RE: ProGet OData V2 API

Hi @stefan-seeland_4753 ,

I'm not totally sure what you mean by that... but to clarify, the API is technically called "NuGet API V2 (OData)" and it could be technically used by anything, but probably is just used by the NuGet client or a script/tool that someone wrote that uses it to query the feed.

There is no information available other than that, so you'd need to disable the feature on the feed (and therefore cause an error on the client) or use some kind of access monitoring tool to see where the query is coming from (IP address, etc).

Cheers,
Alana

Hi @jw ,

This will be fixed via PG-2739 in the next maintenance release (scheduled for Friday).

If you want to fix right away, you can download the .sql file that I attached to the linked issue above and run it against the database. Then the delete will work. Upgrading on top of the patch is fine, but if you downgrade then the patch code is overwrriten.

Cheers,
Alana

Hi @caterina ,

This issue looks very familiar, and I'm almost certain it's a bug we fixed/discovered while testing ProGet 2024 prior to release. Basically, the npm scope was not considered for vulnerability searches during build analysis.

This should not happen in ProGet 2024.

Thanks,
Alana

Hi @matt-wood_5559,

Our solution for Maven builds is to leverage CycloneDX to generate the SBOM, and then upload that SBOM to ProGet: https://docs.inedo.com/docs/proget-sca-java

We had considered reproducing the functionality, but the only way to get dependency information from a Maven project is to create a Maven plugin and "watch" the build as it happens --- and that's already what CycloneDX does very effectively.

If you can think of ways to make it easier to work with pgutil we're very open to that :)

Thanks,
Alana

Hi @matt-wood_5559,

I think I understand what you're asking - basically you'd like to create a feed when some users see one set of packages, but other users see a different set?

This is definitely not possible, and it's simply not something ProGet does from a design standpoint: i.e. "file-system type" granular permissions.

While it might seem convenient or nice to give users "just a single URL" to access, it ends up makes things much more complicated to configure/use/maintain. Basically some users will get random "package not found" errors while others will build fine. It'd be very confusing and big headache.

Instead, it's best to educate on different feeds/repositories, and help them use and request access as needed.

Hope that helps,

Alana

Hi @matt-wood_5559,

I might need a little more information / screenshots with what you're looking at here....

There could be a bug/oversight, etc. Perhps you could walk through steps / show screenshots of what you're seeing? If it's on maven central, we can then repro and take a look

Thanks,
Alana

Hi @matt-wood_5559,

A Maven package's license is determined by the license field in the POM:
https://maven.apache.org/pom.html#Licenses

There are unfortunately no real standards here, and the author can put in anything from a SPDX Code (which is recommended, by the way) to a string like "Apache license" (which probably means apache 2.0, but who knows?).

We would rather not guess what the author might have intended, so ProGet only detects licenses with SPDX codes and then lets you decide how assign which codes to other license types as you come across packages that don't follow SPDX.

However, once you start associating those strings with licenses, it will work for future packages.

Thanks,
Alana

Hi @matt-wood_5559 ,

You should be able to upload any file type. There is a drop down on the upload page, but that's for the popular types and is kind of an example. Typically the fies are uploaded via Maven/CLI anyway, and not the UI.

Thanks,
Alana

@forbzie22_0253 setting the proxy programmatically is not something we currently support or document at this time, but if you're dedicated you could use native API to the newly-developer settings API:
https://github.com/Inedo/pgutil/blob/thousand/pgutil/Settings/ListCommand.cs

It's configured via values in the Configuration table.

@francesco-campanella_3733 thanks for continuing to research this - we just haven't had a chance to look further. Did you try editing the feed settings (especially the Feed Features, which would save a new Feed Config), and then re-saving again? We will fix the bug, I would just like to be able to reproduce it so we know for sure what's causing it :)

@apxltd heard this from a user on the support forums today...

We also came across this issue: https://github.com/dotnet/SqlClient/issues/2378 which suggests it might have started with the recent 5.2.x versions of Microsoft.Data.SqlClient (I did confirm that this is the version Proget is using).

Maybe we can downgrade to 5.1 and see if it helps at all

Hi @jw ,

It's unlikely we will want to add/change this; what you're describing isn't a supported use case, and adding a "second URL" type field that would be empty on nearly every license would be confusing.

Our general recommendation for dealing with non-OSS licenses has been to create a code like DEVEXPRESS or ASPOSE, and treat them as all the others.

