RE: SPDX license expressions

Thanks @sebastian !! Your RegExFu is impressive

Definitely more robust - so I replaced it, and now we will match that "silly" test case of ((a) OR (b))

Hi @martin-noack_4528 ,

Nice points :)

We added this to our ProGet 2023 roadmap as a "Nice to Have"; we're a little behind on the release now so I don't know if it will make it, but we will reevaluate after 2023.0 is released at that point.

Cheers,
Alana

Hi @sebastian

Just an update; this was committed to the PG2023 code base, and seems to work on a few packages I tried (but I can't find too many).

Basically we just will enumerate the code matches in this Regex: ^\(?(( OR )?(?<code>[0-z-_\.]*))+\)?$

That will catch (a OR b) and a OR b, but if one were to be silly and add ((a) OR (b)) then it would revert back.

Doesn't seem worth getting any more complex than that :)

Hi @js-enthoven_2797,

Unfortunately I'm not very familiar with debugging apt :(

The only one I was familiar with was the InRelease-related error, which you worked around.

Otherwise, I haven't seen these before, but they seem to be warnings, so maybe it's okay and is working? It does say "All packages are up to date".

I don't really know what they mean, or if it's related to ProGet, apt configuration, or the package I searched for the text of these errors ("No Hash entry in Release file"), and there are a lot of suggestions on what to do... they are all different, and I have no idea what might work.

The "Connection timed out" is really strange too. Maybe it's related to proxy, or something? A blank page is to be expected if you have no packages in that scope; otherwise you will see a number of "Paragraphs", one for each package.

Cheers,
Alana

Hi @js-enthoven_2797 ,

This issue is unrelated to internet access or whitelisted URLS.

This is the error message you will get from apt if a private repository does not support the InRelease API endpoint. ProGet does not support this endoint, so you will get this error.

Here is some information about how to bypass this warning in apt:
https://www.linuxfordevices.com/tutorials/linux/fix-updating-from-such-a-repository-cant-be-done-securely-error

Basically you have to explicitly trust the PRoGet repository.

Please let us know if that works,

Alana

Hi @js-enthoven_2797,

I'm not totally certain, but I believe this is the result of the InRelease endpoint (i.e. the clear-signed index) is not being implemented by ProGet.

You can ignore the "weak security information" message, and configure apt to use this repository. If you're using HTTPS, the clear-signed index adds no additional security; it's a vestigial feature these days, and is was designed for when HTTPS wasn't available. You can ignore/override those warnings.

We may implement the InRelease endpoint, but there are some problems/bugs with the way BouncyCastle (the encryption library we use) generates "armored output streams". It's a lot of effort for no real value (other than just not having those outdated errors by default).

Cheers,
Alana

Hi @v-makkenze_6348 ,

I can see that you're using the OSS Index? Did you also add PGVC as a source?

I didn't review or try to reproduce this particular case yet... but we have seen this "duplicate data" problem happen from time to time with OSS Index. It's a data-quality issue; ProGet maintains an "external ID", and sometimes OSS Index will report duplicate

ProGet will display the External ID when you click on the vulnerability; that should be unique.

However, based on the description... I wonder if that's the case here? Does this seem to happen with cached packages only, as they've been removed? Any other insight you could provide would be very helpful, so we can investigate this further.

Cheers,
Alana

So sorry @msimkin_1572 , I just double checked.. the Endpoint URL should be formatted like v3/index.json not index.json.

http://my-internal-server/nuget/InternalLibs/v3/index.json

It "looked" right when I typed it, but I should have double checked. Normally I just copy/paste this from the Endpoint URL in the feed page.

Hi @PMExtra ,

Thanks for the details on this, very helpful :)

We actually recently discovered this too (though a different underlying problem) - it was should be addressed in 2022.27 via PG-2321.

Can you try that and see if it helps? We can investigate further if not.

Cheers,
Alana

Hi @msimkin_1572 ,

Sorry I didn't realize this before... the URL needs to be the Feed Endpoint URL, which would end in /index.json. I also updated the documentation to make this clear.

