Hi @am-infrastruktur_3111 ,
Chocolatey packages are scanned for viruses, so you will see those pop up. For example, pathdebug 0.3.4 should show up in ProGet's vulnerability system:
https://security.inedo.com/vulnerability/details/PGV-2420934
Otherwise, there is unfortunately no standardized/consistent naming for Windows software (unlike APK, APT, RPM, etc), so there's no way to associate a vulnerability report like CVE-2024-21392 with a software package.
In this case, Microsoft calls the affected software ".NET 8.0", not .NET or dotnet, etc. In other reports, they call it ".NET8", etc.
And you can see that it translates a little weird in the CVE report as well:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21392
".NET 8.0 affected from 1.0.0 before 8.0.3 " - weird, right?
This is a known issue in the industry for many years, and it would need to be addressed by Microsoft first. It's sadly not on their priority list.
Best,
Alana
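As an added illustration of the two problems the reply describes (the "affected from X before Y" range wording and the inconsistent product names), here is a small Python example that is not part of the original thread and not Inedo or ProGet code. It parses the quoted MSRC phrase into a version range, checks an installed version against it, and applies a deliberately simple, hypothetical `product_family` heuristic to the three spellings mentioned above. The heuristic is an assumption for demonstration only: it folds ".NET 8.0", ".NET8" and "dotnet" to one key, but it would also merge products whose version is part of the name, which is exactly why there is no general fix without a standardized naming scheme.

```python
import re

# Pattern for the MSRC-style wording quoted in the reply: "affected from X before Y".
AFFECTED_RE = re.compile(
    r"affected from\s+([0-9][0-9.]*)\s+before\s+([0-9][0-9.]*)", re.IGNORECASE
)


def parse_version(text):
    """Turn '8.0.3' into (8, 0, 3). Pre-release suffixes are out of scope here."""
    return tuple(int(part) for part in text.strip().split("."))


def compare_versions(a, b):
    """Compare two version tuples; the shorter one is zero-padded so 8.0 == 8.0.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_affected_phrase(phrase):
    """Return ('1.0.0', '8.0.3') from 'affected from 1.0.0 before 8.0.3', or None."""
    m = AFFECTED_RE.search(phrase)
    return (m.group(1), m.group(2)) if m else None


def is_affected(installed, phrase):
    """True when installed >= start and installed < end (inclusive start, exclusive end)."""
    rng = parse_affected_phrase(phrase)
    if rng is None:
        raise ValueError("no 'affected from X before Y' range found in: %r" % phrase)
    start, end = (parse_version(v) for v in rng)
    v = parse_version(installed)
    return compare_versions(v, start) >= 0 and compare_versions(v, end) < 0


def product_family(name):
    """Hypothetical heuristic (assumption, not a standard): lower-case, fold 'dotnet'
    to '.net', drop punctuation and whitespace, then strip a trailing version number."""
    n = name.lower().strip().replace("dotnet", ".net")
    n = re.sub(r"[^a-z0-9]", "", n)   # ".net 8.0" -> "net80"
    n = re.sub(r"\d+$", "", n)        # "net80"    -> "net"
    return n


if __name__ == "__main__":
    # Wording quoted from the MSRC page linked in the reply.
    phrase = '.NET 8.0 affected from 1.0.0 before 8.0.3 '
    for v in ("8.0.2", "8.0.3", "0.9"):
        print(v, "affected" if is_affected(v, phrase) else "not affected")
    # The three spellings from the reply collapse to one key only under the heuristic.
    print({n: product_family(n) for n in (".NET 8.0", ".NET8", "dotnet")})
```

Run it and you get 8.0.2 flagged, 8.0.3 and 0.9 not flagged, and all three product spellings mapped to "net". The range logic is sound on its own; the naming step is the fragile part, which matches the point of the reply.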