If there's more user demand for the particular use case we'll definitely reconsider. For now the licenses are confusing enough :)

Thanks,
Alana

Hi @jw ,

This is not possible; ProGet only stores this portion of the URL and uses that URL fragment for license detection. This is important, because then users won't have to specify every variation of a license URL that packages will present.

Thanks,
Alana

Hi @forbzie22_0253

When the license information is invalid, ProGet will give an error on most API URLS (I think a 400, but I'm not totally sure) and will redirect to license info on Web page URLS.

ProGet will attempt to auto-activate the license key if there is an activation problem; so that may delay the first request.

The bes tway to check for license validity is to visit or use the API, and if it fails with "invalid license" then you know it's invalid.

The /health Page should also display this I believe.

Thanks,
Alana

@forbzie22_0253 when you select "Use Windows Proxy Setting", then ProGet will use the proxy that's configured for the operating system. You can select/set this on the Proxy Settings page.

@francesco-campanella_3733 sorry not seeing the issue yet....one more column

Can you run this?

SELETE Feed_Id, FeedType_Name, FeedConfiguration_Xml FROM Feeds

Screenshot is okay, we can figure the XML from the post above if needed.

You can use Feed_Name instead of Feed_Id, it's up to you -- i want some kind of reference in case I want to ask you to try something in UI

Hi @francesco-campanella_3733 ,

Based on the error message, I'm thinking that one of the feeds has some kind of legacy/odd configuration, and that's causing an error in the API (which is why the library and pgutil aren't working either).

Without looking at your database, I think the easiest way to fix it is to go the Manage Feed page, and then edit/save Feed Features or NuGet settings.

If we saw the results of SELECT * FROM [Feeds], but in particular the FeedConfiguration_Xml column, we could be for sure

Thanks,
Alana

Hi @fabio-xodo_3872 ,

This is not captured in an output variable, but you can control which exit code means success or failure:

Exec MyProcess.exe
(
    SuccessExitCode: "> 0"
);

Another alternative is to write a PowerShell script that captures the output as a variable, if you need to do logic based on multiple codes.

We could always add support for capturing it as an output variable as well.

hope that helps,
Alana

Hi @sebastian,

I took a quick look, but its not a simple cherry-pick; this is a bug in the code that does policy analysis, and there were enough changes between ProGet 2023 and ProGet 2024 in that to make it a bit risky / time-consuming to bring over...

Thanks,
Alana

Just wanted to give a brief update to the issue from @mortenf_3736 that we discussed via the support ticket.

We were never able to get to the bottom of it, but it was entirely related to running on ACA.

Container Setup	VM Setup
Azure Container Apps - Running 4 minimum replicas, max 8 replicas, each 3 cores and 6gb memory	Two D4 (4 cores, 16GB memory) VM with internal load balancer in front between them
Mapped storage from Azure Storage Account v2 Fileshare	Managed Premium Shared Disk, connected to Fail-over Cluster and shared between both VM
Azure SQL Database with 4 cores dedicated	Azure SQL Database Server less, scaling between 0.5 to 4 cores

This doesn't seem to be related to Linux/Docker/Kubernetes, as we have several high-traffic users on Kubernetes clusters without issues like this. However, we have seen a handful of Azure-related problems over the years that manifested in ProGet:

• a bad hard drive that was constantly corrupting packages
• another had really slow disk I/O (one server out of a handful)
• we've seen a buggy storage driver cause some big impacts across some kind of storage configuration

So we believe the issue is the Azure platform itself, similar to the above hardware/software glitches we've uncovered over the past.

We're doing our best to research/identifying issues, and Inedo/ProGet Users aren't the only ones who are experiencing pain like this. Consider this report from a Azure "big data" user:

I have suffered from chronic socket exceptions in multiple Azure platforms - just as everyone else is describing. The main pattern I've noticed is that they happen within Microsoft's proprietary VNET components (private endpoints). They are particularly severe in multi-tenant environments where several customers can be hosted on the same hardware (or even in containers within the same VM.
The problems are related to bugs in Microsofts software-defined-networking components (SDN proxies like "private endpoints" or "managed private endpoints"). I will typically experience these SDN bugs in a large "wave" that impacts me for an hour and then goes away. The problems have been trending for the worse over the past year, and I've opened many tickets (Power BI, ADF, and Synapse Spark).