The URL you have now is the v2 endpoint url, which doesn't have a feed description document.

Hopefully it'll work as soon as you add /index.json to the URL :)

Cheers,
Alana

Hi @kichikawa_2913 ,

PG-2290 was the regression fix, and it was included in ProGet 2022.22

Cheers,
Alana

Hi @philipp-cender_3322 ,

Looks like you're making good progress :)

I ran the command .\inedoagentservice.exe run but the command only stated that it does: "Starting agent connector to the otter-host-fqdn on port 8630"

That's okay to see; it means that its working as expected. I there was an error, you would see it.

But for Source 10.67.0.17 something like a token exception is stated

In the screenshot, it seems okay and doesn't report an error. So I think it's okay?

The exception message is some kind of OS-level error, and I'm not sure what it means exactly. But it's a SSL/TLS issue. In this case, if you search for the text of the error ("Die Anmeldeinformationen, die dem Paket übergeben wurden, wurden nicht erkannt" -- but perhaps English is better), you can probably get some details on how to fix it. It could be some obscure operating system configuration.

If i open otter at Port 8630 (Agent Listener) on Firefox webbrowser i get something like that: PR_CONNECT_RESET_ERROR

It's not possible to "browse" such a connection; the Inedo Agent uses a proprietary, TCP-based binary protocol. So you will always get errors if you try to browse, telnet, etc.

Cheers,
Alana

Hi @msimkin_1572 ,

The blog article was technically incorrect on the arguments, so I changed that.

However, the documentation is updated and should be accurate:
https://docs.inedo.com/docs/proget-feeds-nuget-symbol-and-source-server

Basically, if you have both a nupkg and a snupkg in your folder, then you should only have to use

dotnet nuget push kramericalib.4.1.2.nupkg  --source https://proget.kramerica.corp/nuget/internal-nuget

The .snupkg file will be stored on the same feed.

The symbol server url hasn't changed (it's still /symbols/feed).

hope that helps :)

Hi @cjchambers_1799 ,

Thanks for clarifying that; that handler outputs logs in plain text format (content-type is like txt/plain or something like that, not html).

That url is intended mostly to download/export the log files for APIS and other tools, but we put it in the UI for discoverability. And sometimes it's convenient to CTRL-F everything.

Since it's plain-text, it's not possible to do any kind of formatting (even a user-style sheet). But I guess you could CTRL-F [Error] or something, and it will "highlight" it in the browser at the least.

Cheers,
Alana

Hi @cjchambers_1799 ,

I'm not entirely sure what screen that is.....I think the execution-in-progress page (with the moving bar)?

So you're using the built-in Dark Mode then? Can you (temporarily) try switching to Light Mode, just to make sure it's showing up in the proper/expected colors?

If that's the case, likely just a CSS bug/fix we need to make :)

I didn't test yet, but just want to be sure I know we're looking at right thing.

Cheers,
Alana

Hi @cjchambers_1799 ,

Log entries are stored with an associated log level (error, warning, info, debug), and when you Log-Error it writes that item to the log with an error level.

When displaying log entries, error-level entries are displayed in Red, warning are in Yellow, and Debug is in Light-Grey.

So, I think this already behaves the way you are asking.

Cheers,
Alana

Hi @jw ,

In ProGet 2023, we are recording a "publish user" when a package is published. I'm not sure how we will show/expose this (probably history page for now), but that's really easy to change once we collect the data.

We're really hoping to get to get 2023.0 released later this month :)

Cheers,
Alana

Hi @Justinvolved ,

That error message is coming from here:
https://github.com/Inedo/inedox-git/blob/master/Git/Git.InedoExtension/Operations/CanonicalGitOperation.cs#L73

Basically, it means that value you've specified for From is not a known Secure Resource. It's not a common error, and is likely the result of deleting/re-adding something.

I would remove the From argument from your OtterScript altogether (just leave it as Git::Checkout-Code;). I don't think you need it. Your build should already associated with a repository, branch, and commit.

