ProGet Container Image - Vulnerabilities Unassessed
-
My organization is in the process of evaluating ProGet, which we would be looking to run as a Linux container. As part of the security evaluation we noticed that all of the vulnerabilities of the latest container version (https://proget.inedo.com/containers/tags/ProductImages/inedo/proget/25.0.10-ci.9/vulnerabilities at the time of writing), as well as earlier container versions listed, are labelled as "? Unassessed". Is there a reason for this?
-
proget.inedo.com points to one of our edge nodes in a ProGet Edge Computing Edition network and is continuously replicating content from our hub server. Currently, we do not support replicating "non-content" (i.e. vulnerability assessments, license assignments, policies, etc.) -- only packages, containers, and assets. Technically... that vulnerability information should not be displayed at all, since we disabled the feature on the feed. So that must be a bug of some kind.
Long story short, please disregard - we check all this on our central hub, but it's just not replicated to edge nodes.
Thanks,
Steve
-
Thanks for the response. Does that mean that the container is not susceptible to these vulnerabilities, or that you have assessed the vulnerabilities, but that this assessment status has not been replicated? Based on the package list (https://proget.inedo.com/containers/tags/ProductImages/inedo/proget/25.0.10-ci.9/packages), and the vulnerability details, it would appear that most may be relevant, at least from a package content perspective.
-
We have already assessed the vulnerabilities; the container image is not susceptible to any of these vulnerabilities. Only two ports are exposed on the container (for http/https) and the overwhelming majority of packages built into the base container image (debian) are not used.
Thanks,
Steve
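The reasoning in the reply above (scanner findings against base-image packages that the service never loads) is a common triage step when reviewing a container image yourself. The following is an added example of how that step can be made checkable, not Inedo's code or ProGet's assessment workflow: it maps the shared objects a running process has loaded (the shape of `/proc/<pid>/maps`) to their owning Debian packages (the shape of `dpkg -S` output) and sorts each scanner finding into "package loaded" versus "package not loaded at runtime". Every CVE identifier, package name and file path below is constructed sample data, not a real finding for the inedo/proget image.

```python
"""Triage of base-image CVE findings against the packages a container process
actually loads. Added example; not Inedo's code. All identifiers, package names
and paths are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str       # identifier as reported by the image scanner
    package: str   # Debian binary package the scanner attributed it to
    severity: str


# Constructed scanner output for a Debian base layer (not real CVEs).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-1111", "libexample1", "HIGH"),
    Finding("CVE-0000-2222", "libunusedtool2", "CRITICAL"),
    Finding("CVE-0000-3333", "libtls-sample0", "MEDIUM"),
    Finding("CVE-0000-4444", "example-cli", "LOW"),
]

# Constructed /proc/<pid>/maps excerpt for the service process. Columns are
# address, perms, offset, dev, inode, pathname; only the pathname matters here.
SAMPLE_MAPS = """\
7f00 r-xp 00000000 08:01 1 /usr/lib/x86_64-linux-gnu/libexample.so.1
7f01 r-xp 00000000 08:01 2 /usr/lib/x86_64-linux-gnu/libtls-sample.so.0
7f02 r-xp 00000000 08:01 3 /usr/lib/x86_64-linux-gnu/libc.so.6
7f03 rw-p 00000000 00:00 0 [heap]
7f04 rw-p 00000000 00:00 0
"""

# Constructed file -> owning package map, as `dpkg -S <path>` would report.
SAMPLE_DPKG_OWNERS = {
    "/usr/lib/x86_64-linux-gnu/libexample.so.1": "libexample1",
    "/usr/lib/x86_64-linux-gnu/libtls-sample.so.0": "libtls-sample0",
    "/usr/lib/x86_64-linux-gnu/libc.so.6": "libc6",
}

NEEDS_ASSESSMENT = "needs assessment: package loaded by the service"
NOT_LOADED = "likely not applicable: package not loaded at runtime"


def mapped_paths(maps_text):
    """Return the set of real file paths a process has mapped.
    Anonymous mappings (no pathname) and pseudo-paths such as [heap] are skipped."""
    paths = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/"):
            paths.add(parts[5])
    return paths


def loaded_packages(maps_text, owners):
    """Resolve each mapped file to its owning package.
    Files no package claims are returned separately so they are not silently ignored."""
    packages, unowned = set(), set()
    for path in mapped_paths(maps_text):
        owner = owners.get(path)
        if owner:
            packages.add(owner)
        else:
            unowned.add(path)
    return packages, unowned


def triage(findings, used_packages):
    """Classify each finding by whether its package is loaded by the service.
    This is a triage hint, not a final assessment: a package that is not loaded
    can still matter (e.g. a setuid binary or a scheduled job), so "not loaded"
    findings still want a documented decision."""
    return {
        f.cve: (NEEDS_ASSESSMENT if f.package in used_packages else NOT_LOADED)
        for f in findings
    }


if __name__ == "__main__":
    used, unowned = loaded_packages(SAMPLE_MAPS, SAMPLE_DPKG_OWNERS)
    for cve, status in sorted(triage(SAMPLE_FINDINGS, used).items()):
        print(cve, "->", status)
    if unowned:
        print("mapped files owned by no package:", sorted(unowned))
```

On a live container, `SAMPLE_MAPS` would come from `/proc/<pid>/maps` of the service process and `SAMPLE_DPKG_OWNERS` from running `dpkg -S` over those paths; files owned by no package (vendored runtimes, for instance) show up in `unowned` and need a separate inventory, since a distro-package scanner will not attribute findings to them at all.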