Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Is it possible to have feed-specific assessments of vulnerabilities?
-
We have a usecase where one of our internal application wants to utilise our global feeds ability to scan for vulnerabilities and automatic assessment but they want their own feed to do their own assessments that are application-specific.
From what I've understood, scanning is feed-specific and blocking is feed-specific, but assessment is global? Am I missing something?
-
This use case isn't very common (and isn't one we necessarily designed for), so it's not so intuitive to do in the UI. To handle this, you can create a create a second vulnerability source, and then use that source in the UI. Let us know how that goes!
Cheers,
Alana
-
@atripp Sorry, I completely missed your answer here.
I'm wondering, even if I create a second source for vulnerabilities - isn't the vulnerability (and related block or no-block) global? Would dual sources mean that there would be duplicates of each vulnerability? The assessment doesn't seem related to the source, but rather to the vulnerability, or is that only how it appears in the UI?
-
A vulnerability is tied to a vulnerability source (you can see the source name on the vulnerability page), and a vulnerability source is tied to one or more feeds.
So when you create a second vulnerability source, then you'll see two sets of vulnerabilities and be able to assess each vulnerability differently.
Cheers,
Steve
-
Hmm, that didnt work as expected. I added a second instance of OSS-index as a vulnerability source and used that second source on a specific feed. I let the scheduled job run last night and tried to download a package with a vulnerability in another feed but despite the same settings being applied to both feeds, and the same vulnerability source being used I managed to download the vulnerable package in one feed but not the other?
-
That should have worked, but it's of course possible there's a bug.
Can you confirm steps?
Is this basically what you did?
- Create Two feeds (
Feed1
andFeed2
), download a vulnerable package in each feed - Create Two Vuln Sources (
OssIndex1
,OssIndex2
), associate each to each feed - Run the "Vuln Downloader" Job, and see two identical vulnerabilities added to ProGet
- Assess the vulnerabilities differently (1 = Block, 2= Ignore)
- Package should Blocked on Feed1, and allowed on Feed2
I want to make sure we're following the steps you did, so we can test this.
Cheers,
Steve
- Create Two feeds (