Cheers,
Alana

Hi @Justinvolved ,

Looks like there's a Visual Editor bug with Exec statement; we'll investigate/fix ASAP .

But as for the Git, you mention it's happening during an execution (i.e. build process)? Anyway, can you share more of the execution log?

Are you able to browse the Git repository in the Web UI okay?

If that's the case, the error is on the build agent (or BuildMaster server) in the service process. That uses a different set of local repositories than the Web UI. There may be a troubleshooting step we can take to manually clear the local repository (on the service-side), but Id like to gather more info

Cheers,
Alana

Hi @philipp-cender_3322 ,

The "inbound connection" is complex and a relatively new feature, and I don't have a ton of experiencing troubleshooting - so I'll do my best :)

So far, everything looks okay to me.

On the Otter Server, are you seeing any errors related to the server under Admin > Diagnostic Center? I see the server is in an "Error" state.

On the remote server, does the service stay running? If so, that's indicating it's able to establish a connection. But one thing you can try is to stop the service, and run in interactive mode (i.e. run InedoAgentService.exe run on the commandline). That will show you information about the connection.

Cheers,
Alana

@e-rotteveel_1850 thanks for explaining that, that's great to know!

Sometimes it's almost impossible to learn how these feed/package types are actually used, especially since we don't develop in those languages and really just focus mostly on API reverse-engineering ;)

FYI We are targeting late April for 2023.0 release

Hi @jim-borden_4965 !

I think that the "delete old versions" option of Retention Rules might be what you're looking for; that will let you keep the last "X" versions of each package. That, in combination with "unused versions" (i.e. not recently downloaded) typically cover nearly all desired retentions.

As far as a "feed independent" API, that's on our list as a "nice to have", and I don't know how much of an API we'll get in the first version of ProGet 2023. The "hard part" is usually specifications/docs, so if you have any ideas we'd be very open!

Currently, our idea is base it off of the upack api:
https://docs.inedo.com/docs/upack-feed-api-endpoints

Some things will be more difficult (or impossible?) than others. Especially for multi-platform package types like ruby, python. But TBD.

Cheers,
Alana

Hi @hashim-abu-gellban_3562 ,

I haven't set up Clair (v2) recently... but a little while back (as part of a ProGet regression test), I did set it up and it worked. I remember it wasn't very straight-forward and I had to redo a few things because I fat-fingered some of the Docker commands.

I'll see if I can some additional help on this, please stay tuned...

Cheers,
Alana

Hi @dhurley_5516

How to enable download statistics (disabled by default and we need enabled)

This is controlled by restrictPackageStatistics property.

How to support both ODATA (v2) and JSON-LD (v3) (default is only ODATA (v2))

There's no property for this; however it should be enabled by default (it is not). We can also add this as useApiV3

Which property in JSON controls the "Remove signature file" option (enabled by default but we need disabled)

There's also no property for this....; however it IS currently disabled by default . We can also add this as stripSignature

I made these changes as PG-2317, and they'll be in ProGet 2022.27 (which should ship next Friday).

Hi @hashim-abu-gellban_3562 ,

Currently ProGet works with Clair v2. Unfortunately, Clair v4 (there is no v3 by the way) is basically a "different product" and the API is completely different. The vulnerabilities that are scanned/reported are the same, it's really just the back-end. We are exploring updating to v4 (a major change) or just creating our own container scanner for PGVC; both are major undertakings.

That being said, it sounds to me like Clair v2 is currently running okay.

What's really through us off is the error message that you're getting...

Fetching updates for Clair_Index_Docker...
Persisted object is not a VulnerabilitySource.

That's an internal error to ProGet, and basically ProGet is failing to even try to query Clair. This must be a new regression (there are some new preview features for vulnerabilities), but we just can't figure out how you are getting that particular error message.

Essentially, it means the configuration in the ProGet database is incorrect; the Configuration_Xml column from select * from VulnerabilitySources should look something like this:

<Inedo.Extension.Clair.VulnerabilitySources.ClairVulnerabilitySource Assembly="Clair">
  <Properties ApiUrl="http://localhost:6060/" AuthenticationHeader="MySecretKey" />
</Inedo.Extension.Clair.VulnerabilitySources.ClairVulnerabilitySource>

Any insight or more information would be really helpful - especially if you can query the ProGet database to see what's in the table.

