ProGet WhiteSource Package Access Rule doesn't block vulnerable packages



  • I have recently integrated our WhiteSource account with ProGet to leverage the ability to prevent packages with vulnerabilities from being downloaded. I've gone to a feed and added a Package Access Rule for WhiteSource. I expected it to start blocking downloads of the libraries that have been identified as vulnerable, but it is not working. Is there a way to troubleshoot the issue and see that ProGet is actually calling the WhiteSource API?

    I have configured the Endpoint as https://saas.whitesourcesoftware.com/agent. Is that correct or should it be configured for the API (https://saas.whitesourcesoftware.com/api/v1.3)?


  • inedo-engineer

    Hi @bvandehey_9055,

    The URL you are using looks correct. If you click on the Download button and the package actually downloads, then that verifies that it successfully connected. If it was failing to connect to WhiteSource, you would see a page that looks like this:

    [image: 67e1fc0d-3ddf-40d9-bb7b-a417385cb628-image.png]

    If you want to verify that ProGet is communicating with WhiteSource, I would just put in a bad value for WhiteSource and attempt to download the package from the ProGet UI. If you get a similar error to above, that verifies the communication to WhiteSource.

    Are you using the Product Name or the Product Token in the Product field in the configuration? I would try to use the product token first.

    If all of that is set up, then it is most likely an issue with the rules set up within WhiteSource.

    Thanks,
    Rich

