
Duplicate unassessed vulnerabilities



  • Hi,

    We recently started with the Software Composition Analysis feature of ProGet and now have a good overview of the packages we use. We have set all unassessed vulnerabilities to caution so the builds won't fail, but we do have a good overview of the vulnerabilities.

    Weekly we clean the NuGet caches and run all our builds, but these fail as a lot of assessments seem to reset and block the download. Here is an example, but there are many, many packages where we need to assess the same vulnerability over and over again, which is tedious and in the end undoable.

    (screenshot attachment: afb3b7a0-f2c3-4acd-91bd-6d45ae7a866f-image.png)


  • inedo-engineer

    Hi @v-makkenze_6348 ,

    I can see that you're using the OSS Index? Did you also add PGVC as a source?

    I didn't review or try to reproduce this particular case yet... but we have seen this "duplicate data" problem happen from time to time with OSS Index. It's a data-quality issue; ProGet maintains an "external ID", and sometimes OSS Index will report duplicate

    ProGet will display the External ID when you click on the vulnerability; that should be unique.

    However, based on the description... I wonder if that's the case here? Does this seem to happen with cached packages only, as they've been removed? Any other insight you could provide would be very helpful, so we can investigate this further.

    Cheers,
    Alana



  • Hi,

    I just added all available sources as I didn't know which one to choose

    • OSS Index
    • PGVC
    • ProGet Vulnerability Central

    For now I removed OSS Index and ProGet Vulnerability Central and only have PGVC
    (not sure what the difference between ProGet Vulnerability Central and PGVC is)

    I set severity for these two vulnerabilities to caution
    GHSA-wc69-rhjr-hc9g : Moment.js vulnerable to Inefficient Regular Expression Complexity
    GHSA-8hfj-j24r-96c4 : Path Traversal: 'dir/../../filename' in moment.locale

    Cleared the NuGet cache and ran a build that uses this package.

    Then I started experimenting with turning things on and off and running the Tasks VulnerabilityDownloader and VulnerabilityDownloader.

    With only PGVC I see only this one but not the other ones
    GHSA-8hfj-j24r-96c4 : Path Traversal: 'dir/../../filename' in moment.locale

    With OSS and PGVC I see 11 vulnerabilities but no duplicates

    With all three I see 12 vulnerabilities and a duplicate for GHSA-8hfj-j24r-96c4
    When I select them they have the same ID but vulnerabilityId in the url is different.

    For now I turned ProGet Vulnerability Central off, or should I use that one and turn PGVC off?

    I'm using Version 2022.27 (Build 9)
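The experiment above boils down to one check: do two listing entries share the same external advisory ID but carry different internal vulnerabilityId values? The following is an added example (not code from this thread or from Inedo) that runs that check over a constructed set of records. The record layout, the numeric internal IDs, the source names and the placeholder GHSA-example IDs are all assumptions; only the two moment.js GHSA IDs come from the post.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    vulnerability_id: int   # assumed: ProGet's internal id (the vulnerabilityId in the URL)
    external_id: str        # advisory id reported by the source, e.g. a GHSA id
    source: str             # name of the vulnerability source that reported it


OSS = "OSS Index"
PGVC = "PGVC"
MANUAL = "ProGet Vulnerability Central"   # the manually added second source from the post
ALL_SOURCES = {OSS, PGVC, MANUAL}

# Constructed sample data mirroring the counts described in the post;
# the GHSA-example-* ids are placeholders, not real advisories.
SAMPLE_RECORDS = [
    VulnRecord(1, "GHSA-wc69-rhjr-hc9g", OSS),
    VulnRecord(2, "GHSA-8hfj-j24r-96c4", OSS),
] + [
    VulnRecord(3 + i, f"GHSA-example-{i:04d}", OSS) for i in range(9)
] + [
    # PGVC reports the same advisory under the same internal id: no duplicate.
    VulnRecord(2, "GHSA-8hfj-j24r-96c4", PGVC),
    # The extra source reports it under a different internal id: a duplicate row.
    VulnRecord(12, "GHSA-8hfj-j24r-96c4", MANUAL),
]


def enabled(records, sources):
    """Keep only records reported by the currently enabled sources."""
    return [r for r in records if r.source in sources]


def listed_count(records):
    """Number of rows a listing keyed on (internal id, external id) would show."""
    return len({(r.vulnerability_id, r.external_id) for r in records})


def find_duplicates(records):
    """Map each external id that appears under more than one internal id to the
    sorted (internal id, source) pairs reporting it, so the offending source is visible."""
    by_external = defaultdict(set)
    for r in records:
        by_external[r.external_id].add((r.vulnerability_id, r.source))
    return {
        ext: sorted(pairs)
        for ext, pairs in by_external.items()
        if len({vid for vid, _ in pairs}) > 1
    }


if __name__ == "__main__":
    for combo in ({PGVC}, {OSS, PGVC}, ALL_SOURCES):
        subset = enabled(SAMPLE_RECORDS, combo)
        print(sorted(combo), "->", listed_count(subset), "listed;",
              "duplicates:", find_duplicates(subset) or "none")
```

With only PGVC the listing has one row, with OSS Index plus PGVC eleven rows and no duplicates, and with all three sources twelve rows where GHSA-8hfj-j24r-96c4 appears under two internal IDs; the duplicate report names the third source as the one introducing the second ID, which is the fact to carry into a support request.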


  • inedo-engineer

    Hi @v-makkenze_6348,

    When you enable the preview feature for ProGet Vulnerability Central, ProGet will add a vulnerability source named PGVC automatically, but it will not show under the vulnerability sources. It looks like after you enabled that, you added a new ProGet Vulnerability Center (which will default the name to "ProGet Vulnerability Central"). So the ProGet Vulnerability Center source should be left off and can probably be removed. That is definitely what was causing a duplicate vulnerability.

    Thanks,
    Dan

