Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    NuGet.exe 6.8 NuGetAudit integration with ProGet

    Scheduled Pinned Locked Moved Support
    6 Posts 2 Posters 18 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R Offline
      richard.allen_8963
      last edited by

      Using nuget.org and nuget.exe 6.8.0 (through VS), when I attempt to download a package that contains a security vulnerability, one of the Nuget warnings 1901,1902,1903,1904 are generated and reported in my build.
      When I try to retrieve the same package from a ProGet free Nuget feed, the warnings are not generated.
      I can see if I browse to the package in the ProGet GUI that the security vulnerabilities are recorded correctly already.
      Why are these warnings not returned? Is this (a) because I need to purchase a paid version of ProGet to support it, or (b) because it hasn't been added yet, given that the NuGetAudit functionality was only released in November 2023?
      Thanks v much for anyone who has an answer on this.

      atrippA 1 Reply Last reply Reply Quote 0
      • atrippA Offline
        atripp inedo-engineer @richard.allen_8963
        last edited by

        Hi @richard-allen_8963 ,

        ProGet 2023 will return vulnerabilities when using the audit command and Visual Studio. Here is more information on our general approach:
        https://blog.inedo.com/nuget/vulnerabilities/

        If you're not seeing them, make sure you're using the NuGet v3 API endpoint. That's the one that ends in index.json -- the v2 API does not support vulnerabilities.

        There is a restriction on vulnerability inforamtion in the Free Version, but they are returned in the API.

        Thanks,
        Alana

        R 1 Reply Last reply Reply Quote 0
        • R Offline
          richard.allen_8963 @atripp
          last edited by

          @atripp I have tried switching my package sources between nuget.org and our private ProGet NuGet feed (and we do use version 3 of the API), and it is definitely the case that the warnings appear for nuget.org and not for ProGet. So, my original question is unanswered; is it just the free version which doesn't support this feature in the NuGet client API?

          atrippA 1 Reply Last reply Reply Quote 0
          • atrippA Offline
            atripp inedo-engineer @richard.allen_8963
            last edited by

            Hi @richard-allen_8963 ,

            In ProGet Free Edition, if vulnerabilities are enabled on the feed, a package will a vulnerability will always appear as critical, and the advisory URL will direct you to /vulnerable-nuget-package-info on your instance of ProGet.

            In paid editions, you will get more relevant information and you can assess these vulnerabilities to control them from being displayed as critical.

            I'm not entirely sure how to suggest to debug, but in the API, you should see advisoryUrl
            listed on thePackageDetails` resource, along with deprecation as well, so I would try looking at the API for a sample package, and making sure you can see both deprecation and advisory info

            Thanks,
            Alana

            R 1 Reply Last reply Reply Quote 0
            • R Offline
              richard.allen_8963 @atripp
              last edited by

              @atripp I want to do everything through nuget.exe because this is ultimately what gets called for package resolution within VS and in our CI solution (Team City). It's clear that even though the ProGet API itself may support package vulnerability listing, it doesn't expose that through nuget.exe, at least in the free version, i.e. if I do 'dotnet list package --vulnerable' then no vulnerabilities are reported where nuget.config is set up to reference my ProGet feeds, but it does when referencing NuGet.org.
              I have double checked in the feed configuration that vulnerability features are enabled.

              atrippA 1 Reply Last reply Reply Quote 0
              • atrippA Offline
                atripp inedo-engineer @richard.allen_8963
                last edited by

                Hi @richard-allen_8963 ,

                I'm afraid I'm really not sure how different versions the NuGet client tools behave in different scenarios... just really how ProGet works in implementing the Vulnerabilities information on the NuGet API.

                This API is used by Visual Studio, and in our testing, they show up as we expected -- so if you're not seeing the desired behavior, that's where you'd want to look. Using something like Fiddler, you can see what's being called.

                I do know there is an older, NuGet.org-only API that the tools may be calling. But we only implement the one I mentioned above.

                Best,
                Alana

                1 Reply Last reply Reply Quote 0

                Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                With your input, this post could be even better 💗

                Register Login
                • 1 / 1
                • First post
                  Last post
                Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation