Integrating ProGet with Vor Security



  • I'm trying to integrate ProGet with Vor Security.

    I tried the following:

    1. Updated ProGet to the latest version available (Version 4.6.3 (Build 8)).
    2. Updated Extensions.ExtensionsPath with a valid value.
    3. I tried installing the Vor Security extension (though after installation I'm not able to see anything under installed extensions).
    4. Generated an API token under the trial license of Vor Security.
    5. Trying to set it as a Vulnerability Source in ProGet by going to Administration > Manage Vulnerability Sources > Create Vulnerability Source.
    6. The UI that is available for setting a Vulnerability Source is completely different from what I'm seeing (following http://inedo.com/support/tutorials/proget/configuring-a-vulnerability-source).
    7. I'm getting only the Manual Vulnerability Source (allows known package vulnerabilities to be individually specified and edited manually) option.

    Am I missing something above?

    Product: ProGet
    Version: 4.6.3 (Build 8)




  • This means that the extensions are not properly loading; ensure that the web application has proper permission to write to the ExtensionsTempPath (in the All Settings page).

    Once extensions can load properly, then you will be able to select Vor Security.



  • Hi,

    There is only Extensions.ExtensionsPath (this path has all the permissions) on the All Settings page, but not Extensions.ExtensionsTempPath.

    Thanks.



  • Sorry, I was incorrect; there are actually two paths to set.

    Extensions.WebTempPath and Extensions.ServiceTempPath

    Once those are set, the extension can load.



  • I'm able to install the Vor Security extension after setting the paths mentioned above.

    After setting the above-mentioned paths and running VulnerabilityDownloader, I'm getting a runtime issue like "ERROR: Unhandled exception: System.ArgumentException: Assembly VorSecurity was not found. The extension may be out of date, have been deleted, or could not be loaded. ---> System.IO.FileNotFoundException: Could not load file or assembly 'VorSecurity' or one of its dependencies. The system cannot find the file specified."

    Paths that I have set:

    Extensions.ExtensionsPath
    Extensions.ServiceTempPath
    Extensions.WebTempPath

    Let me know if I'm missing anything. Thanks.



  • In this case, make sure to restart the service. The service is unable to load the assembly which must mean the extension is not loaded.



  • Restarted the service as well, but the same issue.
    Should all the paths below be unique?

    Extensions.ExtensionsPath
    Extensions.ServiceTempPath
    Extensions.WebTempPath



  • They must be unique. For example:

    Extensions.ExtensionsPath = C:\ProGet\Extensions

    Extensions.ServiceTempPath = C:\ProGet\Temp\Service

    Extensions.WebTempPath = C:\ProGet\Temp\Web



  • Team,

    After setting everything as discussed above, on "Override scheduling and run VulnerabilityDownloader now?" I'm getting a runtime error like:

    ERROR: Unhandled exception: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

    Let me know if I'm missing something above.



  • That error is not related; it sounds like a connector issue. Perhaps your internal network is not trusting some certificate on, say, NuGet.org? Without more information, such as specifically what isn't working, when you get the error, etc., I can only guess.



  • Hi,

    Does the vulnerability scan require an SSL connection? If yes, then I have configured my ProGet site with an SSL certificate and it should work as expected, right?



  • This is unrelated.

    When you configure ProGet for SSL, that means ProGet's users communicate with ProGet using SSL (HTTPS instead of HTTP). This has nothing to do with how ProGet communicates to external services.

    Vulnerability scanning uses an HTTPS connection to a third-party website. Your server must not trust that site for whatever reason.
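
One way to find out why the server does not trust the remote site, as an added example that is not part of the original thread: run this PowerShell function on the ProGet server to record the policy errors and per-certificate chain status that .NET's validation reports. The function name `Get-TlsTrustReport` and the host `vulnerability-source.example` are placeholders; the thread does not name the endpoint, so substitute the host your vulnerability source calls.

```powershell
# Added example, not from the thread. Run on the ProGet server so the
# server's own certificate stores are the ones being evaluated.
function Get-TlsTrustReport {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $report = @{ PolicyErrors = $null; Chain = @() }

    # Record what .NET's validation found. The callback returns $true only so
    # the handshake completes and the chain can be read; no data is sent.
    $recorder = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $report.PolicyErrors = $sslPolicyErrors
        $report.Chain = @(foreach ($element in $chain.ChainElements) {
            [pscustomobject]@{
                Subject  = $element.Certificate.Subject
                Issuer   = $element.Certificate.Issuer
                NotAfter = $element.Certificate.NotAfter
                Status   = ($element.ChainElementStatus |
                            ForEach-Object { $_.Status }) -join ', '
            }
        })
        $true
    }.GetNewClosure()   # captures $report so the callback can fill it in
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] $recorder

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($HostName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }

    [pscustomobject]@{
        Host         = $HostName
        Trusted      = ($report.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        PolicyErrors = $report.PolicyErrors   # e.g. RemoteCertificateChainErrors
        Chain        = $report.Chain          # leaf first, root last
    }
}

# Placeholder host (constructed): replace before running.
$result = Get-TlsTrustReport -HostName 'vulnerability-source.example'
$result | Select-Object Host, Trusted, PolicyErrors
$result.Chain | Format-List
```

A `Status` of `UntrustedRoot` or `PartialChain` on the last element points at a missing root or intermediate in the server's certificate store, which is commonly the case when a TLS-inspecting proxy sits between the server and the internet.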



  • My team is looking at using your service to scan packages within an internal ProGet server. It appears from the source that the GetPackageRequestStream method builds a JSON object (VorPackage) that ONLY sends feed type, group, and package name to Vor to check for vulnerabilities. Is there anything else sent to Vor Security to determine vulnerabilities?

    Reference:
    https://github.com/Inedo/progetx-vorsecurity/blob/master/VulnerabilitySources/VorSecurityVulnerabilitySource.cs
    https://inedo.com/support/tutorials/proget/configuring-a-vulnerability-source



  • Correct; that, and the API key, are what get sent over.

