Package Vulnerabilities - API
-
Hi,
Does the API have the functionality to view if a package is vulnerable or not? I'm trying to implement a package promotion process but I want to restrict this if the package is vulnerable.
Thanks,
-
Hey @rick-edwards_9161 ,
Yes - this would be easiest to do with the `pgutil vulns audit` command, which we're still working on documenting.

```
Description:
  List vulnerabilities associated with a package or project file

Usage:
  pgutil vulns audit [options]

Options:
  --input=<input>        Project to audit for vulnerable packages
  --package=<package>    Name of package to audit for vulnerabilities
  --type=<type>          Type of package to audit for vulnerabilities
                         Valid values: apk, deb, maven, nuget, conda, cran, helm, npm, pypi, rpm, gem
  --version=<version>    Version of package to audit for vulnerabilities
  -?, --help             Show help and usage information
```
See Getting started with pgutil to learn more.
-
Hi Steve,
Thanks for your reply.
Is there an equivalent endpoint to use via the HTTP-hosted API?
e.g. we are referencing our packages using `GET /api/packages/MyNuGetFeed/versions?name=myNugetPackage`
Thanks,
-
Hi @rick-edwards_9161 ,
There is a corresponding API, but we haven't documented it yet.
For now, you have to "reverse engineer" the code (ProGetClient.cs):
```csharp
using System;
using System.Collections.Generic;
using System.Net.Http.Json;
using System.Runtime.CompilerServices;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Excerpt from ProGetClient.cs: POSTs the list of package identifiers to
// api/sca/audit-package-vulns and streams back the VulnerabilityInfo records
// as they are deserialized from the response.
public async IAsyncEnumerable<VulnerabilityInfo> AuditPackagesForVulnerabilitiesAsync(
    IReadOnlyList<PackageVersionIdentifier> packages,
    [EnumeratorCancellation] CancellationToken cancellationToken = default)
{
    ArgumentNullException.ThrowIfNull(packages);

    // Request body: the package identifiers serialized as a JSON array.
    using var response = await this.http.PostAsJsonAsync(
        "api/sca/audit-package-vulns",
        packages,
        ProGetApiJsonContext.Default.IReadOnlyListPackageVersionIdentifier,
        cancellationToken).ConfigureAwait(false);

    // Throws on a non-success status, so callers never iterate an error body.
    await CheckResponseAsync(response, cancellationToken).ConfigureAwait(false);

    using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);

    // Response body: a JSON array of VulnerabilityInfo; each element is yielded as it is read.
    await foreach (var v in JsonSerializer.DeserializeAsyncEnumerable(
        stream, ProGetApiJsonContext.Default.VulnerabilityInfo, cancellationToken).ConfigureAwait(false))
    {
        yield return v!;
    }
}
```
We do plan to document all this in the coming weeks/months.
Thanks,
Steve
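The promotion gate the question asks about, built on the endpoint shown above, as an added example (not Inedo's code and not part of this thread). What the thread supports: the endpoint is `POST api/sca/audit-package-vulns`, the body is a JSON array of package identifiers, and the response is a JSON array of `VulnerabilityInfo` objects. Everything else is an assumption to adjust against your server: the identifier field names (`type`, `name`, `version`, optional `group`), that each vulnerability carries an `id` field, and that the key is sent in ProGet's `X-ApiKey` header. The demo runs offline against a constructed response, and the gate fails closed when the server answers with an error (as a ProGet 2023 server does for this endpoint).

```python
"""Promotion gate on ProGet's api/sca/audit-package-vulns endpoint (added example)."""
import json
import urllib.request

AUDIT_PATH = "api/sca/audit-package-vulns"   # path taken from ProGetClient.cs above


def package_identifier(name, version, pkg_type, group=None):
    """Build one package identifier. Field names are an assumption, not documented."""
    ident = {"type": pkg_type, "name": name, "version": version}
    if group:
        ident["group"] = group
    return ident


def build_audit_request(base_url, api_key, packages):
    """POST the identifier list as JSON. X-ApiKey is assumed to be accepted here."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/" + AUDIT_PATH,
        data=json.dumps(packages).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "X-ApiKey": api_key,
        },
    )


def fetch_vulnerabilities(req, opener=urllib.request.urlopen):
    """Return the vulnerability list, or raise on anything but a 200 with a JSON array.

    With the real urlopen a 4xx/5xx raises HTTPError before we get here; the explicit
    status check covers openers that hand back error responses. Either way the gate
    never reports "allowed" because the audit call failed.
    """
    with opener(req) as resp:
        status = resp.status
        payload = resp.read()
    if status != 200:
        raise RuntimeError(f"audit endpoint returned HTTP {status}: {payload[:200]!r}")
    vulns = json.loads(payload)
    if not isinstance(vulns, list):
        raise RuntimeError("unexpected audit response shape (expected a JSON array)")
    return vulns


def promotion_decision(vulns, accepted_ids=(), id_field="id"):
    """Allow promotion only if every reported vulnerability is on the accepted list.

    id_field is an assumption about VulnerabilityInfo's JSON; unknown entries block.
    """
    accepted = set(accepted_ids)
    blocking = [v for v in vulns if str(v.get(id_field, "")) not in accepted]
    return len(blocking) == 0, blocking


# --- Offline demo: constructed response, no ProGet server involved -------------------
class _FakeResponse:
    def __init__(self, status, body):
        self.status, self._body = status, body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


# Constructed sample vulnerabilities; the ids are placeholders, not real advisories.
SAMPLE_RESPONSE = json.dumps([
    {"id": "SAMPLE-0001", "title": "constructed sample vulnerability"},
    {"id": "SAMPLE-0002", "title": "another constructed sample"},
]).encode("utf-8")


def demo_gate(accepted_ids=()):
    """Run the gate against the constructed response; returns (allowed, blocking ids)."""
    req = build_audit_request("https://proget.example.local", "not-a-real-key",
                              [package_identifier("myNugetPackage", "1.2.3", "nuget")])
    vulns = fetch_vulnerabilities(req, opener=lambda r: _FakeResponse(200, SAMPLE_RESPONSE))
    allowed, blocking = promotion_decision(vulns, accepted_ids)
    return allowed, [v["id"] for v in blocking]


def demo_unsupported_server():
    """A server that rejects the endpoint must block promotion, not allow it."""
    req = build_audit_request("https://proget.example.local", "not-a-real-key", [])
    try:
        fetch_vulnerabilities(req, opener=lambda r: _FakeResponse(400, b"API endpoint not supported"))
    except RuntimeError:
        return "blocked"
    return "allowed"


if __name__ == "__main__":
    print(demo_gate())
    print(demo_gate(["SAMPLE-0001", "SAMPLE-0002"]))
    print(demo_unsupported_server())
```

To wire this into a real promotion step, replace `demo_gate` with a call to `fetch_vulnerabilities(build_audit_request(...))` using the default opener, keep `accepted_ids` as an explicit, reviewed list rather than an empty one by default, and treat any exception from the audit call as a failed promotion.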
-
Brilliant, thank you for your response.
Am I to assume this is only available in the 2024 version? I'm receiving "API endpoint not supported" in version 2023.34.
Thanks,
-
@rick-edwards_9161 that is correct, these will only be developed for ProGet 2024