RE: HTTPS with self hosted ProGet and internal web server

There is updated documentation with step-by-step instructions here:

https://docs.inedo.com/docs/installation-windows-https-support#configuring-https-on-the-integrated-web-server

Thank you for the pointers.

I think I finally got it working, though I must admit I'm still not a 100% sure what combination in what order actually led to success.

I'm already in contact with @apxltd about your planned SCA changes. I will try to write up what tripped me as part of that feedback.

Hi @atripp

Once again thanks for the quick fix.

I was actually worried that something got messed up in our database, while trying to fix the duplicate package issues, but so far everything looks good.

Also I should probably start making it a habit of stating that we're still on SQL Server, instead of having you guess. ;)

Hi @dean-houston

Thanks for the implementation.

A remark:
Both delete APIs have a bit odd behavior when it comes to return codes. They both always return 200 OK when anything was supplied, no matter if the project name (and version) matched anything to be deleted or not. Wouldn't 404 be more appropriate for the "I couldn't find anything to delete" case?

Also I would like to renew my wish to automatically deploy a new version of Inedo.ProGet when something in pgutil was changed.

Hi @atripp

Once again thanks for the quick fix.

I was actually worried that something got messed up in our database, while trying to fix the duplicate package issues, but so far everything looks good.

Also I should probably start making it a habit of stating that we're still on SQL Server, instead of having you guess. ;)

There might be a regression from the recent fixes for the issue in this thread.

One of the packages with changed names is Microsoft.NETCore.App.Runtime.win-x64 (the "NetCore" part is different now).

Recent vulnerabilities, like PGV-2576347, are no longer matched to recent package versions.

Flagging stops at the 8.0.2 version but should go up to 8.0.20.

Any chance that these package names are compared case-sensitive against the PGV database which breaks the matching for renamed packages?

Hi,

I've been looking to delete old builds from SCA, but cannot find any API endpoint for that.

All I could find was the option to archive builds, but that is not really what we need.

For projects there is at least the native API Projects_DeleteProject, but in the regular API the delete endpoint is also missing.

Could you add these missing endpoints?

However, as you noticed, the name is overwritten when a package is added to a feed. So, if jquery is the package name stored in the database, that record will be updated to jQuery upon upload of a package.

This was a pretty good hint. So far I've only been hitting the "Download Package" button, which puts the package in the cache, but apparently does not update the name in PackageNameIds. "Pull to ProGet" however seems to update that table and I can fix the old names in the database.

Thank you!

Tested in 2025.15, working as expected now - Thank you!

Hi @atripp

Just tested 2025.15 and the Vulnerability Database Updater does not cause duplications anymore - so thank you for that fix!

A small semi-related issue:

The deduplication during reindex does remove the duplicate entries, but it always leaves the entry with the wrong (old) package name behind.

E.g. when I have no jQuery package in the cache everything looks correct, most likely because the package name is taken directly from the feed:

When I download the package and it gets cached, the database entry seems to take over causing the old package name to be displayed:

Is there any way I can update these packages with changed names to use the newer one?
Maybe this could be an option during reindex?

Hi @stevedennis

I first noticed the issue on our production instance, which is older installation upgraded to 2025.10. The issue is easily reproducible on my test instance, which was just installed from scratch this September.

With database looking like the screenshot above, I ran the feed reindex with both options checked. Unfortunately that seems to clean up the wrong entry, in this case the ID 68622 gets deleted, which still has the old Package_Name.

After reindexing the integrity check is green as expected, but when I run the Vulnerability Database Updater job, the database looks like this afterwards

Running the feed integrity check again, we are back to where we started:

As the title says, after running the Vulnerability Database Updater job, duplicates appear in the PackageNameId table.
This results in the feed integrity checker complaining about the duplicates and suggesting a index rebuild with duplicate cleanup, which does not fix this issue permanently.

As a consequence, we found that in the SCA module the license of the package could no longer be detected, even though clicking on the package still navigates to the package page and shows the license as green.

It looks like packages which had their casing changed in the past are the source of this issue. In our case it happens with the jQuery NuGet package which had the "Q" uppercased.

The first row in the screenshot is present before the Vulnerability Database Updater job ran, the 2nd row appears after:

Microsoft.NETCore.* are also packages causing this issue, apparently the "NET" was uppercased at some point.

According to the NuGet spec, the package id should be handled case-insensitive. There is also this issue in the purl-spec repo.

Is this an issue in our database or something that needs to be fixed on ProGet side?

Just tested the partial updates for licenses. Everything is working smoothly now, so thank you for that.

One issue I noticed:

It looks like there is no cache invalidation after calling _progetClient.UpdateLicenseAsync().

Subsequent calls to _progetClient.ListLicensesAsync().ToListAsync() still return the old data.

The only way to get the API to return the updated data is to reload the /licenses/types page, which seems a bit inconvenient for API usage.

Maybe it would make sense to invalidate the cache on all modifying (Add/Delete/Update) license API calls?