Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

  • ProGet 2024: SCA & Build Restrictions

    2
    0 Votes
    2 Posts
    7 Views
    stevedennisS
    Hi @caterina , In ProGet 2024+, the Project Analyzer will give some kind of warning/error and builds 1001+ will be in an "inconclusive" state instead of "Compliant", "Warn", or "Noncompliant" That said, ProGet 2024+ does include capabilities to auto-archive builds through use of status/pipelines, so that might be worth investigating. Thanks, Steve
  • Block package from download

    5
    0 Votes
    5 Posts
    20 Views
    I
    Hi Steve. THX. It works :-) Cheers Paddy
  • Api-Call to get vulnerabilties by package and version

    7
    1
    0 Votes
    7 Posts
    27 Views
    I
    Hi Dan. I have now built a parser that fetches the desired information from the WebApp. Thank you very much for your help. Paddy
  • Default Chocolatey feeds to v2 and v3 enabled

    3
    0 Votes
    3 Posts
    7 Views
    steviecoasterS
    Awesome! Thanks for the quick response on this one!
  • Feed creator wizard - proxy creation error

    3
    0 Votes
    3 Posts
    8 Views
    dean-houstonD
    Hi @michal-roszak_0767 , Thanks for letting us know! Unfortunately the Feed Wizard seems to have some quirky behavior when configuring certain combinations of options, as you've noticed. We are actually in the process of rewriting the new feed wizard to be a bit more simpler (esapecially behind-the-scenes), hopefully in the next couple weeks it'll be in a new maintenance release. In the meantime, if you encounter these errors... I would just create the connectors on the MAnage Feed page. Which it sounds like you've done :) -- Dean
  • SAML Authentication with Microsoft Active Directory

    7
    0 Votes
    7 Posts
    41 Views
    rhessingerR
    Hi @Nils-Nilsson, Glad to hear it's working for you! Also, thanks for the feedback on adding that to our docs, I'll work on getting that added soon. Thanks, Rich
  • Import Artifacts from Artifactory 404 Error

    2
    0 Votes
    2 Posts
    8 Views
    stevedennisS
    Hi @misael-esperanzate_5668, Currently, ProGet uses the nexus-maven-repository-index.gz file to see what artifacts are in a Maven repository, and then downloads the files based on that. So you'll need to enable that index file by doing this, I think: https://jfrog.com/help/r/jfrog-artifactory-documentation/maven-indexer This only applies to Maven indexes, and that file is only used for importing/downloading a feed into ProGet. For other feed types, a different API is used. Good news --- in an upcoming maintenance release of ProGet, we will be shifting to use the Artifactory API directly to import artifacts from a repository. Thanks, Steve
  • OCI support?

    helm oci
    11
    1 Votes
    11 Posts
    71 Views
    apxltdA
    Hey @dan-brown_0128, And of course, the other issue with using SHA Digests is that they are unsortable/unordered, and there's no way to know if you're on an "newer" or "older" version. Git inherently has this same problem -- and users who try to name packages after commit hashes quickly learn how poorly that works :) Looking around, it does look like some registries actually support immutable tags (Ex ECR, Harbor). Some tags make sense to be excluded from immutability - like latest since those are dynamic by intention. ProGet's tags are effectively immutable -- in that you need the overwrite permission. But we also have the Semantic Container Versioning, which takes it a step further and enforces tags. Unfortunately, a lot of users don't use this feature or follow our guidance - and they end up with all the predictable headaches. As an engineer, I'm obviously offended in principle by these bad practices, but more practically... the consequences of this kind of misuse/abuse is Tool Blame. And that means we look bad and don't get a renewal. So, my philosophy/approach as a product vendor is "provide a good solution", not necessary "enough rope to hang yourself". As I mentioned before, OCI Repositories are poorly-designed solution to a misunderstood problem -- and my read is that it's going to be a passing fad. Cheers, Alex
  • OCI Support for Assets

    Locked
    5
    1
    0 Votes
    5 Posts
    27 Views
    D
    Hey @stevedennis - From that quote, I get the sense that the container feeds were implemented by trying to force the process into what was implemented for traditional file-based packages rather than treating container images as a different style of artifact. This would explain why it seems OCI isn't a direct drop in fit -- because other traditional package consumers (pypi, nuget, maven, etc) do not behave the same as OCI. As for the scalability comment - I can see your point if you tried to cram traditional package types into OCI where the client doesn't support that. Could clients like nuget support OCI for downloading the nupkg files? Sure. But they haven't so far as I know. On the shock that for container images that you have to provide the URL to access the image -- that's not all that different than traditional software packages. Just on those traditional package tools you're specifying that URL Prefix as part of the client's configuration. The client may add in some "middle parts" to that url. And actually you do run into that some with docker: If you take the common nginx-ingress image hosted on DockerHub, the image name is just nginx/nginx-ingress which works just fine in docker and kubernetes deployments. Secretly, that full image URL parses out to docker.io/library/nginx/nginx-ingress. Last one -- The URL thing. Take a look at some other common registries, including the public GitHub container registry. For those, the URL is always ghcr.io but they then prefix the image with the User/Org (eg: https://github.com/blakeblackshear/frigate/pkgs/container/frigate/394110795?tag=0.15.1). Truthfully, Proget could do a similar approach: proget.corp/MyOciOrDockerFeed/image/path/here:1.2.3
  • Mirrored Replication

