
ProGet SCA Cannot get NuGet vulnerability scanning to work



  • I've been trying to get vulnerability detection with SBOM scans to work for nuget.org packages, but so far no luck.

    Here is an example SBOM that should pop up on any scan:
    https://privatebin.net/?ca7ad862057815c8#7WzmrR54i6opxoD37dxaE1X7GS67GfcJ79zEps2BTtaS

    Clicking on the package shows that the vulnerability is recognized:
    [screenshot]

    The package is also in the package cache; I've manually downloaded it to avoid this issue.

    Yet there is not a single mention of this vulnerability anywhere on the SCA release pages:

    [screenshot]

    • I have configured the vulnerability sources (both OSS Index and PGVC)
    • I have enabled the vulnerability feature on the feed
    • I have added auto assessment, though I'm not really sure if that is even needed. I am not looking to make download blocking work at the moment.

    Is there something I have missed?


  • inedo-engineer

    Hi @jw ,

    With the way things are "wired up" today, there are some edge cases when this will not show up right away. This is primarily for performance reasons, and it's something we absolutely plan to address in ProGet 2024.

    The "trick" is that the PackageAnalyzer job needs to be run to do some back-end linking in the database; this is typically done on a nightly basis (there is a scheduled job for this), and in practice it's rarely something you'll spot outside of testing.

    For example, after that job runs... if you were to delete then recreate TestProject 1.0.0 by pushing an SBOM, it should show the vulnerability.

    Thanks,
    Alana



  • Hi @atripp

    I tried what you suggested. Here is the output from the PackageAnalyzer job:

    DEBUG: 2023-10-17 11:53:19Z - Fetching list of licenses...
    DEBUG: 2023-10-17 11:53:19Z - Found 327 licenses.
    DEBUG: 2023-10-17 11:53:19Z - Analyzing 1 feeds...
    INFO : 2023-10-17 11:53:19Z - Beginning analysis of nuget-proxy feed...
    DEBUG: 2023-10-17 11:53:19Z - Fetching list of known NuGet vulnerabilities...
    DEBUG: 2023-10-17 11:53:19Z - Found 0 vulnerabilities.
    INFO : 2023-10-17 11:53:19Z - Recorded data for 1 packages in nuget-proxy feed.
    DEBUG: 2023-10-17 11:53:19Z - Analyzing 1 active releases...
    DEBUG: 2023-10-17 11:53:19Z - Analyzing TestProject 1.0.0...
    

    Sadly, no matter what I do (deleting and re-uploading, overwriting, clicking "analyze" on the Release), the vulnerability is never shown.

    Is there anything else I could try?
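The analyzer output quoted above carries one line worth catching automatically: the vulnerability fetch for the feed returned "Found 0 vulnerabilities" even though a package was recorded, so nothing in that feed can be matched no matter how often the release is re-analyzed. The following Python script is an added example, not ProGet code or anything posted in this thread; it parses lines in the `LEVEL: <UTC timestamp> - <message>` shape shown above (an assumption about the format based only on the quoted output), tracks which feed is being analyzed, and flags any feed where packages were recorded against an empty vulnerability list. The sample log is the one from the post, embedded as a constructed string.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the PackageAnalyzer output quoted in the post above.
SAMPLE_LOG = """\
DEBUG: 2023-10-17 11:53:19Z - Fetching list of licenses...
DEBUG: 2023-10-17 11:53:19Z - Found 327 licenses.
DEBUG: 2023-10-17 11:53:19Z - Analyzing 1 feeds...
INFO : 2023-10-17 11:53:19Z - Beginning analysis of nuget-proxy feed...
DEBUG: 2023-10-17 11:53:19Z - Fetching list of known NuGet vulnerabilities...
DEBUG: 2023-10-17 11:53:19Z - Found 0 vulnerabilities.
INFO : 2023-10-17 11:53:19Z - Recorded data for 1 packages in nuget-proxy feed.
DEBUG: 2023-10-17 11:53:19Z - Analyzing 1 active releases...
DEBUG: 2023-10-17 11:53:19Z - Analyzing TestProject 1.0.0...
"""

# Assumed line layout: "LEVEL: 2023-10-17 11:53:19Z - message" (level may be padded).
LINE_RE = re.compile(r"^(?P<level>[A-Z]+)\s*:\s+(?P<ts>\S+ \S+)\s+-\s+(?P<msg>.*)$")
BEGIN_RE = re.compile(r"^Beginning analysis of (?P<feed>.+?) feed")
VULN_RE = re.compile(r"^Found (?P<n>\d+) vulnerabilit")          # not "Found 327 licenses."
RECORDED_RE = re.compile(r"^Recorded data for (?P<n>\d+) packages in (?P<feed>.+?) feed")


@dataclass
class FeedResult:
    """What the analyzer reported for one feed."""
    feed: str
    vulnerabilities_loaded: Optional[int] = None   # None = no "Found N vulnerabilities" line seen
    packages_recorded: Optional[int] = None        # None = no "Recorded data" line seen


def parse_feed_results(log_text: str) -> List[FeedResult]:
    """Walk the log, attributing each 'Found N vulnerabilities' and 'Recorded data'
    line to the feed whose analysis most recently began."""
    results: List[FeedResult] = []
    current: Optional[FeedResult] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # ignore lines that are not in the expected shape
        msg = m.group("msg")
        b = BEGIN_RE.match(msg)
        if b:
            current = FeedResult(feed=b.group("feed"))
            results.append(current)
            continue
        if current is None:
            continue                      # counts before any feed context are not attributable
        v = VULN_RE.match(msg)
        if v:
            current.vulnerabilities_loaded = int(v.group("n"))
            continue
        r = RECORDED_RE.match(msg)
        if r and r.group("feed") == current.feed:
            current.packages_recorded = int(r.group("n"))
    return results


def triage(log_text: str) -> List[str]:
    """Return one warning per feed whose packages were recorded against an empty
    (or missing) vulnerability list: those packages cannot be matched to anything."""
    warnings: List[str] = []
    for fr in parse_feed_results(log_text):
        if (fr.packages_recorded or 0) > 0 and not fr.vulnerabilities_loaded:
            loaded = "no" if fr.vulnerabilities_loaded is None else fr.vulnerabilities_loaded
            warnings.append(
                f"feed '{fr.feed}': {fr.packages_recorded} package(s) recorded but "
                f"{loaded} vulnerabilities loaded from the configured sources; "
                "no package in this feed can be flagged until the list is populated"
            )
    return warnings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG) or ["no empty vulnerability lists found"]:
        print(line)
```

Run against the quoted log this reports the nuget-proxy feed, which is the signal to look at the vulnerability-source and feed configuration rather than at the SBOM or the release; a log where the fetch returns a non-zero count produces no warning.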


  • inedo-engineer

    Hi @jw ,

    One thing to check --- is "vulnerability blocking" enabled on the nuget-proxy feed? That's currently how the SCA Projects know to pick up if a vulnerability issue is desired.

    Thanks,
    Steve



  • Hi @stevedennis

    I have this feed feature enabled:

    [screenshot]

    Or are you referring to the SCA setting "Vulnerability Download Blocking Configuration"?


  • inedo-engineer

    Hi @jw ,

    There is one other setting, under SCA > Vulnerabilities > Download Blocking. Try setting that, then maybe you'll also need to run Package Analysis again.

    Let us know -- we can try to add a few more hints/clues in the UI to make this less confusing, at least as a temporary measure before tying this together better in the back-end.

    Thanks,
    Steve



  • Thank you for the pointers.

    I think I finally got it working, though I must admit I'm still not 100% sure what combination in what order actually led to success.

    I'm already in contact with @apxltd about your planned SCA changes. I will try to write up what tripped me up as part of that feedback.