Other Azure users (who are much more technical than we are) have confirmed that there are indeed severe issues with their SDN infrastructure. Microsoft does appear to be aware of these endemic issues with their platform, and for the time being we simply cannot recommend using Azure's container services for anything that will have any kind of load.

Hope that gives some insight in case anyone stumbles across this thread.

Alana

Hi @forbzie22_0253

The error is incorrect; should say Required property missing: packagePermissions.

Since we don't document that one very well yet, I'd make sure it works with pgutil., and consider capturing traffic. Then, if you have an example we can post on the docs page, happy to add that to the docs.

Here is the client code as an FYI:
https://github.com/Inedo/pgutil/blob/thousand/pgutil/ApiKeys/Create/FeedCommand.cs

Thanks,
Alana

Hi @forbzie22_0253 ,

Some of this is discussed on some recently published docs, but let me summarize some key points.

In general, we recommend using pgutil for programmatic access to ProGet, but HTTP Endpoints may be more appropriate for working with structured data an advanced integration.

If you're using .NET/C#, you may find the Inedo.ProGet library helpful:
https://docs.inedo.com/docs/proget-reference-api#net-library-nuget-package

Overall, we are working towards aligning our HTTP Endpoints and developing new ones using a pgutil-first approach. This means we will prioritize the CLI experience by creating intuitive and self-documenting commands. Then we will use existing HTTP Endpoints and develop new ones to fit those commands.

Thanks,
Alana

Hi @parthu-reddy ,

ProGet 2024.7-rc.1 is now available for your testing/verification

Here is information on how to use it:
https://docs.inedo.com/docs/howto-install-prerelease-product-versions

Please let us know the results!

Hi @arkady-karasin_6391,

I'm afraid we don't have enough information to troubleshoot the problem. The use case you describe (using ProGet as an offline cache) is very common, so it might be some kind of misconfiguration on the npm side or something. I don't realy know.

I would check the npm logs, try to monitor http traffic, etc.

If you can "see" the package in ProGet as a Remote Package, and then download the package from the web page, then the npm client can do the same. The npm API cannot "see" whether it's a local, cached, or remote package, so the package is pulled regardless.

Best,
Alana

Hi @forbzie22_0253,

We don't document the specifics of the Native API, so I'm not sure. Your best bet is to study the underlying Stored Procedure and see what's going on there - that's something we do when needing to use the methods.

That said, this Native API methods have been removed in ProGet 2024 in favor of Create ApiKey:
https://docs.inedo.com/docs/proget-api-apikeys-create

Best,

Alana

Hi @forbzie22_0253 ,

If you're receiving a Manual Activation dialog, then it means ProGet cannot connect to our activation server. That is a requirement in ProGet Free, and it's not possible to work around.

I'm not sure what your use case is, but since you mentioned "several servers", I wanted to clarify that ProGet Free is restricted from connecting to another ProGet server. They basically need to be standalone and not part of the same system.

There is a ProGet Enterprise for Edge Computing Edition that has an activation-less model .

Thanks,
Alana

Hi @parthu-reddy ,

I created a new npm feed and had no problem downloading those package versions via npm.org.
As I mention, ProGet will not issue network errors, so it's definitely something else that's interfering. Hopefully you can find some information from Wireshark.

FYI - in the screenshot you're sharing, I see most of the requests are going to registry.npmjs.org, and not to your proget server.

Thanks,
Alana

Hi @parthu-reddy ,

Unfortunately this will be difficult to troubleshoot.

As the NPM error indicates, this error is related to network connectivity. I'm afraid that neither the npm client nor the ProGet server is able to troubleshoot network problems, so you'll need to use something like Wireshark or another traffic monitoring tool to discover why you're getting that error.

ProGet does not crash with a network-level errors like that, which means it's something else that's causing the error. Most likely it's a load-blancer, firewall, etc.

There is also no reason that package 1.3.1 version or 1.3.0 would fail to download - but if that's indeed what's happening, then it's likely related to whatever device is issuing the network error. I have no explanation for what that would be.

As for the Azure screenshot, it's showing a a 200 (success) message, which means that ProGet is not giving any kind of errors. At least not all the time.

Thanks,
Alana

Hi @parthu-reddy,

Basically you need to upgrade your npm client.

