
[ProGet] Malicious package blocking



  • Can you please provide further details on the handling of malicious packages? The Inedo Security Labs site (https://security.inedo.com/vulnerability/malicious-packages) states:

    Our research team is constantly monitoring these threats and evolving our detection methods to stay ahead of these attacks. Below is a list of packages that we're aware of and actively blocking in ProGet.

    However I can't find the corresponding documentation for such a feature, only the following which covers vulnerable packages but does not mention malicious packages: https://docs.inedo.com/docs/proget/sca/vulnerabilities

    Specifically, I'd like to know:

    1. What version of ProGet is required to block malicious packages?
    2. What configuration settings are needed to block malicious packages?
    3. Can a block be overridden?
    4. Is the malicious package list retrieved periodically and stored locally on the ProGet instance? If so, how often is this done and is this configurable?
    5. What visibility do we get when a malicious package is blocked?

  • inedo-engineer

    Hi @MellowOak,

    A quick background on how ProGet handles malicious packages. Malicious packages are treated as vulnerabilities in ProGet. That means that a malicious package will show up as an unassessed vulnerability (since they rarely have a CVSS score) and can be assessed, analyzed, and blocked like any other package with a vulnerability. With that said, most of the time, this blocking is not needed because as soon as they are identified as a malicious package, the public feed will have already removed the package. The only time they are really caught in ProGet is when they have already been downloaded and cached. In ProGet 2026, we are working on a better way to store and distinguish malicious packages separate from vulnerabilities.

    To answer your questions:

    1. All paid editions support the ability to block malicious packages via policies. Please refer to our License Restrictions documentation for edition limitations.
    2. The best configuration for blocking malicious packages is to block all unassessed vulnerabilities. This requires an administrator to review unassessed vulnerabilities regularly on the Reporting & SCA -> Vulnerabilities tab.
    3. Yes, a block can be overridden by:
      1. Add an exception in the policy for that package and version
      2. A ProGet admin can set the package status to Always Allow
      3. It could be manually downloaded from the ProGet UI
    4. Inedo's aggregator runs multiple times a day to pull from all the vulnerability and malicious package sources and creates a custom compressed database file. As long as ProGet has access to cdn.inedo.com, ProGet will then download that file nightly and update its database. It can be updated under Scheduled Jobs -> Vulnerability Database Updater.
    5. There are multiple ways to gain visibility, but the easiest is to use ProGet's notifier feature to be alerted when a vulnerability is found for a package.

    Hope that helps to answer your questions! Please let us know if you have any other questions.

    Thanks,
    Dan

