Navigation

    Inedo Community Forums

    Forums
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    1. Home
    2. daniel.lundqvist_1790
    D
    • Profile
    • Following
    • Followers
    • Topics
    • Posts
    • Best
    • Groups

    daniel.lundqvist_1790

    @daniel.lundqvist_1790

    0
    Reputation
    3
    Posts
    1
    Profile views
    0
    Followers
    0
    Following
    Joined Last Online
    daniel.lundqvist_1790 Follow

    Best posts made by daniel.lundqvist_1790

    This user hasn't posted anything yet.

    Latest posts made by daniel.lundqvist_1790

    • RE: Projects, builds and SCA.

      Hi again,

      It seems I can only request trial for Basic Edition. I would like to verify a few things that only exist in Enterprise Edition. How could I request and extension of that?

      Thanks in advance,
      Daniel

      posted in Support
      D
      daniel.lundqvist_1790
    • RE: Projects, builds and SCA.

      Hi,

      Thanks for your response. And apologies for my delayed response, I got sidetracked with things for a while.

      That Builds are tied to SBOM and only to other packages indirectly was the missing link for my understanding. Thanks.

      Besides proxying public repositories for Debian, CentOS, npm and maven we want to have one authoritative place that knows what builds/releases are made up of, and potentially download them from. This is where feeds/connectors and SBOM/SCA come in. I believe feeds/connectors will work fine, I still have some more tests to do there.

      For the products I'm working with I don't think pgutil scan will work out of the box. We would be fine with finding solutions to create/manage SBOM ourselves, if it means we can still use the rest of the functionality.

      Regarding which problems we're trying to solve:

      • One place where we pull packages/dependencies from (possibly curated).
      • One place which is the source what a build/release is (possibly given a SBOM)
      • Fulfill current and coming legislations when it comes to software security and supply chain risk management.

      Given my new understanding on how ProGet operates I believe it would work for us, but there are still a few thing I would to verify. Our trial license expire while I was tied up with other things, would it be possible to get an extension to that?

      posted in Support
      D
      daniel.lundqvist_1790
    • Projects, builds and SCA.

      Hi,

      I'm currently evaluating ProGet and have some questions.

      1. The product I'm working with does not generate packages as such during its build. Rather various archives that contain installation scripts or add-on products that are managed by the base product. I suppose these would be Assets in your terminology. From my understanding Builds can only contain proper packages? And not Assets?

      2. Given above I suppose we could package our artifacts as Universal Packages. I've done that for one artifact but it's not clear how I can add that package to a build. I tried using the web UI but I don't know what "purl" is supposed to look like. Do you have any information about that?

      3. If Universal Package is the way to go, how can I add that during the build with "pgutil"? It seems "pgutil" can only scan for dependencies, and can't see how it would pickup our Universal Packages.

      4. Would SCA be able to scan our Universal Package? It's an archive containing RPMs (among other files) that is to be installed on a server.

      5. From our Universal Package can ProGet detect/correlate dependencies from feeds/connectors?

      Thanks in advance.

      posted in Support
      D
      daniel.lundqvist_1790