Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Integrating ProGet with Vor Security

    Scheduled Pinned Locked Moved Support
    proget
    14 Posts 1 Posters 28 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ? This user is from outside of this forum
      Guest
      last edited by

      I'm trying to Integrate ProGet with Vor Security.

      I tried the following:

      1. Updated the ProGet to the latest version available (Version 4.6.3 (Build 8))
      2. Updated Extensions.ExtensionsPath with a valid value.
      3. I tried installing the VoR Security extension(though after installation I'm not able to see anything under installed extensions)
      4. Generated API token under the Trial license of Vor Security
      5. Trying to set it as Vulnerability Source in ProGet going to Administration-> Manage vulnerability Sources > Create Vulnerability Source.
      6. UI that is available for Setting Vulnerability Source is completely different as I'm seeing.(following http://inedo.com/support/tutorials/proget/configuring-a-vulnerability-source)
      1. I'm getting Manual Vulnerability Source(allows known packages vulnerabilities to be individually specified and edited manually) only option.

      Am I missing something above?

      Product: ProGet
      Version: 4.6.3 (Build 8)

      Product: ProGet
      Version: 4.6.3

      1 Reply Last reply Reply Quote 0
      • ? This user is from outside of this forum
        Guest
        last edited by

        This means that the extensions are not properly loading; ensure that the web application has proper permission to write to the ExtensionsTempPath (in the All Settings page).

        Once extensions can load properly, then you will be able to select Vor Security.

        1 Reply Last reply Reply Quote 0
        • ? This user is from outside of this forum
          Guest
          last edited by

          Hi,

          There are only Extensions.ExtensionsPath(this path have all the permission) but not the Extensions.ExtensionsTempPath present in All Setting page.

          Thanks.

          1 Reply Last reply Reply Quote 0
          • ? This user is from outside of this forum
            Guest
            last edited by

            Sorry, I was incorrect; there are actually two paths to set.

            Extensions.WebTempPath and Extensions.ServiceTempPath

            Once those are set, the extension can load.

            1 Reply Last reply Reply Quote 0
            • ? This user is from outside of this forum
              Guest
              last edited by

              I'm able to install the vor security extension after setting path mentioned above.

              After setting above mentioned path, and on run VulnerabilityDownloader, getting runtime issue like "ERROR: Unhandled exception: System.ArgumentException: Assembly VorSecurity was not found. The extension may be out of date, have been deleted, or could not be loaded. ---> System.IO.FileNotFoundException: Could not load file or assembly 'VorSecurity' or one of its dependencies. The system cannot find the file specified."

              Path that I have set:

              Extensions.ExtensionsPath
              Extensions.ServiceTempPath
              Extensions.WebTempPath

              Let me know if I'm missing anything.Thanks

              1 Reply Last reply Reply Quote 0
              • ? This user is from outside of this forum
                Guest
                last edited by

                In this case, make sure to restart the service. The service is unable to load the assembly which must mean the extension is not loaded.

                1 Reply Last reply Reply Quote 0
                • ? This user is from outside of this forum
                  Guest
                  last edited by

                  Restarted Service as well, but the same issue.
                  Below all path should be unique?

                  Extensions.ExtensionsPath
                  Extensions.ServiceTempPath
                  Extensions.WebTempPath

                  1 Reply Last reply Reply Quote 0
                  • ? This user is from outside of this forum
                    Guest
                    last edited by

                    It must be unique. For example:

                    Extensions.ExtensionsPath = C:\ProGet\Extensions

                    Extensions.ServiceTempPath = C:\ProGet\Temp\Service

                    Extensions.WebTempPath= C:\ProGet\Temp\Web

                    1 Reply Last reply Reply Quote 0
                    • ? This user is from outside of this forum
                      Guest
                      last edited by

                      Team,

                      After setting everything as discussed above, on "Override scheduling and run VulnerabilityDownloader now?" getting a runtime error like:

                      ERROR: Unhandled exception: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

                      Let me know if I'm missing something above.

                      1 Reply Last reply Reply Quote 0
                      • ? This user is from outside of this forum
                        Guest
                        last edited by

                        That error is not related ; it sounds like a connector issue. Perhaps your internal network is not trusting some certificate on like NuGet.org? With out more information, such as specifically what isn't working, when you get the error, etc, I can only guess.

                        1 Reply Last reply Reply Quote 0
                        • ? This user is from outside of this forum
                          Guest
                          last edited by

                          Hi,

                          Do vulnerability scan requires SSL connection?If yes than I have configured my proget site over SSL certificate and it should as expected right?

                          1 Reply Last reply Reply Quote 0
                          • ? This user is from outside of this forum
                            Guest
                            last edited by

                            This is unrelated.

                            When you configure ProGet for SSL, that means ProGet's users communicate with ProGet using SSL (HTTPS instead of HTTP). This has nothing to do with how ProGet communicates to external services.

                            Vulnerability scanning uses an HTTPS connection to a third-party website. Your server must not trust that site for whatever reason.

                            1 Reply Last reply Reply Quote 0
                            • ? This user is from outside of this forum
                              Guest
                              last edited by

                              My team is looking at using your service to scan packages within an internal Proget server. It appears from the source, in the GetPackageRequestStream method builds a JSON object (VorPackage) that ONLY sends feed type, group, and package name to Vor to check for vulnerabilities. Is there anything else sent to Vorsecuritty to determine vulnerabilities?

                              Reference:
                              https://github.com/Inedo/progetx-vorsecurity/blob/master/VulnerabilitySources/VorSecurityVulnerabilitySource.cs
                              https://inedo.com/support/tutorials/proget/configuring-a-vulnerability-source

                              1 Reply Last reply Reply Quote 0
                              • ? This user is from outside of this forum
                                Guest
                                last edited by

                                Correct; that, and the API key, are what get sent over.

                                1 Reply Last reply Reply Quote 0

                                Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                                Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                                With your input, this post could be even better 💗

                                Register Login
                                • 1 / 1
                                • First post
                                  Last post
                                Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation