
Package Vulnerabilities - API



  • Hi,
    Does the API have the functionality to view if a package is vulnerable or not?

    I'm trying to implement a package promotion process, but I want to restrict this if the package is vulnerable.

    Thanks,


  • inedo-engineer

    Hey @rick-edwards_9161 ,

    Yes - this would be easiest to do with the pgutil vulns audit command, which we're still working on documenting.

    Description:
      List vulnerabilities associated with a package or project file
    
    Usage:
      pgutil vulns audit [options]
    
    Options:
      --input=<input>      Project to audit for vulnerable packages
      --package=<package>  Name of package to audit for vulnerabilities
      --type=<type>        Type of package to audit for vulnerabilities
                           Valid values: apk, deb, maven, nuget, conda, cran, helm, npm, pypi, rpm, gem
      --version=<version>  Version of package to audit for vulnerabilities
      -?, --help           Show help and usage information
    

    See Getting started with pgutil to learn more.



  • Hi Steve,

    Thanks for your reply.

    Is there an equivalent endpoint to use via the http hosted api?

    e.g. we are referencing our packages using - GET /api/packages/MyNuGetFeed/versions?name=myNugetPackage

    Thanks,


  • inedo-engineer

    Hi @rick-edwards_9161 ,

    There is a corresponding API, but we haven't documented it yet.

    For now, you have to "reverse engineer" the code (ProGetClient.cs):

        public async IAsyncEnumerable<VulnerabilityInfo> AuditPackagesForVulnerabilitiesAsync(IReadOnlyList<PackageVersionIdentifier> packages, [EnumeratorCancellation] CancellationToken cancellationToken = default)
        {
            ArgumentNullException.ThrowIfNull(packages);
    
            using var response = await this.http.PostAsJsonAsync("api/sca/audit-package-vulns", packages, ProGetApiJsonContext.Default.IReadOnlyListPackageVersionIdentifier, cancellationToken).ConfigureAwait(false);
            await CheckResponseAsync(response, cancellationToken).ConfigureAwait(false);
    
            using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
            await foreach (var v in JsonSerializer.DeserializeAsyncEnumerable(stream, ProGetApiJsonContext.Default.VulnerabilityInfo, cancellationToken).ConfigureAwait(false))
                yield return v!;
        }
    

    We do plan to document all this in the coming weeks/months.

    Thanks,
    Steve

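A promotion gate built on the endpoint Steve points at, as an added example (not Inedo's code and not the ProGetClient.cs snippet above): it POSTs the package list to api/sca/audit-package-vulns and refuses promotion when any returned record is at or above a chosen severity. The request field names (type/name/version, mirroring the pgutil options), the response fields (id/severity) and the sample vulnerability IDs are assumptions, since the JSON schema is not shown in this thread; the X-ApiKey header is the one ProGet uses for API keys.

```python
import json
import urllib.request

# Endpoint path and JSON-array response come from the ProGetClient.cs snippet
# quoted above; the field names below are assumptions for this example.
AUDIT_PATH = "api/sca/audit-package-vulns"
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def _http_post(url, body, api_key):
    """Default transport: POST JSON with the ProGet API key header."""
    req = urllib.request.Request(url, data=body, method="POST",
        headers={"Content-Type": "application/json", "X-ApiKey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def audit_packages(base_url, api_key, packages, post=None):
    """POST the package list and return the parsed list of vulnerability records.

    packages: iterable of (type, name, version) tuples, mirroring pgutil's
    --type/--package/--version options. `post(url, body, api_key)` lets a
    test or CI job inject its own transport; urllib is used by default.
    """
    body = json.dumps([
        {"type": t, "name": n, "version": v}  # assumed field names
        for t, n, v in packages
    ]).encode()
    raw = (post or _http_post)(f"{base_url.rstrip('/')}/{AUDIT_PATH}", body, api_key)
    vulns = json.loads(raw)
    if not isinstance(vulns, list):
        raise ValueError("expected a JSON array of vulnerability records")
    return vulns


def promotion_decision(vulns, block_at="high"):
    """Return (allowed, blocking_ids) for vulns at or above the block_at severity.

    A record with a missing or unrecognised severity is treated as blocking,
    so a malformed response cannot quietly let a package through.
    Assumes each record carries 'id' and 'severity' keys (an assumption).
    """
    threshold = SEVERITY_RANK[block_at.lower()]
    blocking = []
    for v in vulns:
        rank = SEVERITY_RANK.get(str(v.get("severity", "")).lower(), 99)
        if rank >= threshold:
            blocking.append(v.get("id", "<unknown id>"))
    return (len(blocking) == 0, blocking)
```

Because the gate keys off the audit result rather than the promotion API itself, the same decision function can be reused against `pgutil vulns audit` output once that command's JSON format is documented.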


  • Brilliant, thank you for your response.

    Am I to assume this is only available in the 2024 version? I'm receiving "API endpoint not supported" in version 2023.34.

    Thanks,


  • inedo-engineer

    @rick-edwards_9161 that is correct, these will only be developed for ProGet 2024