    2
    0 Votes
    2 Posts
    9 Views
    stevedennisS
    Hi @james-woods_8996 , You are correct - in a mirror scenario, either side could publish (or delete) packages, and it would be propagated to the other. Three-way is also possible, but you do that with two two-way relationships, if that makes sense? So it's basically A <--> B + B <--> C, and that means if you publish/delete a version on A it will propagate like A --> B --> C. Thanks, Steve
  • Get Package Policies using ProGetClient

    proget proget-client
    2
    0 Votes
    2 Posts
    11 Views
    stevedennisS
    Hi @pmsensi , Short of using the Native API, I'm afraid we don't have a first-class API to export/import package policies and their related information We may consider adding that after ProGet 2025 is released. Thanks, Steve
  • Get package license with ProGetClient

    proget
    2
    1
    0 Votes
    2 Posts
    15 Views
    stevedennisS
    Hi @pmsensi , The pgutil builds audit command should show the same license information you see in the UI: https://docs.inedo.com/docs/proget/api/sca/builds/analyze The pgutil packages audit command should also provide similar information on a package level. Is that's what you're looking for? Thanks, Steve
  • MinIO Support

    7
    0 Votes
    7 Posts
    35 Views
    gdivisG
    Just to let you know - the PR has been merged and we'll release AWS 3.1.2 on Friday with the fix included. Thank you!
  • Feature request - Feed "Other Settings" editor

    2
    0 Votes
    2 Posts
    19 Views
    atrippA
    Hi @michal-roszak_0767 , Just as an update, we've added this to our roadmap planning for ProGet 2026. We will begin that process later this year, after ProGet 2025 has been released (see road to ProGet 2025). Cheers, Alana
  • Publish a Docker image from Gitlab pipeline using Kaniko to Proget

    proget
    3
    0 Votes
    3 Posts
    8 Views
    P
    Hello @atripp , Thank you for your help. We have an intermediate certificate (proxy), which I think, as you point out, can be the problem. I will clarify with our IT department. Anyway, after reading a little bit more, there is a variable to force Kaniko to use HTTP/1.1. variables: GODEBUG: "http2client=0" After adding that, everything works :) Thank you! Best Regards, Pedro
  • pgutil Access denied

    6
    0 Votes
    6 Posts
    25 Views
    Dan_WoolfD
    Hi @si-peham_2672, As far as I can tell, it looks like there is still a permission issue with the working directory that is preventing file listing. The workaround to use the --input argument seems to get past that issue, so I would continue to use that. For your reference, I did test this locally and on a test server, and both worked without issue. If you are interested, here is a link to our code that is searching for the file (https://github.com/Inedo/pgutil/blob/5001174a4c786bb238e8546d18d82fed71cfcc58/Inedo.ProGet/Scan/DependencyScanner.cs#L114). The SourceFileSystem.Default.FindFilesAsync just calls new DirectoryInfo(folder).EnumerateFiles and then matches against the name. For the Specified argument was out of the range of valid values error, that will be resolved in ProGet 2024.33, which will be released this Friday. If you have any other questions, please let us know. Thanks, Dan
  • Image Scanning

    4
    0 Votes
    4 Posts
    19 Views
    Dan_WoolfD
    Hi @guilherme-silva_2532, The warnings in the blob layer scanner are to be expected in most images. Not every layer includes a file system. The layer scanner scans each layer for an application database. This will vary from layer to layer. There was also a bug released in ProGet 2024.32 that was not recording certain layer scanner results properly. This will be fixed in PG-2943 and will be released in the maintenance release this Friday. This may be why you are not seeing any packages found in this container. Thanks, Dan
  • Feature request - PGUtil Assets creation

    4
    0 Votes
    4 Posts
    18 Views
    atrippA
    @michal-roszak_0767 currently maven2 is a workaround, so it will continue to warm. In ProGet 2025, Maven will create the expected feed type.
  • Feature request - PGUtil "Security" editor

    4
    0 Votes
    4 Posts
    21 Views
    atrippA
    Hi @michal-roszak_0767, This is what I meant by the Security API -- a combination of HTTP Endpoints and pgutil commands. We will consider them for our ProGet 2026 roadmap. So until then you'll need to use the Native API; At this time the Native API is the option. You can also check out @steviecoaster 's PowerShell module, which has some modules that can help https://github.com/steviecoaster/InedoOps Thanks, Alana
  • Question About Vulnerability Assessment Expiry Behavior in ProGet

    10
    0 Votes
    10 Posts
    40 Views
    P
    @rhessinger Cool, thanks for the information. April 18th is great.
Inedo Website HomeSupport HomeCode of ConductForums GuideDocumentation