Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Is it possible to have feed-specific assessments of vulnerabilities?

    Scheduled Pinned Locked Moved Support
    6 Posts 3 Posters 20 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J Offline
      joacim.svensson_8194
      last edited by

      We have a usecase where one of our internal application wants to utilise our global feeds ability to scan for vulnerabilities and automatic assessment but they want their own feed to do their own assessments that are application-specific.

      From what I've understood, scanning is feed-specific and blocking is feed-specific, but assessment is global? Am I missing something?

      atrippA 1 Reply Last reply Reply Quote 0
      • atrippA Offline
        atripp inedo-engineer @joacim.svensson_8194
        last edited by

        Hi @joacim-svensson_8194 ,

        This use case isn't very common (and isn't one we necessarily designed for), so it's not so intuitive to do in the UI. To handle this, you can create a create a second vulnerability source, and then use that source in the UI. Let us know how that goes!

        Cheers,
        Alana

        J 1 Reply Last reply Reply Quote 0
        • J Offline
          joacim.svensson_8194 @atripp
          last edited by

          @atripp Sorry, I completely missed your answer here.

          I'm wondering, even if I create a second source for vulnerabilities - isn't the vulnerability (and related block or no-block) global? Would dual sources mean that there would be duplicates of each vulnerability? The assessment doesn't seem related to the source, but rather to the vulnerability, or is that only how it appears in the UI?

          stevedennisS 1 Reply Last reply Reply Quote 0
          • stevedennisS Offline
            stevedennis inedo-engineer @joacim.svensson_8194
            last edited by

            Hi @joacim-svensson_8194 ,

            A vulnerability is tied to a vulnerability source (you can see the source name on the vulnerability page), and a vulnerability source is tied to one or more feeds.

            So when you create a second vulnerability source, then you'll see two sets of vulnerabilities and be able to assess each vulnerability differently.

            Cheers,
            Steve

            1 Reply Last reply Reply Quote 0
            • J Offline
              joacim.svensson_8194
              last edited by

              Hmm, that didnt work as expected. I added a second instance of OSS-index as a vulnerability source and used that second source on a specific feed. I let the scheduled job run last night and tried to download a package with a vulnerability in another feed but despite the same settings being applied to both feeds, and the same vulnerability source being used I managed to download the vulnerable package in one feed but not the other?

              stevedennisS 1 Reply Last reply Reply Quote 0
              • stevedennisS Offline
                stevedennis inedo-engineer @joacim.svensson_8194
                last edited by

                Hi @joacim-svensson_8194 ,

                That should have worked, but it's of course possible there's a bug.

                Can you confirm steps?

                Is this basically what you did?

                1. Create Two feeds (Feed1 and Feed2), download a vulnerable package in each feed
                2. Create Two Vuln Sources (OssIndex1, OssIndex2), associate each to each feed
                3. Run the "Vuln Downloader" Job, and see two identical vulnerabilities added to ProGet
                4. Assess the vulnerabilities differently (1 = Block, 2= Ignore)
                5. Package should Blocked on Feed1, and allowed on Feed2

                I want to make sure we're following the steps you did, so we can test this.

                Cheers,
                Steve

                1 Reply Last reply Reply Quote 0

                Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                With your input, this post could be even better 💗

                Register Login
                • 1 / 1
                • First post
                  Last post
                Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation