
Link between SCA Project and Package



  • We have started evaluating the SCA / SBOM function within ProGet. When using pgscan to build/load the SBOM, I see the release and project appearing in the "Reporting & SCA" section -- with a nice breakdown of all imports and associated vulnerability risk.

    As it stands right now, the two locations show conflicting data:

    • the SCA/Project page says that there are vulnerabilities

    but

    • The Package page shows that there are none (presumably since our internally built packages aren't found on any OSS listing)

    Is there any way that these findings can be propagated to the actual Package/artifact within our internal feed?


  • inedo-engineer

    Hi @dan-brown_0128 ,

    It's hard to say exactly what's going on without seeing the specifics, but I think I might know what's going on.

    In ProGet, Projects & Releases are not associated with feeds; only package IDs. This means that, if you have the same package in multiple feeds that have SCA Features enabled, ProGet will pick one of those "at random" and link to it in the UI - and I guess this selection is wrong in your case? That is, if you navigate to another feed with that package, it will show the vulnerabilities you are seeking?

    If you disable the "SCA Feature" on the Feed Management page, then it should link correctly.

    Thanks,
    Alana



  • @atripp I've set up a testing app just to experiment with. It currently only exists in one feed

    [screenshot: feed containing the test app]

    In this example, v2013.7.13.4 has issues associated from SCA (one vulnerability from 3 CVE and one missing package)
    [screenshot: SCA project release view]

    When I go to that version within the feed, I see no known vulnerabilities. Note we don't have any OSS Index associated with this feed since it's our internally built tools - closed source.

    [screenshot: package version page in the feed]

    My thought is that the vulnerabilities listed on the Project + Version/Release level should propagate down to the package in the feed as well. Is that a fair understanding of how it should work?


  • inedo-engineer

    Hi @dan-brown_0128,

    Looking at your screenshot, the vulnerabilities associated with your SCA project come from the jQuery package you are using in ScaTestApp. When using the SCA feature in ProGet, your application dependencies are scanned using pgscan (or any other SBOM tool) and uploaded to ProGet. We can then look at each dependency, check for vulnerabilities, and associate that with the project.

    Your last screenshot looks like you uploaded the ScaTestApp as a NuGet Package. In this case, only the name of the project and the version are sent to OSS Index to see if OSS Index has any known vulnerabilities for that package. It does not look at any dependencies, files, etc... for vulnerabilities.

    Please let me know if you have any questions.

    Thanks,
    Rich



  • @rhessinger Thanks for the clarification. Just to be sure - there's no linkage between the SCA Project back to the NuGet package / feed, right? The two modules are basically independent of each other.


  • inedo-engineer

    Hi @dan-brown_0128,

    The only linkage between the SCA project and the NuGet package/feed (and other feed types when associated) is that the SCA project will look at all the associated NuGet packages' feeds to pull their relevant license and vulnerability data for each associated package. It then displays that information in the SCA project and creates issues if it finds problems (blocked license, blocked due to vulnerability, missing package, etc...).

    Thanks,
    Rich
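
The behaviour described in the two replies from Rich above (the package page consults only the package's own ID and version, while the SCA project walks the SBOM's dependency list and raises vulnerability, blocked-license and missing-package issues) as an added illustration in Python. This is not ProGet's or pgscan's code: the CycloneDX-style SBOM, the vulnerability IDs, the feed contents and the license policy are all constructed inline so the script runs offline, and ProGet's real data sources and matching rules are not modelled.

```python
"""Added example (not ProGet's code): why a package-ID lookup and an SBOM scan disagree.

The lookup shown on a package page keys only on the package's own name and
version; an SCA scan walks the SBOM's dependency list instead. Everything below
(SBOM, vulnerability list, feed contents, license policy) is constructed.
"""
import json

# Constructed CycloneDX-style SBOM for a hypothetical internal app.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "ScaTestApp", "version": "2013.7.13.4",
                               "type": "application"}},
    "components": [
        {"name": "jQuery", "version": "1.12.4", "type": "library",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "Newtonsoft.Json", "version": "13.0.1", "type": "library",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "LeftPadClone", "version": "0.0.1", "type": "library",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    ],
})

# Constructed vulnerability data keyed by (lower-cased name, version).
# The IDs are placeholders, not real CVE identifiers.
VULN_DB = {
    ("jquery", "1.12.4"): ["VULN-CONSTRUCTED-001", "VULN-CONSTRUCTED-002",
                           "VULN-CONSTRUCTED-003"],
}

# Constructed contents of the internal feeds: only these can be resolved.
FEED_PACKAGES = {
    ("scatestapp", "2013.7.13.4"),
    ("jquery", "1.12.4"),
    ("newtonsoft.json", "13.0.1"),
}

# Constructed license policy (assumption for the example).
BLOCKED_LICENSES = {"AGPL-3.0-only"}


def package_lookup(name, version, vuln_db=VULN_DB):
    """Package-page style check: only the package's own ID and version matter."""
    return list(vuln_db.get((name.lower(), version), []))


def parse_sbom(text):
    """Return (root component, dependency components) from a CycloneDX JSON doc."""
    bom = json.loads(text)
    return bom["metadata"]["component"], bom.get("components", [])


def _license_ids(component):
    """Collect SPDX license IDs declared on a CycloneDX component."""
    return [entry["license"]["id"] for entry in component.get("licenses", [])
            if "id" in entry.get("license", {})]


def scan_sbom(text, vuln_db=VULN_DB, feed_packages=FEED_PACKAGES,
              blocked_licenses=BLOCKED_LICENSES):
    """SCA-project style check: walk every dependency and raise issues.

    Issue types mirror the ones named in the thread: missing package,
    vulnerability, and blocked license.
    """
    _root, deps = parse_sbom(text)
    issues = []
    for dep in deps:
        key = (dep["name"].lower(), dep["version"])
        base = {"package": dep["name"], "version": dep["version"]}
        if key not in feed_packages:
            issues.append({**base, "type": "missing-package"})
        for vuln in vuln_db.get(key, []):
            issues.append({**base, "type": "vulnerability", "id": vuln})
        for lic in _license_ids(dep):
            if lic in blocked_licenses:
                issues.append({**base, "type": "blocked-license", "license": lic})
    return issues


if __name__ == "__main__":
    root, _ = parse_sbom(SBOM_JSON)
    # The app's own package ID has no entry, so the package page reports nothing.
    print("package lookup:", package_lookup(root["name"], root["version"]))
    # The SBOM scan reports the jQuery findings plus license/missing-package issues.
    for issue in scan_sbom(SBOM_JSON):
        print("sca issue:", issue)
```

Running the script shows the disagreement from the thread directly: the package-level lookup for ScaTestApp returns an empty list, while the SBOM scan of the same release returns three vulnerability issues for jQuery, a missing-package issue for the component that is in no feed, and a blocked-license issue. The two checks look at different inputs, which is why neither result is "wrong".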

