Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Integrating ProGet with Vor Security
-
I'm able to install the vor security extension after setting path mentioned above.
After setting above mentioned path, and on run VulnerabilityDownloader, getting runtime issue like "ERROR: Unhandled exception: System.ArgumentException: Assembly VorSecurity was not found. The extension may be out of date, have been deleted, or could not be loaded. ---> System.IO.FileNotFoundException: Could not load file or assembly 'VorSecurity' or one of its dependencies. The system cannot find the file specified."
Path that I have set:
Extensions.ExtensionsPath
Extensions.ServiceTempPath
Extensions.WebTempPathLet me know if I'm missing anything.Thanks
-
In this case, make sure to restart the service. The service is unable to load the assembly which must mean the extension is not loaded.
-
Restarted Service as well, but the same issue.
Below all path should be unique?Extensions.ExtensionsPath
Extensions.ServiceTempPath
Extensions.WebTempPath -
It must be unique. For example:
Extensions.ExtensionsPath = C:\ProGet\Extensions
Extensions.ServiceTempPath = C:\ProGet\Temp\Service
Extensions.WebTempPath= C:\ProGet\Temp\Web
-
Team,
After setting everything as discussed above, on "Override scheduling and run VulnerabilityDownloader now?" getting a runtime error like:
ERROR: Unhandled exception: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Let me know if I'm missing something above.
-
That error is not related ; it sounds like a connector issue. Perhaps your internal network is not trusting some certificate on like NuGet.org? With out more information, such as specifically what isn't working, when you get the error, etc, I can only guess.
-
Hi,
Do vulnerability scan requires SSL connection?If yes than I have configured my proget site over SSL certificate and it should as expected right?
-
This is unrelated.
When you configure ProGet for SSL, that means ProGet's users communicate with ProGet using SSL (HTTPS instead of HTTP). This has nothing to do with how ProGet communicates to external services.
Vulnerability scanning uses an HTTPS connection to a third-party website. Your server must not trust that site for whatever reason.
-
My team is looking at using your service to scan packages within an internal Proget server. It appears from the source, in the GetPackageRequestStream method builds a JSON object (VorPackage) that ONLY sends feed type, group, and package name to Vor to check for vulnerabilities. Is there anything else sent to Vorsecuritty to determine vulnerabilities?
Reference:
https://github.com/Inedo/progetx-vorsecurity/blob/master/VulnerabilitySources/VorSecurityVulnerabilitySource.cs
https://inedo.com/support/tutorials/proget/configuring-a-vulnerability-source -
Correct; that, and the API key, are what get sent over.
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login