This is why Rich asked if you can "edit" the Vulnerablity Source in the ProGEt UI, because that should give the exact same error if the config is invalid.

Thanks

Hi @mhdos_4222 ,

I'm not sure if that's related (and it was, why changing network would have any impact last time).

When the current user is not authorized to perform the required task in a Docker feed, this is code that ProGet runs:

string[] scopeParts = new[] { "repository", fullRepositoryName, ex.SecuredTask == (int)ProGetSecuredTask.Feeds_ViewFeed ? "pull" : "push" };
context.Response.AppendHeader("WWW-Authenticate", $@"Bearer realm=""{authUrl}"",service=""{context.Request.Url.Host}"",scope=""{string.Join(":", scopeParts)}""");
WriteError(context, new DockerException(401, "UNAUTHORIZED", ex.Message), feed, w =>
{
    w.WriteStartObject();
    w.WritePropertyName("Type");
    w.WriteValue(scopeParts[0]);
    w.WritePropertyName("Name");
    w.WriteValue(scopeParts[1]);
    w.WritePropertyName("Action");
    w.WriteValue(scopeParts[2]);
    w.WriteEndObject();
});

I do know that the Docker authentication stuff is very sensitive/complex, and I don't think anyone can answer why ProGet writes pull instead of pull,push. But whatever we're doing now works...

This code has basically been the same for about five years now, and we don't want to just change it because that will probably cause something to break.

Do you have any documentation/evidence/specs or anything that points to pull,push being a correct response?

Thanks,
Alana

Hi @mhdos_4222 ,

I'm afraid I'm not sure how to help troubleshoot this very well; behind the scenes, the server (i.e. ProGet) side of things is fairly simple. Images are basically just manifest files and blobs, and ProGet will add those to the repository when receiving commands to a somewhat basic REST API.

What I would do is use a tool like Fiddler to capture the HTTP traffic between the client and server, and see if you can identify if there are any failed or missing requests. For example, maybe the client is never uploading 3cc66... for some reason. Or perhaps, the request is getting "eaten" but your ingress-controller for some reason.

I would also try to take your somewhat complicated configuration out of the equation, and just go with the most basic setup possible, like this: https://docs.inedo.com/docs/proget-how-to-install-on-aws-lightsail

You can then compare/contrast the HTTP traffic and find where there are issues.
Cheers,
Alana

Hi @e-rotteveel_1850 ,

Sorry but I had this mis-categorized internally , so I didn't see the reply.

This actually requires a fair amount of under-the-hood changes, because of the way we maintain an index of the conda packages in a SqlLite database. It's not terrible, but it's also not complex.

This was added as a "nice to have" in PG2023 :)

Cheers,
Alana

Hi @sebastian ,

FYI; for now, we'll plan to add support for OR when reading a SPDX from a manifest; we'll add this to the "nice to haves" in PG2023!

Cheers,
Alana

Hi @e-rotteveel_1850 , sorry I missed the notification on this b/c of how I categorized this.

Yes.. Q2 (late April for now) is the current plan, though this is something we would likely do after the main release.

Hi @falk-winkler_2111 ,

I believe in this case, you'll just enter the access token as the password, and select "Bearer" as the authentication type.

Cheers,
Alana

@ade8s_7742 so glad to hear that! It's really rare, but glad it wasn't database corruption!!

Hi @doejohn_7742 ,

The underlying error message "Invalid object name 'dbo.RpmPackages' is implying that there's something pretty wrong with the database; in this case, a missing table (RpmPackages).

If that's the case, it wouldn't be easy to fix or troubleshoot unfortunately, and would require SQL expertise, etc. We don't have any general advise for this, but we may be able to help some paid users depending on the issue (it's quite time consuming as you can imagine).

