ProGet Unable to publish SBOM from pgutil



  • Hi,

    I am trialling the SBOM functionality in ProGet using pgutil builds scan but it errors when trying to publish the SBOM to ProGet.

     pgutil builds scan --source=$Source --api-key=$ApiKey --input=$ProjectPath --project-name=$ProjectName --version=$ReleaseNumber
    Scanning for dependencies in .\REDACTED.csproj...
    Publishing SBOM to ProGet...
    Server responded with InternalServerError (500): 547`16`0`Projects_CreateOrUpdateProject`44`The INSERT statement conflicted with the CHECK constraint "CK__Projects__Project_Name". The conflict occurred in database "REDACTED", table "dbo.Projects", column 'Project_Name'.
    Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements. Previous count = 1, current count = 0.
    

    Server: ProGet 2025.25 (Build 11)
    Database: Microsoft SQL Server 2019
    PgUtil: 2.2.7

    I am able to create a project from the Web UI, but the pgutil error is still present after manually creating the project in ProGet.


  • inedo-engineer

    Hi @Ashley,

    I took a look into this error, and the constraint that is failing only checks for the Project_Name to not be an empty string. Based on your pgutil command, I'm guessing $ProjectName is set to null or an empty string. Can you verify that $ProjectName is not null, empty, or whitespace?

    Thanks,
    Dan



  • Hi @Dan_Woolf

    I had to restart my computer so I lost my PowerShell variables, but I'm going to say you were correct. I ran it again and didn't get the errors - my bad!

    This might be for a separate thread, but after providing the correct inputs 🤦, ProGet thinks every build package is noncompliant, but if I click into one of the packages which takes me to the feed, the package is correctly reporting as compliant.

    Project Build:
    3ad7f279-a301-49f4-8742-3121d0b66bfa-image.png

    Example Package Feed:
    63a7df21-839b-4e16-85b3-d4bf6fab444f-image.png

    If I analyze my Build again, this is part of the log output (too long to post the entire thing):

    Using recently cached (04/05/2026 09:06:59) metadata.
    Analyzing compliance for Azure.Core 1.47.1...
    Beginning license rule analysis...
    Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
    Checking MIT against rules...
    No matching license rules; applying unspecifiedLicense rule (Compliant)
    License rule analysis complete.
    Policy "Global" considers aged packages (3 years) Warn
    The package is not cached or local to any feed; cannot determine Publish Date.
    Policy "Global" considers recently published (7 days) Noncompliant
    The package is not cached or local to any feed; cannot determine Publish Date.
    No policies define a latest patch, so latest patch will not be checked.
    Analysis resulted in a Noncompliant result.
    Azure.Core 1.47.1 is Noncompliant Package is Recently Published
    Using recently cached (04/05/2026 08:35:56) metadata.
    Analyzing compliance for Azure.Identity 1.14.2...
    Beginning license rule analysis...
    Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
    Checking MIT against rules...
    No matching license rules; applying unspecifiedLicense rule (Compliant)
    License rule analysis complete.
    Package is deprecated.
    Policy "Global" considers deprecation Warn
    Policy "Global" considers aged packages (3 years) Warn
    The package is not cached or local to any feed; cannot determine Publish Date.
    Policy "Global" considers recently published (7 days) Noncompliant
    The package is not cached or local to any feed; cannot determine Publish Date.
    No policies define a latest patch, so latest patch will not be checked.
    Analysis resulted in a Noncompliant result.
    Azure.Identity 1.14.2 is Noncompliant Package Status is Deprecated; Package is Recently Published
    Using recently cached (04/05/2026 08:35:56) metadata.
    Analyzing compliance for Microsoft.Bcl.AsyncInterfaces 8.0.0...
    Beginning license rule analysis...
    Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
    Checking MIT against rules...
    No matching license rules; applying unspecifiedLicense rule (Compliant)
    License rule analysis complete.
    Policy "Global" considers aged packages (3 years) Warn
    The package is not cached or local to any feed; cannot determine Publish Date.
    Policy "Global" considers recently published (7 days) Noncompliant
    The package is not cached or local to any feed; cannot determine Publish Date.
    No policies define a latest patch, so latest patch will not be checked.
    Analysis resulted in a Noncompliant result.
    Microsoft.Bcl.AsyncInterfaces 8.0.0 is Noncompliant Package is Recently Published
    Using recently cached (04/05/2026 08:35:56) metadata.
    Analyzing compliance for Microsoft.Bcl.Cryptography 9.0.4...
    Beginning license rule analysis...
    Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
    Checking MIT against rules...
    No matching license rules; applying unspecifiedLicense rule (Compliant)
    License rule analysis complete.
    Policy "Global" considers aged packages (3 years) Warn
    The package is not cached or local to any feed; cannot determine Publish Date.
    Policy "Global" considers recently published (7 days) Noncompliant
    The package is not cached or local to any feed; cannot determine Publish Date.
    No policies define a latest patch, so latest patch will not be checked.
    Analysis resulted in a Noncompliant result.
    Microsoft.Bcl.Cryptography 9.0.4 is Noncompliant Package is Recently Published
    Using recently cached (04/05/2026 08:37:50) metadata.
    Analyzing compliance for Microsoft.Data.SqlClient 6.1.1...
    Beginning license rule analysis...
    Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
    Checking MIT against rules...
    No matching license rules; applying unspecifiedLicense rule (Compliant)
    License rule analysis complete.
    Policy "Global" considers aged packages (3 years) Warn
    The package is not cached or local to any feed; cannot determine Publish Date.
    Policy "Global" considers recently published (7 days) Noncompliant
    The package is not cached or local to any feed; cannot determine Publish Date.
    No policies define a latest patch, so latest patch will not be checked.
    Analysis resulted in a Noncompliant result.
    Microsoft.Data.SqlClient 6.1.1 is Noncompliant Package is Recently Published
    Using recently cached (04/05/2026 08:35:57) metadata.
    Analyzing compliance for microsoft.data.sqlclient.sni.runtime 6.0.2...
    Beginning license rule analysis...
    Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
    The package is not cached or local to any feed; without package metadata, license detection is limited.
    No licenses detected on package; applying undectableLicense rule (Warn)
    License rule analysis complete.
    Policy "Global" considers aged packages (3 years) Warn
    The package is not cached or local to any feed; cannot determine Publish Date.
    Policy "Global" considers recently published (7 days) Noncompliant
    The package is not cached or local to any feed; cannot determine Publish Date.
    No policies define a latest patch, so latest patch will not be checked.
    Analysis resulted in a Noncompliant result.
    microsoft.data.sqlclient.sni.runtime 6.0.2 is Noncompliant Package is Recently Published; No license detected
    

    From a brief look at the logs, I'm guessing this is to do with our recently published rule not being calculated for packages that are yet to be cached locally. We are trialling this prior to the build step, so we can't make the assumption that a particular package version will be cached locally in ProGet when running pgutil scan.

    Any help is much appreciated.

    Thanks,
    Ashley
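
An added example, not part of the thread or Inedo's code: a small triage script for the analysis log quoted above. It lists packages marked Noncompliant as "Recently Published" while the log also says the publish date could not be determined. It assumes the line shapes seen in that log; the function names and the trimmed sample are constructed here.

```python
import re

# Constructed sample: a trimmed excerpt of the analysis log quoted in the post above.
SAMPLE_LOG = """\
Analyzing compliance for Azure.Core 1.47.1...
The package is not cached or local to any feed; cannot determine Publish Date.
Azure.Core 1.47.1 is Noncompliant Package is Recently Published
Analyzing compliance for Azure.Identity 1.14.2...
Package is deprecated.
The package is not cached or local to any feed; cannot determine Publish Date.
Azure.Identity 1.14.2 is Noncompliant Package Status is Deprecated; Package is Recently Published
Analyzing compliance for microsoft.data.sqlclient.sni.runtime 6.0.2...
The package is not cached or local to any feed; cannot determine Publish Date.
microsoft.data.sqlclient.sni.runtime 6.0.2 is Noncompliant Package is Recently Published; No license detected
"""

START = re.compile(r"^Analyzing compliance for (\S+) (\S+)\.\.\.$")
VERDICT = re.compile(r"^(\S+) (\S+) is (\w+)(?: (.*))?$")
NO_DATE = "cannot determine Publish Date"
RECENT = "Package is Recently Published"

def parse_analysis(log_text):
    """One record per package: verdict, reasons, and whether the publish date was unavailable."""
    records, cur = [], None
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = START.match(line)
        if m:
            cur = {"id": f"{m[1]} {m[2]}", "verdict": None, "reasons": [], "no_date": False}
            records.append(cur)
        elif cur and NO_DATE in line:
            cur["no_date"] = True
        # Only accept a verdict line that names the package currently being analyzed.
        elif cur and (v := VERDICT.match(line)) and f"{v[1]} {v[2]}" == cur["id"]:
            cur["verdict"] = v[3]
            cur["reasons"] = [r.strip() for r in (v[4] or "").split(";") if r.strip()]
    return records

def triage(records):
    """Split Noncompliant results citing 'Recently Published' without a known publish date
    into those with no other stated reason and those with further reasons to review."""
    date_only, with_other = [], {}
    for r in records:
        if r["verdict"] == "Noncompliant" and r["no_date"] and RECENT in r["reasons"]:
            other = [x for x in r["reasons"] if x != RECENT]
            if other:
                with_other[r["id"]] = other
            else:
                date_only.append(r["id"])
    return date_only, with_other

if __name__ == "__main__":
    print(triage(parse_analysis(SAMPLE_LOG)))
```

The first list holds packages whose only stated reason is the date-based rule; the second maps the remaining packages to the other reasons in their verdict line.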

