Import SBOM

Hi,
I'm trying to use the examples for importing an SBOM file but I'm having an issue with security. The command comes from the example at https://docs.inedo.com/docs/proget-api-sca-sbom-import. The following command is being run from powershell.

curl -X POST -H "X-ApiKey: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" -H "Content-Type: application/json; charset=UTF-8" -d "@C:\wrkdir\SBOMTest.txt" https://XXXXXX.example.com/api/sca/import

I keep getting the following results but no matter the APIKey I keep getting the error...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>

I've also used "Invoke-RestMethod" but get the same results. Any ideas?

Thank you,
Paul

That is kind of the process we are looking at but that would mean the developers would update their nuget.config file to access the unapproved feed which would fail on the build server because it can't access that feed. This would lead to there being 2 nuget.config file in use. One for the developers and one for the build server. I'm not sure if you can proxy 2 feeds with one additional feed and that feed would show only the packages available for that user instead of throwing an error if it can't be authorized on one of the feeds.

Thank you,
Paul

Yes, that is what I have setup but the problem is that it seems I will have to have two different build processes. One for the developers on their machines and one for the build server. I am trying to do this without having this situation and am trying to find a way to make this work. Do you have any suggestions.

Thank you,
Paul

Hi,
Looking at the example code located here.
https://docs.inedo.com/docs/proget-sca-ci?_gl=15b25fn_gaMTM0MDMzMTcyOS4xNzA2MTI0NDgx_ga_FNLRKW6N8G*MTcxNTI2MTE5Ni4yMC4xLjE3MTUyNjE2NjIuNjAuMC4w
I am unable to get the pgutil to work within the yaml pipeline. I have used both, the Powershell version and yaml script commands but I get the same error. The following is from the Powershell code.

---

Tool 'pgutil' was reinstalled with the stable version (version '1.0.0').
Could not execute because the specified command or file was not found.
Possible reasons for this include:

• You misspelled a built-in dotnet command.
• You intended to execute a .NET program, but dotnet-pgutil does not exist.
• You intended to run a global tool, but a dotnet-prefixed executable with this name could not be found on the PATH.

---

Any help on getting this work would be great.

Thank you,
Paul

Hi,
I've setup a two tier Nuget feed where feed "A" has a connector setup to Nuget.org and feed "B" is where I promote packages from feed "A". Developers have access to both A and B but the build server only has access to"B". The developers use a Nuget.config in their solution to control where nuget packages come from. The file is part of source control and is used by both the developers and the build server. The problem I have is that the Nuget restore task on the build server fails because it can't access feed "A". To fix this I either need the Nuget restore task to ignore errors which means it will also ignore not finding package errors, so this is not optimum. The other option is to have a different Nuget.config for the build server and another one for the develops. Also not the best solution. This is using AzureDevOps on prem yaml pipelines. Is there a way for this to work or maybe a different setup is needed. Any input would be appreciated.

Thank you,
Paul