resolve image manifests and are not sent for checking as separate components. Blob/layer requests are proxied without separate layer checks. Several Docker repositories use subdomains. |
### scan-manifest and scan-package
`scan-manifest` enables checking and modification of the metadata from which the package manager selects available versions. When a blocking policy is triggered, unsafe versions are removed from the response or marked as blocked when the format supports it.
`scan-package` enables checking of downloaded artifacts: archives, binary packages, module zip files, `.gem`, `.deb`, `.apk`, or `.rpm`. If a policy blocks the component, the download is interrupted with the HTTP code from `codescoring.block-status-code`.
For Debian, Alpine, and RPM, only `scan-package` is used: system indexes are not modified, so the package manager can still see the version in the index, but downloading the specific package is blocked when it violates a policy.
For Docker, repository configuration does not use `scan-manifest` or `scan-package`. OSA Proxy Go checks Docker image manifests. Manifest lists are used to resolve image manifests and are not sent for checking as separate components; blob/layer requests are proxied to the registry.
### Maven
- Metadata: `maven-metadata.xml`.
- Packages: `.jar`, `.war`, `.ear`, and other Maven artifacts.
- When metadata is modified, blocked versions are removed and `latest`/`release` are updated to the latest allowed version.
### npm
- Metadata: package JSON metadata.
- Packages: `.tgz`.
- Blocked versions and related `time` entries are removed from metadata, and `dist-tags` are recalculated to allowed versions.
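The npm rewrite described above, as an added illustration rather than OSA Proxy Go's own code: it drops blocked versions and their `time` entries, re-points `dist-tags` that referenced a blocked version, and rewrites tarball links onto the proxy. The sample registry document, the `https://osa-proxy.example.com/npm` route layout, and the rule that `latest` must land on a stable release are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample registry document (abbreviated), not real registry data.
UPSTREAM = "https://registry.npmjs.org/demo-pkg/-/demo-pkg-{v}.tgz"
SAMPLE = {
    "name": "demo-pkg",
    "dist-tags": {"latest": "2.0.0", "beta": "2.1.0-beta.1"},
    "versions": {v: {"version": v, "dist": {"tarball": UPSTREAM.format(v=v)}}
                 for v in ("1.0.0", "2.0.0", "2.1.0-beta.1")},
    "time": {"created": "2024-01-01T00:00:00Z", "1.0.0": "2024-01-01T00:00:00Z",
             "2.0.0": "2024-02-01T00:00:00Z", "2.1.0-beta.1": "2024-03-01T00:00:00Z"},
}

def semver_key(v):
    """Sort key: numeric parts, then a release above a pre-release of the same number."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?", v)
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")

def filter_npm_metadata(meta, blocked, proxy_base):
    """Return a copy of the npm metadata with blocked versions removed,
    their 'time' entries dropped, dist-tags re-pointed and tarballs proxied."""
    out = json.loads(json.dumps(meta))  # deep copy; never mutate the cached original
    blocked = set(blocked)
    for v, entry in list(out["versions"].items()):
        if v in blocked:
            del out["versions"][v]
            out.get("time", {}).pop(v, None)
        else:
            # Keep the upstream path, swap the host for the proxy route (assumed layout).
            entry["dist"]["tarball"] = proxy_base.rstrip("/") + urlparse(entry["dist"]["tarball"]).path
    allowed = sorted(out["versions"], key=semver_key)
    for tag, v in list(out["dist-tags"].items()):
        if v not in blocked:
            continue
        # Assumed rule: 'latest' must point at a stable release; other tags take the highest allowed.
        pool = [a for a in allowed if semver_key(a)[3] == 1] if tag == "latest" else allowed
        if pool:
            out["dist-tags"][tag] = pool[-1]
        else:
            del out["dist-tags"][tag]
    return out

if __name__ == "__main__":
    print(json.dumps(filter_npm_metadata(SAMPLE, ["2.0.0"], "https://osa-proxy.example.com/npm"), indent=2))
```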
### PyPI
- Metadata: Simple API pages.
- Packages: `.whl`, `.tar.gz`, `.zip`, and other Python package archives.
- Links to blocked versions are removed, and download URLs are rewritten so downloads go through OSA Proxy Go.
### NuGet
- Metadata: service index and registration index.
- Packages: `.nupkg`.
- The client uses the `/nuget-api/v3/index.json` route; metadata is rewritten to OSA Proxy Go URLs.
### Go modules
- Metadata: version list `@v/list`.
- Packages: module `.zip`.
- Blocked versions are removed from the version list. SumDB uses `sumdb-registry` and the `GOSUMDB` client setting.
### Composer
- Metadata: Composer/Packagist metadata.
- Packages: dist archives `.zip`, `.tar`, `.tgz`, `.tar.gz`, `.tar.bz2`, `.tar.xz`.
- Dist URLs are rewritten to OSA Proxy Go routes. For external dist hosts, use `packages-registry` and `additional-packages-registries`.
### RubyGems
- Metadata: RubyGems indexes.
- Packages: `.gem`.
- Metadata and downloaded gem packages are checked.
### Docker
- Metadata: Docker image manifest. Manifest lists are used to resolve image manifests.
- Packages: there is no separate `scan-package`; blob/layer requests are proxied to the registry.
- Docker uses the standard `/v2/...` and `/token` endpoints, so several Docker repositories are separated by subdomains, not by the first path segment.
### Blocking Diagnostics
If a package manager does not display the blocking reason, check the corresponding metadata endpoint directly:
```
curl https://osa-proxy.example.com/npm/lodash
curl https://osa-proxy.example.com/pypi/simple/requests/
curl https://osa-proxy.example.com/maven/org/apache/commons/commons-lang3/maven-metadata.xml
curl https://osa-proxy.example.com/nuget/nuget-api/v3/registration5-gz-semver2/newtonsoft.json/index.json
curl https://osa-proxy.example.com/go/github.com/gin-gonic/gin/@v/list
```