Hi @parthu-reddy ,
If you can provide me with some step-by-step instructions (reproduction case), then I can see if there's a bug in ProGet. However, we can't really change the "license file is embedded in the package file" technical requirement.
That said... using custom licenses for blocking packages is definitely inappropriate. Please do not do that. It will cause you headaches and probably business disruptions later. There are already tools to prevent users from downloading packages from ProGet; this is not how you want to do it.
The easiest solution here is to align the security team's understanding/expectations with reality. You don't want to try to configure ProGet in unrealistic ways that will lead to actual problems/risks.
I suspect the security team is conflating "vulnerable packages" with "malware and viruses", so it'd be best to take this opportunity to educate them on how packages / ProGet works.
- ProGet can prevent users from downloading certain packages, but vulnerable packages are freely available on the internet for download.
- A vulnerable package is NOT some "virus in a lab" that can escape and infect a system
- A package is just a library and cannot run on its own
- If a user has a copy of a vulnerable package, they can't use it to "hack" a system, nor will it cause any harm
- Vulnerable packages simply shouldn't be used as building blocks in your own applications
Thanks,
Alana