Api-Call to get vulnerabilities by package and version



  • Hi folks.
    Is there a way to get the vulnerabilities via an api call using a nuget packet and its version?
    I would like the information as in the picture:
    2025-04-10 09_37_57-NuGet.CommandLine 6.8.0.png
    THX Paddy


  • inedo-engineer

    Hi @itadmin_9894 ,

    It doesn't seem to be documented, but we do have a pgutil packages audit command:

    $> pgutil packages audit --help
    
    Description:
      Analyzes a package for compliance issues
    
    Usage:
      pgutil packages audit [options]
    
    Options:
      --package=<package> (REQUIRED)  Name (and group where applicable) of package
      --version=<version> (REQUIRED)  Version of package
    
    Common Options (packages):
      --api-key=<api-key>             ProGet API key used to authorize access
      --feed=<feed>                   Name of feed in ProGet
      --no-connectors                 Only include local (non-connector) package data in results
      --password=<password>           ProGet user password used to authorize access
      --source=<source>               Named source or URL of ProGet
      --username=<username>           ProGet user name used to authorize access
      -?, --help                      Show help and usage information
    
    Examples:
      $> pgutil packages audit --feed=approved-nuget --package=Newtonsoft.Json --version=12.0.3
      $> pgutil packages audit --feed=public-npm --package=@babel/runtime --version=7.25.0
      $> pgutil packages audit --feed=private-pypi --package=Django --version=5.0.6 --filename=Django-5.0.6.tar.gz
    

    Cheers,
    Alana



  • Hi @atripp ,

    THX for your feedback. It looks like that's not what I want. https://docs.inedo.com/docs/proget/api/vulnerabilities/audit
    This method does not provide for the vulnerabilities of the package.
    2025-04-11 06_23_39-VM-One Screen - vc-r-des-04 - Remotedesktopverbindung.png
    Any other ideas?

    Best regards
    Paddy


  • inedo-engineer

    Hi @itadmin_9894

    It looks like you're trying to do a GET request, which is why it's not working.

    You need to POST an array of package identifiers like this:

    POST /api/sca/audit-package-vulns
    [ 
        {
            "name": "NuGet.CommandLine",
            "version": "6.8.0",
            "type": "nuget"
        }
    ]
    

    Cheers,
    Alana
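
The POST request described in the reply above, as an added example that is not part of the original posts and is not Inedo's code. The host name and API key are placeholders, passing the key in an `X-ApiKey` header is an assumption the thread does not state, and the response is returned undecoded beyond JSON parsing because the thread does not show its shape.

```python
import json
import urllib.request

AUDIT_PATH = "/api/sca/audit-package-vulns"  # endpoint quoted in the reply above


def build_audit_request(base_url, packages, api_key=None):
    """Return a urllib Request that POSTs package identifiers as a JSON array."""
    body = []
    for pkg in packages:
        # Each entry needs the three fields shown in the reply.
        missing = [k for k in ("name", "version", "type") if not pkg.get(k)]
        if missing:
            raise ValueError(f"package entry {pkg!r} is missing {missing}")
        body.append({k: pkg[k] for k in ("name", "version", "type")})
    headers = {"Content-Type": "application/json"}
    if api_key:
        headers["X-ApiKey"] = api_key  # assumption: header-based API key auth
    return urllib.request.Request(
        base_url.rstrip("/") + AUDIT_PATH,
        data=json.dumps(body).encode("utf-8"),
        headers=headers,
        method="POST",  # a GET to this endpoint is what failed in the thread
    )


def audit_packages(base_url, packages, api_key=None, timeout=30):
    """Send the request and return the parsed JSON response unchanged."""
    req = build_audit_request(base_url, packages, api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values: placeholder host and key, package from the thread.
    pkgs = [{"name": "NuGet.CommandLine", "version": "6.8.0", "type": "nuget"}]
    req = build_audit_request("https://proget.example.internal", pkgs, "PLACEHOLDER-KEY")
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```

Keep the API key out of scripts and shell history; read it from an environment variable or a secrets store when calling `audit_packages` against a real server.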



  • Good morning @atripp .
    It looks like this method is not working as I expect it to. As you can see from the following printscreens, the result is different between WebUi and API.
    WebUi.png
    PostMan.png
    Am I using the API call incorrectly?
    Best regards
    Paddy


  • inedo-engineer

    Hi @itadmin_9894,

    Would you be able to share the entire JSON response and exactly what information is missing that you are expecting to see?

    Thanks,
    Dan



  • Hi Dan.
    I have now built a parser that fetches the desired information from the WebApp.
    Thank you very much for your help.
    Paddy

