Navigation

    Inedo Community Forums

    Forums
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    1. Home
    2. _moep_
    3. Posts
    _
    • Profile
    • Following
    • Followers
    • Topics
    • Posts
    • Best
    • Groups

    Posts made by _moep_

    • ProGet SBOM Scan Not Creating Vulnerability Issues for NPM Packages

      Hello ProGet Community,

      I'm testing ProGet 25.0.13 with npm feeds and SBOM scans using pgutil. My goal is to trigger "Build Issues Detected" webhooks when vulnerable npm packages are detected.

      Setup:

      • Docker-based ProGet instance, running on localhost:8888
      • Custom npm feed (npm-test) + npm proxy feed (npm-proxy) pointing to registry.npmjs.org
      • pgutil installed locally, scanning project vuln-demo
      • Vulnerable npm packages like qs@0.6.6 included
      services:
  proget:
    image: proget.inedo.com/productimages/inedo/proget:25.0.13
    container_name: proget
    restart: unless-stopped
    ports:
      - "8888:80"
    volumes:
      - proget_packages:/var/proget/packages
      - proget_database:/var/proget/database
      - proget_backups:/var/proget/backups

volumes:
  proget_packages:
  proget_database:
  proget_backups:

      Steps I took:

      1. Created npm-test feed and published local demo packages.
      2. Initialized npm project with vulnerable package(s):
        npm init -y
npm install qs@0.6.6 lodash@4.17.23 minimist@0.0.8
      3. Ran SBOM scan and audit via:
      pgutil builds scan --source=local-api --input=package-lock.json --project-name="vuln demo" --version=1.0.0
      1. Build shows in ProGet, SBOM published, audit runs, but no vulnerabilities are detected.
      2. Promoted build to "Test" stage.

      Problem:

      Even packages known to be vulnerable (e.g., qs@0.6.6) do not produce any vulnerability issues.
      As a result, the “Issues Opened on Build” webhook never fires, so my FastAPI integration never receives events.

      Proxy feed exists, connector is unfiltered, but ProGet reports:

      No Remote Metadata Provider was found for "pkg:npm/qs@0.6.6"
      Audit/compliance logs: Warn, but Vulnerabilities: None.

      Question:

      How can I get ProGet to correctly identify vulnerabilities in npm packages from my SBOM scans?
      Do I need additional metadata providers, connectors, or configuration for npm feeds to ensure that vulnerable packages trigger issues?

      Thank you in advance for any guidance or configuration examples!

      posted in Support
      _
      _moep_
    • 1 / 1