Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Package Vulnerabilities - API

    Scheduled Pinned Locked Moved Support
    6 Posts 2 Posters 23 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R Offline
      rick.edwards_9161
      last edited by

      Hi,
      Does the API have the functionality to view if a package is vulnerable or not?

      I'm trying to implement a package promotion process but I was to restrict this is the package is vulnerable.

      Thanks,

      stevedennisS 1 Reply Last reply Reply Quote 0
      • stevedennisS Offline
        stevedennis inedo-engineer @rick.edwards_9161
        last edited by

        Hey @rick-edwards_9161 ,

        Yes - this would be easiest to do with the pgutil vulns audit command, which we're still working on documenting.

        Description:
          List vulnerabilities associated with a package or project file
        
        Usage:
          pgutil vulns audit [options]
        
        Options:
          --input=<input>      Project to audit for vulnerable packages
          --package=<package>  Name of package to audit for vulnerabilities
          --type=<type>        Type of package to audit for vulnerabilities
                               Valid values: apk, deb, maven, nuget, conda, cran, helm, npm, pypi, rpm, gem
          --version=<version>  Version of package to audit for vulnerabilities
          -?, --help           Show help and usage information
        

        See Getting started with pgutil to learn more.

        1 Reply Last reply Reply Quote 0
        • R Offline
          rick.edwards_9161
          last edited by

          Hi Steve,

          Thanks for your reply.

          Is there an equivalent endpoint to use via the http hosted api?

          e.g. we are referencing our packages using - GET /api/packages/MyNuGetFeed/versions?name=myNugetPackage

          Thanks,

          stevedennisS 1 Reply Last reply Reply Quote 0
          • stevedennisS Offline
            stevedennis inedo-engineer @rick.edwards_9161
            last edited by

            Hi @rick-edwards_9161 ,

            There is a corresponding API, but we haven't documented it yet.

            For now, you have to "reverse engineer" the code (ProGetClient.cs):

                public async IAsyncEnumerable<VulnerabilityInfo> AuditPackagesForVulnerabilitiesAsync(IReadOnlyList<PackageVersionIdentifier> packages, [EnumeratorCancellation] CancellationToken cancellationToken = default)
                {
                    ArgumentNullException.ThrowIfNull(packages);
            
                    using var response = await this.http.PostAsJsonAsync("api/sca/audit-package-vulns", packages, ProGetApiJsonContext.Default.IReadOnlyListPackageVersionIdentifier, cancellationToken).ConfigureAwait(false);
                    await CheckResponseAsync(response, cancellationToken).ConfigureAwait(false);
            
                    using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
                    await foreach (var v in JsonSerializer.DeserializeAsyncEnumerable(stream, ProGetApiJsonContext.Default.VulnerabilityInfo, cancellationToken).ConfigureAwait(false))
                        yield return v!;
                }
            

            We do plan to document all this in the coming weeks/months.

            Thanks,
            Steve

            1 Reply Last reply Reply Quote 0
            • R Offline
              rick.edwards_9161
              last edited by

              Brilliant, thank you for your response.

              Am I to assume this is only available in the 2024 version? I'm receiving API endpoint no supported in version 2023.34

              Thanks,

              stevedennisS 1 Reply Last reply Reply Quote 0
              • stevedennisS Offline
                stevedennis inedo-engineer @rick.edwards_9161
                last edited by

                @rick-edwards_9161 that is correct, these will only be developed for ProGet 2024

                1 Reply Last reply Reply Quote 0

                Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                With your input, this post could be even better 💗

                Register Login
                • 1 / 1
                • First post
                  Last post
                Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation