    w.repinski_1472 (@w.repinski_1472)

    Reputation: 0 | Posts: 10 | Profile views: 1 | Followers: 0 | Following: 0
    Location: Poland

    Best posts made by w.repinski_1472

    This user hasn't posted anything yet.

    Latest posts made by w.repinski_1472

    • RE: ProGet and MSSQL license

      Hello,

      The answer is not completely satisfactory for me.

      I assume that it is as you wrote on the forum, and my concerns result only from the lack of information about how you communicate with MSSQL and what exactly you store in it.

      I need to understand all this in more detail; I have many questions from my business.

      We plan for ProGet to become a mirror for thousands of packages; we use RPM, DEB, Docker, Universal, npm and NuGet. There will definitely be fewer of our own packages, and we will work on them (about 300 packages, each with multiple release versions), mainly Docker/Universal, and here there will be a lot of activity related to CI/CD pipelines (Jenkins). We build several versions of packages a day, mainly for testing. Periodically (once a month) there are releases (a group of about 50 packages). We need all statistical information for our packages, preferably for a period of 2-3 years. In terms of mirrored packages, we are only interested in information about security vulnerabilities and where they are further used.

      In your information you state that network connections are the bottleneck. I don't understand this completely in times when we have 100G network cards; maybe I don't understand the scale on which ProGet is used in other companies.

      I would rather point out the performance limitations of MSSQL Express due to the supported number of CPU cores and RAM. (I assume that the number of connections is not an issue due to the use of pool connections).

      Can you explain this to me in more detail?

      posted in Support
    • ProGet and MSSQL license

      Hello,

      I am interested in the situations in which MSSQL Express is not enough for ProGet Basic (without Otter and BuildMaster) and a different license is needed (CPU/memory/disk requirements).

      With how many feeds and packages did you have to abandon MSSQL Express and choose a more complete database licensing model?

      Please share your cases.

      posted in Support
    • RE: Problem with Vulnerabilities in docker with Clair

      @rhessinger said in Problem with Vulnerabilities in docker with Clair:

      You can see extension updates by navigating to Administration > Extensions and then an information block at the top of the page will display that there are extension updates. For the actual changes that were made in the 2.0.1 version of the Clair extension, you can view the 2.0.1 milestone in GitHub for our Clair extension

      And how will I know that I have to go to the extension menu to update the extension?
      Can ProGet send an email to the "administrator" or display a notification on the main screen like it does when updating ProGet itself?

      posted in Support
    • RE: Problem with Vulnerabilities in docker with Clair

      @rhessinger said in Problem with Vulnerabilities in docker with Clair:

      Can you please ensure that your Clair extension is updated to 2.0.1 as well? Some of the fixes required changes to the Clair extension directly. The two issues that were fixed in the extensions:

      A separate API call is needed to get the CVSS score
      Duplicate vulnerabilities were being returned by Clair

      Looking at your screenshots, it seems those issues will be fixed with an extension update.
      Thanks,
      Rich

      Thanks for the info, I'm checking.
      How can I make the information about a new extension update more visible?

      posted in Support
    • RE: Problem with Vulnerabilities in docker with Clair

      I upgraded to version 2023.14 (build 17).

      1. Automatic vulnerability assignment (score/severity) still doesn't work.

      (screenshot: Zrzut_Ekranu_2023-08-07_14-29_54.png)

      2. Still no information in the Score column.
         (screenshot: Zrzut_Ekranu_2023-08-07_14-34_14.png)
         Wouldn't it be better if this column were named Score/Severity?

      3. After some time of operation (several manual scans, changes in the repository, new packages) I get this error.

      (screenshot: Zrzut_Ekranu_2023-08-07_14-01_02.png)

      posted in Support
    • RE: Problem with Vulnerabilities in docker with Clair

      Hello,

      In terms of the Clair error, the indication is "start using Clair v4", and that one is not supported by your software... Maybe it would be possible to install an optional plugin for Clair v4, separate from the v2 one? Has it already achieved the appropriate stability, of the program itself as well as of the API?

      I will wait for corrections on other topics...

      posted in Support
    • RE: Problem with Vulnerabilities in docker with Clair
      1. I think that the problem concerns discrepancies in the assessment: some solutions are assessed in points, and then it is defined in words (Low/Medium/High/Critical etc.).
         I noticed that when scanning containers you get verbal information (Severity) and therefore it is not properly mapped.
         In my DevSecOps experience, score presentation is not the most important thing; labels are important.
      2. Can you expand the Overview to display the Assessment tag information in a new column? Maybe it's worth asking an external CVE database for the actual Score for the Docker entry? Or maybe, within the existing ProGet solution, maintain such a mapping of the CVE number to Score?

      3. Thanks for the clarification about Clair. It's logical but hard to figure out.
         However, I'm not entirely sure if it works as you describe.
         I will check and come back with a separate post. It seems to me that we also have the same entry for some resources that are a set of files, e.g. an Alpine image.

      4. Handmade assessments are visible, but...
         Additional problem: manually set assessment.
         As you can see in the image, I have duplicated vulnerabilities for the same image, and even the same CVE ID is listed once with a marked assessment and a second time as unassessed.
         This seems to be a mistake from the point of view of business logic. If I mark any specific CVE in the assessment as, for example, Critical, it should appear as Critical everywhere. Possibly a checkbox to tick.

      (screenshot: Zrzut_Ekranu_2023-08-02_09-21_00.png)

      posted in Support
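The post above turns on two things that a scanner integration has to get right: a numeric CVSS score and a verbal severity must land on the same label set, and the same CVE reported twice for one image must collapse to one entry with one severity and one assessment. The following is an added example of that normalization (not code from ProGet, Clair, or the poster). The CVSS bands are the published CVSS v3.x qualitative ranges; the verbal severities are the strings Clair v2 emits (Unknown, Negligible, Low, Medium, High, Critical, Defcon1). Treating Negligible as Low, the field names on `Finding`, and the sample findings are assumptions made for the example.

```python
"""Normalize container-scan findings: score -> label, verbal severity -> label,
and one entry per CVE (highest severity wins, manual assessment carried over).

Constructed sample data below; not ProGet or Clair output.
"""
from dataclasses import dataclass
from typing import Optional

# CVSS v3.x qualitative severity ranges as published by FIRST/NVD.
CVSS_BANDS = (
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
)

# Verbal severities used by Clair v2, mapped onto the same label set so that
# score-based and label-based findings are comparable.
CLAIR_V2_SEVERITY = {
    "Unknown": "Unknown",
    "Negligible": "Low",    # assumption for this example: Negligible ~ Low
    "Low": "Low",
    "Medium": "Medium",
    "High": "High",
    "Critical": "Critical",
    "Defcon1": "Critical",
}

# Ordering used when two reports of the same CVE disagree.
RANK = {"Unknown": 0, "None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def severity_from_score(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    score = round(score, 1)  # CVSS scores carry one decimal; bands are exhaustive at that precision
    for lo, hi, label in CVSS_BANDS:
        if lo <= score <= hi:
            return label
    raise AssertionError("unreachable: bands cover 0.0..10.0")


@dataclass
class Finding:
    """One scanner result for one image (field names are this example's, not ProGet's)."""
    cve: str
    score: Optional[float] = None      # numeric CVSS, if the scanner returned one
    severity: Optional[str] = None     # verbal severity, if the scanner returned one
    assessment: Optional[str] = None   # manual assessment a user attached, if any


def normalize(f: Finding) -> str:
    """Prefer the numeric score; fall back to the scanner's verbal severity."""
    if f.score is not None:
        return severity_from_score(f.score)
    if f.severity is not None:
        if f.severity not in CLAIR_V2_SEVERITY:
            raise ValueError(f"unknown verbal severity {f.severity!r} for {f.cve}")
        return CLAIR_V2_SEVERITY[f.severity]
    return "Unknown"


def dedupe(findings):
    """Collapse duplicates per CVE: highest normalized severity wins, and a manual
    assessment set on any duplicate is carried to the surviving entry."""
    merged = {}
    for f in findings:
        label = normalize(f)
        cur = merged.get(f.cve)
        if cur is None:
            merged[f.cve] = {"cve": f.cve, "severity": label, "assessment": f.assessment}
            continue
        if RANK[label] > RANK[cur["severity"]]:
            cur["severity"] = label
        if cur["assessment"] is None and f.assessment is not None:
            cur["assessment"] = f.assessment
    return sorted(merged.values(), key=lambda e: -RANK[e["severity"]])


# Constructed sample: one CVE reported twice (score once, verbal label once, assessed once),
# one verbal-only, one score-only, one with neither.
SAMPLE = [
    Finding("CVE-2023-0001", score=9.8),
    Finding("CVE-2023-0001", severity="High", assessment="Critical"),
    Finding("CVE-2023-0002", severity="Negligible"),
    Finding("CVE-2023-0003", score=6.9),
    Finding("CVE-2023-0004"),
]

if __name__ == "__main__":
    for entry in dedupe(SAMPLE):
        print(entry)
```

Two details matter in practice: a band boundary is inclusive on both ends after rounding to one decimal, so 6.9 is Medium and 7.0 is High; and a finding with neither score nor label stays Unknown rather than being silently dropped or promoted, which is the kind of row that otherwise appears in a Score column as blank.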
    • RE: Proposal - add Trivy support in server mode

      @atripp
      The Clair v2 implementation is definitely not enough for these times; in a real business model it is required to scan for vulnerabilities with more than one solution.

      When will it be possible to test the described functionality for version 2024?

      posted in Support
    • Proposal - add Trivy support in server mode

      As a future user of the paid version, I am interested in using the vulnerability scan provided by the Trivy solution in client/server mode.

      https://aquasecurity.github.io/trivy/v0.44/docs/references/configuration/cli/trivy_server/

      posted in Support
    • Problem with Vulnerabilities in docker with Clair

      I have a problem with handling and categorizing (score/assessment/severity) vulnerabilities in feeds with containers.

      Despite the set thresholds for assessment, it does not work.

      (screenshot: Zrzut_Ekranu_2023-08-01_15-30_44.png)

      (screenshot: Zrzut_Ekranu_2023-08-01_15-31_20.png)

      (screenshot: Zrzut_Ekranu_2023-08-01_15-32_15.png)

      Tested with Clair 2.1.2, 2.1.7, and currently 2.1.8.
      ProGet versions 2022.26 and 2023.13.
      Docker Compose ecosystem.

      The expectation is to automatically assign the behavior and color label depending on the score levels.

      Additionally, Clair seems to have issues with some blobs.

      (screenshot: Zrzut_Ekranu_2023-08-01_08-15_56.png)

      posted in Support