HOWEVER -- it could also be something really simple, like your username (i.e. set in the connection string when you upgrade) is in the wrong schema (needs to be dbo schema), so I would check that too. Our script is supposed to detct that, but sometimes it doesn't work.

Cheers,
Alana

Hi @darturow_6059 ,

I think the equivalent to a "Generic Repository" would be ProGet's asset directory:
https://docs.inedo.com/docs/what-is-an-asset-directory

However, there is no "connector" possible, except to another ProGet asset directory.

Cheers,
Alana

Thanks for clarifying @avaleriusdebeffort_3858

In this case, please do not monitor the console output. There is no useful information that you will gather from that, and it's entirely a diagnostic tool. It cannot be adjusted

If you wish to monitor the health of ProGet, please check the /health API endpoint. That will contain all of the information that you need.

@avaleriusdebeffort_3858 what do you want to log? You can enable more detailed logging on ngnix... but otherwise, in ProGet, we don't have any more detailed logging available for end-users to troubleshoot.

Hi @Justinvolved ,

We don't currently have that type of monitor/trigger, but it's something we'd like to support in the future... in addition to new triggers like for Docker images, etc. Our extensible ResourceMonitor Feature is capable of handling this, but it just needs to be coded.

If you're interested, it'd be relatively easy...

• Create a create a class called PackageVersion that will store latest version number of a package (like Revision Number on SvnRepositoryCommit.cs)
• Create a resource monitor that queries for package versions (like how SvnRepositoryMonitor.cs monitors paths)

Hope that helps !

Cheers,
Alana

Hi @mhdos_4222 ,

Sorry, I must be confused.

Is the image actually pushed? It's not very clear from the logs, but it looks like it's working after you login? You wrote:

The push command was executed after successfully logging into our self hosted Proget.

A 401 basically just means the credentials are incorrect or not sent, and I really can't tell from the logs what's happening or not happening.

If things used to work before, do you know what was changed ? It's just hard to guess from the information we have here.

Hello,

ProGet will issue a 401 (Unauthorized) when the request has not been authenticated or if the authenticated credentials are not correct.

We don't have instructions or troubleshooting steps for nerdctl, but in the docker client you will use a login first., before a push.

Here's some more info:
https://docs.inedo.com/docs/proget-docker-private-registries#creating-and-using-a-docker-registries-in-proget

Cheers,
Alana

Hi @OtterFanboy ,

Thanks for the feedback and for finding additional bugs; I just fixed these as BM-3826 - at least I think.

1. Files was definitely broken (I must never have tested it last time)
2. That was probably related to something else (syncing issues?)... but hard to say; in theory, it should give a "red error box" when there's a problem w/ Git instead of a 500
3. This flow was using the wrong properties to create the resource name
4. Same

I also corrected the "new application flow" so that Rakko will do a "repository detection" to help select a pattern to use.

Let us know if you find other UI bugs (browsing, etc.) with the "Generic Git" repository; it should work the same as Git-service integrations, but we didn't do very good regression testing on it.

Hi @Bob_4018 ,

Thanks for the heads-up! We've resolved this, and the link should now work:

http://cdn.inedo.com/downloads/otter/OtterInstaller22.0.9_Offline.exe

Cheers,
Alana

Hi @martin-helgesen_8100 ,

You can aggregate multiple feeds using connectors:
https://docs.inedo.com/docs/proget-feeds-connector-overview

If you want to put all the packages in one feed, then after adding the connector you can use a "feed downloader":
https://docs.inedo.com/docs/proget-feed-importing

Cheers,
Alana

Hi @jim-borden_4965 ,

It looks like that isn't supported; but it should be relatively easy :)

I added a change (PG-2305) that we'll try to get in the next release (scheduled Mar 24).

Cheers,
Alana

Hi @e-rotteveel_1850 ,

ProGet doesn't currently support deleting individual "files" like this under a package, but it's something we can add for sure. The UI definitely seems to act "suboptimal" with some of these conda packages, but we'll fix it!

