Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Proget vulnarability scanning
-
Hi,
I am assessing package managers for use in the company for which i work. One of the requirements is vulnerability scanning. Looking at what is available in ProGet it appears vor security is no longer valid (site is being moved to ossindex which is sonatype who produce nexus repo) and the only alternative is whitesource. Is there something in the pipeline to replace Vor or make other vulnerability scanners compatible or development and inclusion of your own equivalent?Regards
DaveProduct: ProGet
Version: 5.0.10
-
Good question.
Regarding Vor Security, that was a recent acquisition by Sonatype, and it's being transitioned into a new service called OssIndex. Sonatype plans to keep this going for the foreseeable future, and we have verified this with Ken Duck (formerly of Vor Security, now Sonatype employee). ProGet will continue to support it (we are renaming it as well).
Moreover, we are planning to work with Sonatype to better integrate their broader services (vulnerability scanning) with ProGet. We are also investigating Blackduck integration, though we're not entirely sure how it would work with ProGet.
Regarding "developing our own"... broadly speaking, there are two types of vulnerabilities scanning:
- static analysis - analyzing actual code or binaries to look for patterns (buffer overflow, etc); this is done "on your own software"
- repository/database - looking at public databases like NVD, CVE, etc. for vendor- or third-party documented vulnerabilities reported for a known, published piece of software
We don't believe that static analysis has a place in a package manger; there are a handful of tools that can scan your codebase directly for this.
As for repository/databases, it's not really bout "finding" vulnerabilities in software, it's more about "aggregating databases" and then translating those into machine-readable formats. This is what Sonatype, Whitesource, etc., do, and we think more vendors will continue to innovate in this space.
But the "repository" and "scanning" are two different problems, and you should pick the best of both problems; it would almost be like saying "Microsoft makes Office, may as well use Visual Studio and .NET".
ProGet has the extensibility support for this already, so we should be able to integrate with new providers as they come up,