
Puma Scan Professional Sonatype OSS Index Integration

Enabling the Sonatype OSS Index Integration

We’re excited about the new integration with the Sonatype OSS Index. It lets software developers, security engineers and DevOps engineers perform source code scanning and open source component analysis in a single tool instead of several. To take advantage of this feature, customers need to do the following:

  1. Register for a Sonatype OSS Index Account
  2. Opt in to the Sonatype OSS Index integration via the Puma Scan Customer Portal
  3. Refresh your product license(s)

Let’s get started!

Creating your Sonatype API Token

Once you’ve registered for a free Sonatype OSS Index account, an API Token can be generated or regenerated under User Settings in your Sonatype OSS Index account.

Enabling the Puma Scan Sonatype Integration

Please Note! If your Puma Scan Professional License is part of an Organization, please contact the Organization Owner or Manager to perform this step. With Puma Scan Organizations, the Sonatype OSS Index integration is managed at the Organization level, so the Organization performs this step once to enable the integration for all of its Organization Members. Once your Organization Owner or Manager has completed this step, continue to the Refresh your License step below.

After you’ve created your Sonatype OSS Index account and generated an API Token, visit the Puma Scan Customer Portal to provide Puma Scan Professional with your Sonatype OSS Index Information.

  1. Log into your Puma Scan Portal account and click the Integrations link on the My Profile page
  2. Enter the email address used for your Sonatype OSS Index account as well as the API Token that you generated in your Sonatype OSS Index User Settings
  3. Click the checkmark and accept the updated terms and conditions to enable the integration

Please note: If you choose to opt out of the integration, click the X. This tells the Puma Scan Professional products that you don’t want to enable the Sonatype OSS Index feature.

Screenshot: the Integrations page, where you opt in to the Sonatype OSS Index feature.

Refresh your License

Once the Sonatype OSS Index integration is enabled for your account or Organization, refresh your Puma Scan Professional product licenses.

Visual Studio 2017/2019

To refresh your license in Visual Studio 2017 or 2019, open the Activate License menu item in the Puma Scan extension menu. Click the Choose New License link button and follow the dialog prompts. Once the license has been refreshed, restart Visual Studio.

Screenshot: the Puma Scan Professional Activate License dialog in Visual Studio.

VS Code

To refresh your license in VS Code, run the Puma Scan: Activate License command from the Command Palette or from the ellipsis menu in the upper right-hand corner of VS Code once a document is loaded.

Screenshot: the Puma Scan Professional Activate License command in VS Code.

Server Edition

To refresh your Puma Scan Professional Server Edition license, download a new copy of the license file from the Licenses page of the Puma Scan Customer Portal, then place the file where Server Edition reads it. The default license file location is %appdata%/PumaSecurity/PumaScan, but your build pipeline may be configured to read the license from a custom location, in which case place the file there instead.

Azure DevOps License

To refresh your Puma Scan Professional Azure DevOps Edition license, visit the Licenses page on the Puma Scan Customer Portal and select the Copy License To Clipboard button next to the appropriate Azure DevOps Edition license entry.

Screenshot: the Copy License to Clipboard button on the Licenses page.

Back in Azure DevOps, select the pipeline you would like to update and set the value of the pipeline variable named PumaLicense to the license value you just copied to your clipboard. Once updated, save the pipeline.

Screenshot: the Variables tab of an Azure DevOps pipeline, showing the PumaLicense variable.

Perform a scan!

Now that your products have an updated license, run a new scan to confirm that the Sonatype OSS Index capabilities are working. Currently, Puma Scan Professional supports scanning dependencies defined in packages.config and .csproj files. Support for scanning package.json files will be added in a future release.

Screenshot: Puma Scan Professional End User Edition scan results reporting vulnerable dependencies, powered by Sonatype OSS Index.