Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Integrating ProGet with Vor Security

    Scheduled Pinned Locked Moved Support
    proget
    14 Posts 1 Posters 28 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ? This user is from outside of this forum
      Guest
      last edited by

      This means that the extensions are not properly loading; ensure that the web application has proper permission to write to the ExtensionsTempPath (in the All Settings page).

      Once extensions can load properly, then you will be able to select Vor Security.

      1 Reply Last reply Reply Quote 0
      • ? This user is from outside of this forum
        Guest
        last edited by

        Hi,

        There are only Extensions.ExtensionsPath(this path have all the permission) but not the Extensions.ExtensionsTempPath present in All Setting page.

        Thanks.

        1 Reply Last reply Reply Quote 0
        • ? This user is from outside of this forum
          Guest
          last edited by

          Sorry, I was incorrect; there are actually two paths to set.

          Extensions.WebTempPath and Extensions.ServiceTempPath

          Once those are set, the extension can load.

          1 Reply Last reply Reply Quote 0
          • ? This user is from outside of this forum
            Guest
            last edited by

            I'm able to install the vor security extension after setting path mentioned above.

            After setting above mentioned path, and on run VulnerabilityDownloader, getting runtime issue like "ERROR: Unhandled exception: System.ArgumentException: Assembly VorSecurity was not found. The extension may be out of date, have been deleted, or could not be loaded. ---> System.IO.FileNotFoundException: Could not load file or assembly 'VorSecurity' or one of its dependencies. The system cannot find the file specified."

            Path that I have set:

            Extensions.ExtensionsPath
            Extensions.ServiceTempPath
            Extensions.WebTempPath

            Let me know if I'm missing anything.Thanks

            1 Reply Last reply Reply Quote 0
            • ? This user is from outside of this forum
              Guest
              last edited by

              In this case, make sure to restart the service. The service is unable to load the assembly which must mean the extension is not loaded.

              1 Reply Last reply Reply Quote 0
              • ? This user is from outside of this forum
                Guest
                last edited by

                Restarted Service as well, but the same issue.
                Below all path should be unique?

                Extensions.ExtensionsPath
                Extensions.ServiceTempPath
                Extensions.WebTempPath

                1 Reply Last reply Reply Quote 0
                • ? This user is from outside of this forum
                  Guest
                  last edited by

                  It must be unique. For example:

                  Extensions.ExtensionsPath = C:\ProGet\Extensions

                  Extensions.ServiceTempPath = C:\ProGet\Temp\Service

                  Extensions.WebTempPath= C:\ProGet\Temp\Web

                  1 Reply Last reply Reply Quote 0
                  • ? This user is from outside of this forum
                    Guest
                    last edited by

                    Team,

                    After setting everything as discussed above, on "Override scheduling and run VulnerabilityDownloader now?" getting a runtime error like:

                    ERROR: Unhandled exception: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

                    Let me know if I'm missing something above.

                    1 Reply Last reply Reply Quote 0
                    • ? This user is from outside of this forum
                      Guest
                      last edited by

                      That error is not related ; it sounds like a connector issue. Perhaps your internal network is not trusting some certificate on like NuGet.org? With out more information, such as specifically what isn't working, when you get the error, etc, I can only guess.

                      1 Reply Last reply Reply Quote 0
                      • ? This user is from outside of this forum
                        Guest
                        last edited by

                        Hi,

                        Do vulnerability scan requires SSL connection?If yes than I have configured my proget site over SSL certificate and it should as expected right?

                        1 Reply Last reply Reply Quote 0
                        • ? This user is from outside of this forum
                          Guest
                          last edited by

                          This is unrelated.

                          When you configure ProGet for SSL, that means ProGet's users communicate with ProGet using SSL (HTTPS instead of HTTP). This has nothing to do with how ProGet communicates to external services.

                          Vulnerability scanning uses an HTTPS connection to a third-party website. Your server must not trust that site for whatever reason.

                          1 Reply Last reply Reply Quote 0
                          • ? This user is from outside of this forum
                            Guest
                            last edited by

                            My team is looking at using your service to scan packages within an internal Proget server. It appears from the source, in the GetPackageRequestStream method builds a JSON object (VorPackage) that ONLY sends feed type, group, and package name to Vor to check for vulnerabilities. Is there anything else sent to Vorsecuritty to determine vulnerabilities?

                            Reference:
                            https://github.com/Inedo/progetx-vorsecurity/blob/master/VulnerabilitySources/VorSecurityVulnerabilitySource.cs
                            https://inedo.com/support/tutorials/proget/configuring-a-vulnerability-source

                            1 Reply Last reply Reply Quote 0
                            • ? This user is from outside of this forum
                              Guest
                              last edited by

                              Correct; that, and the API key, are what get sent over.

                              1 Reply Last reply Reply Quote 0

                              Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                              Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                              With your input, this post could be even better 💗

                              Register Login
                              • 1 / 1
                              • First post
                                Last post
                              Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation