Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
ProGet New Vulnerability scanning removes ability to block a package
-
Hi Support,
We have an issue with the Moq library in NuGet. The Vulnerability assessment is wrong and has a limited list of versions to block.
PGV-2358804: Moq v4.20.0-rc to 4.20.1 share hashed user data
We have confirmed that 40.20.2 and 4.20.69 still have the vulnerability, but we cannot clock these in the new versions of ProGet now. How do we extend the vulnerabilities to block packages that are a problem? I can understand why these versions were missed, as you need to go through the commits that make up the versions and check them for yourself. This is why the ability to block manually on the existing version was so important.
Regards Scott
-
Are you suggesting that the version range we have logged (
≥ 4.20.0-rc & < 4.20.2
) is incorrect? That particular vulnerability is sourced from a GitHub advisory:
https://github.com/advisories/GHSA-6r78-m64m-qwcfIf that's the case, it'd be best to report that to the source so that 40.20.2 and 4.20.69 also show up? It should then be reflected in our database quickly shortly after that.
Otherwise, there are a couple options you can use to block unwanted packages:
- set a package's status to
Blocked
(after downloading it) to manually prevent a download of a package - use a connector filter to prevent all versions of that package, then manually add the ones you permit
We may add other options down the line, but we intend to allow users to modify the vulnerability database (PGVD) since that it synced from security.inedo.com.
Cheers,
Alana
- set a package's status to
-
Hi Alana,
How do we set the package status to blocked? I cannot find this option against these packages, which is what I have been looking for. I remember it being there, but it appears to be gone in version 23.0.31. Also, regarding the above response, do you intend to allow users to modify the vulnerability database or not? The style of the answer indicates no.
Regards Scott
-
Hi @scott-wright_8356 ,
To set a package to blocked, first pull the package to ProGet, then use "Set Package Status". You can then set "Download allowed:" option.
do you intend to allow users to modify the vulnerability database
We do not intend to allow users to modify the database. There are several reasons for this.
- We could not come up with a suitable use case considering the alternative options
- It's not something other security products allow
- It creates a usage/support problem because it's easy to "forget" that the data was edited and then there's a strange behavior
Cheers,
Alana
-
Thank you very much for this, Alana. Very much appreciated.