The underlying issue is that your npm code is attempting to use the now-deprecated "quick audit" API. Here is information about this api endpoint:
https://docs.npmjs.com/cli/v10/commands/npm-audit#quick-audit-endpoint

ProGet does not implement this deprecated endpoint and it's unlikely we ever will, since it's only used by old versions of the npm client.

Thanks,
Alana

Hi @edward-a-peng_7759 ,

There are no plans for a "generic" OCI Registry feed type. However, if you can help us understand what value this could add, we can consider building one.

A generic OCI registry seems to be like a "dumb" file system that's built around "dumb" cloud storage like S3, etc. What I mean, it's just files with no context. There is no real visibility into what's stored an OCI registry - it's just a place to store and access unnamed files via digests.

ProGet is a "smart" package and container system, and stores OCI-based container images (i.e. Docker images) in a Docker feed, and Helm charts in a Helm feed. There are so many advantages to this "smart" system vs a "dumb" registry:

• You can browse images and charts in the UI
• Charts and images are "linked" and you can see what charts reference which images
• You can see what packages are used by images
• Vulnerabilities are visible in charts, which packages/containers use, etc.
• You can track downloads and configure permissions and control access

A "dumb" file system obviously couldn't offer any of this - and is one of the reasons people prefer ProGet over ECR, ACR, GCR, etc.

So far as I can tell, it doesn't matter to client tools whether you use ProGet Feeds or a generic OCI registry -- everything works the same with regards to helm, docker, kubernetes, and other supported tools.

Are there any advantages to having Helm charts being stored or accessed in a different manner?

Thanks,
Alana

Hi @rick-kramer_9238,

You could do this via the API; it would involve first Querying Package Versions, and then for each version returned, Setting Package Status. I think it'd be a "relatively easy" script to write - so if you create one that can do it, please share :)

Hope that helps,
Alana

Hi @forbzie22_0253 ,

This refers to Delete Package, which was introduced in ProGet 2023:
https://docs.inedo.com/docs/proget-api-packages-delete

We don't really document/track what Native APIs change between releases, so I'm not really sure: https://docs.inedo.com/docs/proget-api-http#native-api-endpoints

You can do a comparison in the /api/reference page.

Thanks,
Alana

Hi @mortenf_3736 ,

I also mentioned this in your ticket, but the issue you're experiencing is a bit different. In Pawal's case, it's a different error message (both related to the database) and it was happening in ProGet 2023 and ProGet 2024 (yours happened only after upgrade). In addition, his error was happening randomly (high/low traffic), whereas yours seems to be high traffic.

You're also running on ACA and use auto-scaling, and seem to have a very high occurrence of container stop/starts. Anyway, we will continue to troubleshoot your issue in that ticket.

Thanks,
Alana

Hi @philippe-camelio_3885 ,

I looked at this one more closely, and it's behaving as expected.

"any error" means AgentError, CollectionError, or RemediationError. There are many other statuses, and the page doesn't filter on all of them (including NoRoles or Unknown).

The status scenario is complex

If you are curious to the logic

string getStatus()
{
    if (!server.Active_Indicator)
        return Disabled;
    
    if (server.HasNullAgent())
        return Unknown;
    if (!server.HasLocalAgent())
    {
        if (server.AgentStatus_Code == Domains.AgentStatusCode.Error)
            return AgentError;
        if (server.AgentStatus_Code == Domains.AgentStatusCode.Updating)
            return AgentUpdating;
        if (server.AgentStatus_Code == Domains.AgentStatusCode.Unknown)
            return Unknown;
    }

    if (server.RoutineConfigurationUsage_Code == Domains.ServerRoutineConfigurationUsage.None)
        return NoCollection;
    if (!server.HasRoles_Indicator)
        return NoRoles;
    if (server.LatestCollection_Execution_Id == null)
        return Unknown;
    if (server.LatestCollection_ExecutionRunState_Code == Domains.ExecutionRunState.Executing)
        return Collecting;
    if (server.LatestCollection_ExecutionStatus_Code == Domains.ExecutionStatus.Error)
        return CollectionError;

    if (server.LatestRemediation_ExecutionRunState_Code == Domains.ExecutionRunState.Executing)
        return Collecting;
    if (server.PendingRemediation_Indicator)
        return PendingRemediation;
    if (server.LatestRemediation_ExecutionStatus_Code == Domains.ExecutionStatus.Error)
        return RemediationError;

    if (server.ConfigurationState_Code == Domains.ConfigurationState.Current)
        return Current;

    if (server.ConfigurationState_Code == Domains.ConfigurationState.Drifted)
        return Drifted;

    return Unknown;
}

Of course it could be improved, but perhaps another day

Best,
Alana

Hi @philippe-camelio_3885 ,

FYI - I was able to reproduce and fix this, at least the resource resolution portion.