I suspect it is best for us to wait until ProGet 2023, since we're doing a big data model changes. I'm going to keep this "open" internally, along with the "constrains" request you made earlier (https://forums.inedo.com/post/13876) :)

Cheers,
Alana

@sebastian no problem :)

Actually... I just realized that I have a backup of your database that you sent to us for analysis/review. And your vulnerability assessments were one of our test datasets to see how migration goes.

So we can give you a very accurate and specific answer once we get to that phase of the ProGet 2023 release

Hello @sebastian ,

Great questions, and I'll do my best to help. This is a little complicated I think :)

[1] PGVC vs OSS Index
From a technical standpoint, PGVC is implemented as an "offline database", which offers a lot of performance benefits - namely ProGet can know about vulnerabilities in packages you're not yet using, and display those on remote packages. ProGet will download updates on a nightly basis.

Regarding the "Quality of data", it's really hard to say. I think everyone just aggregates from the same sources like NVD:

• PGVC leverages the Open Source Vulnerability (OSV) platform developed by Google and backed by Microsoft, etc. It’s an open platform.
• OSS Index is just Sonatype, and it’s closed (proprietary).

We decided to invest in PGVC because OSS Index has been rate limiting more and more, and the quality of results have been declining over the years. We believe PGVC (and the underlying OSV platform) will ultimately be superior.

[2] Instant Availability & Overnight Scanning
As I mentioned above, PGVC is an offline database. This means ProGet can immediately query that database to show you vulnerabilities on packages you may want to use or are currently using. This is not possible with OSS Index due to rate limiting.

The "vulnerability scan job" (which both OSS Index and PGVC scan do) will basically compare all packages you have in ProGet (local/cached) against the vulnerability source. This is to show you about vulnerabilities discovered in pakcages you're using.

[3] Migration
We are planning on some guidance about this. In theory, its should be possible because both the PGVC and OSS Index use CVE-ID. But the OSS Index sometimes uses their own ID instead of a CVE-ID.

We'll study some datasets and see what we can bring over. It might be a SQL Script or a tool inside of PRoGet.

[4] Using Both
I want to say, that you should just pick one source. Otherwise you’ll get a lot of duplicate vulnerabilities. Either one should be sufficient for package scanning, as they both aggregate the same publicly-available data sources.

However, it wouldn't hurt to try using both... just to see what comes up for vulnerabilities. If you delete a vulnerability source, it will delete all the assessments -- so that is a quick way to at least test (you can delete the PGVC vulnerability source).

Hi @OtterFanboy ,

FYI, Generic Git repo browsing in the UI has now been fixed as BM-3822 and will be included in the next maintenance release (March 10). If you'd liek a patch/prerelease sooner, just let me know!

Cheers,
Alana

Hi @priyanka-m_4184 , thanks for updating; yes in this case, it must be a really large package file? 30min is long time, and the upack client must be timing out then.

Hi @e-rotteveel_1850 ,

Thanks so much, this will help quite a lot and should be easy to follow! I downloaded those package and attached them to our internal tracker.

So basically... it sounds like we should just treat constrains (no t ) like we do depends? And if we can display it in the UI, then we will.

I peeked at the code, and it's a bit more complex than I hoped... mostly because of how we have to index/cache "connector" data as a SQL Lite database. But hopefully not that complex.

Anyway, I'll update once we have an idea of when we can get this field in.

Cheers,
Alana

Hi @Justinvolved ,

The first thing I would try is enabling verbose logging; this is on the advanced tab of the operation, or you can set with Verbose: true parameter.

That will give a file-by-file comparison, and show you what's being copied and not. You will see texts like:

Copying C:\apxltd\artifact\Inedo.DependencyScan.dll to C:\apxltd\artifact2\Inedo.DependencyScan.dll...
Inedo.DependencyScan.dll already exists in C:\apxltd\artifact2.
Source timestamp: 11/12/2022 8:26:38 AM, Target timestamp: 11/12/2022 8:26:38 AM
Source size: 54272, Target size: 54272
Size and timestamp are the same; skipping Inedo.DependencyScan.dll...

Hopefully that will help trace this a little bit better.

Cheers,
Alana