Description
We are integrating scanoss-py in our CI environment for automated scanning and SBOM generation, FOSS.
Currently, the OSSKB public API is not working in our setup. We are facing multiple issues depending on the method used.
Issue 1 – SSL Error (scan command)
Command used:
scanoss-py scan . --format cyclonedx --output sbom.json
Error:
SSLError: HTTPSConnection ... certificate verify failed
We also tested after adding the corporate root certificate, but the issue persists.
Issue 2 – Direct API upload (WFP)
Generated WFP:
scanoss-py wfp . -o output.wfp
Verified file:
- File exists
- Not empty
- Generated using latest scanoss-py
Curl command used:
curl -X POST "https://api.osskb.org/scan/direct" -H "Content-Type: application/octet-stream" --data-binary "@output.wfp"
Response:
{"error":"Missing or invalid file"}
Network Testing
- Tested from corporate internal network
- Tested from external ISP (non-corporate network)
- Same behavior in both environments
- No proxy blocking observed
- No firewall rejection message
Observations
- Public OSSKB endpoint may have changed
- Possibly authentication/API key is now required
- Documentation does not clearly mention current requirements
- Both scan command and direct upload fail
Environment
OS: Windows 11
Python: 3.13
scanoss-py: (run scanoss-py --version)
Usage: CLI integration for automated SBOM generation and FOSS
Questions
1. Is the public OSSKB API still available for anonymous usage?
2. Is an API key now mandatory?
3. Has the /scan/direct endpoint changed?
4. Is there updated documentation for current API usage?
Kindly clarify the correct integration method.
Thank you.
Raghu.
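
An added diagnostic example, not part of the original report and not scanoss-py code: it checks whether a corporate root certificate is actually in the CA bundle Python verifies against, which is one way "certificate verify failed" can persist after the root was added elsewhere. It assumes the client's HTTPS calls go through the `requests` library, which reads `REQUESTS_CA_BUNDLE`/`CURL_CA_BUNDLE` or the `certifi` bundle rather than the Windows certificate store; the sample PEM data is constructed.

```python
import hashlib
import os
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate found in a PEM bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_BLOCK.findall(pem_text)}

def effective_bundle(env=None):
    """Return (path, source) of the CA file a requests-based client uses."""
    env = os.environ if env is None else env
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return env[var], var
    try:
        import certifi  # normally installed as a dependency of requests
        return certifi.where(), "certifi"
    except ImportError:
        return ssl.get_default_verify_paths().cafile, "openssl-default"

def root_is_trusted(root_pem, bundle_pem):
    """True only if every certificate in root_pem is present in bundle_pem."""
    wanted = fingerprints(root_pem)
    return bool(wanted) and wanted <= fingerprints(bundle_pem)

# Constructed sample data: placeholder bytes in PEM armor, not real certificates.
CORP_ROOT = ssl.DER_cert_to_PEM_cert(b"constructed corporate root CA")
PUBLIC_BUNDLE = (ssl.DER_cert_to_PEM_cert(b"constructed public CA 1")
                 + ssl.DER_cert_to_PEM_cert(b"constructed public CA 2"))

if __name__ == "__main__":
    # Usage: python check_bundle.py corporate-root.pem
    path, source = effective_bundle()
    print(f"CA bundle in effect: {path} (from {source})")
    if len(sys.argv) > 1 and path:
        with open(sys.argv[1], encoding="utf-8") as r, \
             open(path, encoding="utf-8") as b:
            ok = root_is_trusted(r.read(), b.read())
        print("corporate root present" if ok else "corporate root MISSING")
```

If the root is reported missing, pointing `REQUESTS_CA_BUNDLE` at a PEM file that contains it adds trust at the `requests` level without disabling verification.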