Unfortunately you will still need to have a variable named $Commit and $Repository, but that's a much more complex problem to solve....

This works:

set $Commit = gitlab-vishab;
set $Repository = mast;
Git::Checkout-Code;

Or you could also just set a system-scoped vairalbe with the same name.

This will go in next maintennce release of Otter, which is scheduled May 31, but we can make a pre-release if you'd like.

@philippe-camelio_3885 thanks! We were looking at BuildMaster. It looks like the issue is in Otter after all. We'll get it fixed via OT-509 soon!

Hi @forbzie22_0253 ,

This is not supported for ProGet Free edition at this time; but as long as ProGet is connected to the internet, it will auto-activate.

Thanks,
Alana

Hi @Darren-Gipson_6156 ,

That's great you were able to find the code to change, at least to help find more information. Since you've got that far, I would recommend just bundling it as a zip file and adding the extension to ProGet to try it out:
https://docs.inedo.com/docs/proget-administration-extensions

Let us know if you run into any issues with that; that will probably amke it easiest to iterate, so you don't have to wait for us to build pre-release extensions .

Thanks,
Alana

Hi @pawel-ostrowski_5669 ,

Unfortunately this is going to be tricky to troubleshoot, but in general a timeout will occur because SQL Server is taking too long to respond to a query. This typically related to query performance, but it can also be caused by network issues.

Looking at the stack traces you shared, these are very basic, highly performative queries that would instantly return a single row. There is nothing that should be slowing down those queries, which means could probably rule out query performance.

The fact that the timeouts occur randomly, during heavy and lighter load is also an indicator that it's probably not performance related, and a sign of network issues.

And finally, the fact that you profiled and didn't see any problems is a good sign this is not performance related. That's my current thinking at least.

Otherwise, I'm not familiar with "Attention" events. That must be something done internally by the driver? The SQL Server docs says this:

The Attention event class indicates that an attention event, such as cancel, client-interrupt requests, or broken client connections, has occurred. Cancel operations can also be seen as part of implementing data access driver time-outs.

I'm not sure what that means to be honest, but I found this article that might be of use:
https://www.red-gate.com/simple-talk/blogs/identifying-client-timeouts/

I think this would be worth getting Microsoft's SQL Server team involved, because we really don't know where to go form here, and they would have more experience troubleshooting this (especially if it's network-related) than we do.

Thanks,
Alana

Hi @jw ,

You are technically correct. In retrospect, it's not a perfect design.

However, this behavior is based on most user perception/desire. "Noncompliant / Inconclusive / Error" are all considered "Red" conditions (i.e. bad/blocked, etc.), and to the user they are basically the same thing. "Warn" is a "Yellow" condition (i.e. caution).

A package that would only become "Yellow" if a rule is violated shouldn't turn "Red" if that rule can't be evaluated. So that's why it's Warn.

This addresses one of the major complaints about the "missing packages" problem in ProGet 2023, and the "Red" packages in the ProGet 2024 preview feature.

Thanks,
Alana

Hi @Darren-Gipson_6156 ,

The Netbios mapping is used to convert a username from DOMAIN\username to username@domain.com . You can see how it works in the code here:
https://github.com/Inedo/inedox-inedocore/blob/master/InedoCore/InedoExtension/UserDirectories/ADUserDirectoryV4.cs#L228

I'm not sure if that helps. But before getting integrated authentication working, I would make sure you can login username@company.com and your domain password. Once you can do that, then adding WIA will basically just bypass the password check, but you may need to convert that DOMAIN to company.com

Alana

Hi @Darren-Gipson_6156 ,

This error means that the username being passed from Windows (e.g. MYDOMAIN\jdoe) cannot be found on the domain.

This can mean that the netbios alias domain mapping is incorrect (e.g. MYDOMAIN) or that there are some other issues locating the user in the configured directory. Your best bet is to "play around" with searching and settings under the Advanced settings tab of the Directory (under Admin > Security > edit)

Note you can also try searching for users on that page as well, using the multi-button link in the top-right corner of the page.

In addition, you can see the information about the user by navigating to /debug/integrated-auth, and that might give some kind of clue where to start.

Hope that helps point you in the right direction,

Alana

@jw thanks for the detailed research, this definitely is wrong. We should log the package (I think that was there at one point), but also this should be inconclusive.

We'll get this fixed via PG-2676 in an upcoming maintenance release, hopefully this Friday's or the following :)

Hi @daniel-scati ,

Thanks for sharing this; Debian packages are a "little weird" in they require that qualifier, and it'd be nice if it was a little more intuitive. I wonder if there's an additional qualifier required?

We'd really like to improve the experience. What does this Package look like in the ProGet UI? Can you use the Common Package API to find what information is returned in the purl of the package, when you list it?

Thanks,
Alana

Hi @rick-kramer_9238 ,

You should avoid the OData V2 API; it's been deprecated for many years, it's very slow/bulky, and it will likely have bugs in NuGet client, etc.

If you're getting those warnings, some user/script is making queries that are unsupported by nuget.org.

Cheers,
Alana

Hi @am-infrastruktur_3111 ,

Chocolatey packages are scanned for viruses, so you will see those pop up. For example, pathdebug 0.3.4 should show up in ProGet's vulnerability system:
https://security.inedo.com/vulnerability/details/PGV-2420934

Otherwise, there is unfortunately no standardized/consistent naming for Windows software (unlike APK, APT, RPM, etc), so there's no way to associate a vulnerability report like CVE-2024-21392 with a software package.

In this case, Microsoft calls the effected software ".NET 8.0", not .NET or dotnet, etc. In Other reports, they call it ".NET8", etc.

And you can see that it translates a little weird n the CVE report as well:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21392

".NET 8.0 affected from 1.0.0 before 8.0.3 " - weird, right?

This is a known issue in the industry for many years, and it would need to be address by Microsoft first. It's sadly not on their priority list.

Best,
Alana

Hi @rick-kramer_9238,

In all cases, you'll need to configure ProGet to listen to a certain URL; this basically involves editing the ProGet configuration file, which the web page will do for you (or you can edit yourself).

If you're going to do port sharing (i.e. have multiple applications on the server listen/respond
on port 443 for example), the you also need register the URL and certificate with Windows using the netssh commands.

If you're not doing port sharing (i.e. ProGet is only application listening on 443) then no need to use netsh.

Hope that helps,
Alana

Hi @jw ,

Thanks for the update, that sounds like a decent work-around for the time being. It will likely be a while before we can develop something more generalized.

I'm curious if you looked at any of the audit endpoints/commands in pgutil yet? That's kind of the direction we're thinking it will make sense to go - basically pgutil packages audit --package=myGroup/myPackage --version=1.2.3

I don't know what the HTTP Endpoint is offhand, but that does make sense to add something to PackageInfo, since we have it in the database already pretty easily. We could display a complianceStatus (Compliant, Warn, Noncompliant, Inconclusive, Error) and a complianceDetail string - that's what we have in the database. I think properties are easier to work with than objects... what do you think?

As for Download Package behavior -- we do intend to get the Common Packages API to work with connectors. That involves a lot of refactoring that just didn't make it in ProGet 2024 (only PyPi and Apk were refactored).

Cheers,
Alana

Thanks so much @jw! We'll get these fixed in an upcoming maintenance release via PG-2651

Looks like we forgot to add these after applying permissions on top., and the way our security review works, it prioritizes making sure the pages are secure (versus links), so it's easy to miss.

Anyway we'll try to add that to our new feature checklist... easy to forget to do since we check permissions on the page itself, not on where we link to the page.

@daniel-scati great work finding that :)

The Feed Description is written in the Release Index, and the Debian "Stanza" format is kind of weird like that.

However, newlines should already be replaced...

var desc = FeedCache.GetFeed(this.feedId)?.Feed_Description;
if (!string.IsNullOrWhiteSpace(desc))
    writer.WriteLine($"Description: {desc.ReplaceLineEndings("\n ")}");

A blank line with a space isn't supposed to create a new "stanza", but maybe it is in your version?? We'll look closer; perhaps we should just strip the newline altogether and replace it with a space.

Cheers,
Alana