RE: Manipulate users using pgutil

Hi @steviecoaster ,

The "Security API" has been on our mind for years, but I'm not sure if any of our paid users have expressed interested in it; I suspect it's because they are using AD/LDAP, so there's no need to automate users this?

AD/LDAP is one of the reasons that users purchase ProGet, so there's obviously a concern of creating an easily-scriptable alternative.. as I'm sure you can understand!

The Native API should definitely work, since it's just a wrapper on Stored Procs.. and the UI uses those same Stored Procs to do it's thing. However, it definitely requires some studying (likely looking at the sproc code) and may requires a few calls to learn the internal IDs.

I recently wrote a very simple "script" to call a Native API in our Otter product, and I guess it's not even using JSON:

Invoke-WebRequest -Method Post -Uri "http://otter.localhost/api/json/Rafts_CreateOrUpdateRaftItem" -Body @{
    API_Key = "abc123"
    Raft_Id = 1
    RaftItemType_Code = 4
    RaftItem_Name = "mypath/myscript.ps1"
    ModifiedOn_Date = Get-Date
    ModifiedBy_User_Name = "API"
    Content_Bytes = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("'hello world'"))
}

Seemed to work fine, so maybe use that Pattern?

Otherwise, I'm aware of one customer that sets up lots of instances in an edge network, but they just wrote a SQL Script to provision a lot of other settings. Even if we had an API, that was easier for them. So perhaps that's an option as well...

Hi @kc_2466 ,

Self-connectors (i.e. a connector to another feed in the same instance) use the HTTP API, so the server (container) needs to talk to itself. The "connection refused" means that there's some kind of network configuration problem here.

You may need to try using a different host name/port/etc to allow for "self-communication" like this.

Cheers,
Alana

Hi @itadmin_9894 ,

It's not possible to edit vulnerability records, as they are updated/source from outside of your ProGet software.

You're also using an older version of ProGet that sources data from OSS Index. That database is generally unreliable and outdated, so if you're concerned about vulnerabilities you should definitely upgrade:
https://docs.inedo.com/docs/proget/installation/proget-old-versions-migration/proget-compliance-ossindex

It looks like the similar/equivalent is here:
https://security.inedo.com/vulnerability/details/PGV-245118T

Cheers,
Alana

Hi @e-rotteveel_1850,

Glad to hear it!

Our only exposure to the Conda ecosystem is writing a feed for it, so hope you don't mind a few "dumb" questions :)

Are there any official/public packages (from like the anaconda repository) that have this field? I presume those would also be in their index.

Any idea where these might be officially documented? I found a reference in the meta.yaml specs, but you said "json" and that's clearly "yaml". I figure maybe it turns into a json at some point.

Are there any similar fields? I see we parse a bunch of fields, like constrains to dev_url.

Cheers,
Alana

@lisama7982_5385 this would require using the Docker API, which is kind off a pain, but if you search for things like "how to tag an image with a digest usng Docker API" or something you should find it eventually

You can also use the Docker CLI by doing something like docker pull using the digest, then docker tag, then docker push.

If this is a one-time clean-up you may also wish to query the database tables, like Docker* tables will allow you to eventually find what images you need to tag. Just don't delete from the database, since that can cause a headache and it won't delete files from disk

Hope that helps :)

Hi @jimbobmcgee,

Good question on versioning... to be honest I kind of forgot how assembly binding would work in this particular context

The Otter.Core assembly version changes in each release. I don't think we have special handling for it, but you could probably add in an assembly resolver for now, until we officially add support. The Job Template / Variables is something we have on our 2025 roadmap for Otter, but other products are priority.

Security... BuildMaster handles it a little better, and will do runtime checks, and does allow for more flexibility. This serverlock we added in Otter was a stopgap in 2022 (I think?) to resolve a customer's issue. The issue you are encountering is relatively easy to work-around, by reimplementing server targeting using variables. It's also on our roadmap, but you know... priorities :)

Hi @lisama7982_5385,

This is something that Retention Rules are typically used for, but as a home/hobby user I understand how that doesn't make sense.

You cannot navigate to these images in the ProGEt UI, which means you can't delete them from the UI. So I would just tag them, then you can browse and delete them.

Cheers,
Alana

Hi @monika-sadlok_5031 ,

I hate copy/pasting what I wrote earlier, but I feel that I've already answered these questions.

The only way this error is possible if there is no network connection between the application container and the SqlServer Container. There are no other scenarios in which this error will occur.

If it's always happening, then it's likely due to your container's network configuration (often it's a typo, like inedosql and inedo-sql or something in your configuration)

Please ignore "BuildMaster"...

, that's just a stack trace showing us where the error occurred, and specifically the code file name/line number. Those paths refer to the build server (i.e. BuildMaster) that ProGet was compiled on.

Ultimately there is something wrong with your Docker configuration. Docker is not esy to troubleshoot/maintain, so I would consider moving to Windows if you are new/uncomfortable troubleshooting.

Cheers,
Alana

@jimbobmcgee thanks again for the detailed analysis & debugging, definitely not easy doing so "blind" like that :)

Anyway we will investigate/patch via OT-516 - I haven't looked but what you're describing sounds like a reasonable conclusion, i.e. the incoming agent isn't getting matched up.

@jimbobmcgee thank you again for the very detailed analysis; we will get this fixed via OT-515, it's most an easy encoding to add

Hi @jimbobmcgee,

This restriction is for security purposes, specifically to enable the usecase of Otter enabling end-users to create/edit/run scripts, but not decide where they are run. So the for server is locked unless the targeting is set to None.

The solution is to indeed add a variable that allows you to select a server... but as you noticed, you'd have to type in a list. We simply ran out of time to bring those over from BuildMaster unfortunately, and this is not really a popular Otter requirement.

But sure it's possible, it's called a VariableTemplateType. Here is the code from BuildMaster that you could probably copy/paste into a custom extension.

But the issue is that you don't have access to DB in the SDK. Kind of a pain, but you could either reference Otter.Core.dll in your Nuget Package, use reflection, call DB directrly, etc.

[Category("Infrastructure")]
[DisplayName("Servers")]
[Description("Servers configured in BuildMaster, optionally filtered by one or more environments")]
public sealed class ServerListVariableSource : BuildMasterDynamicListVariableType
{
    [Persistent]
    [DisplayName("Environment filter")]
    [PlaceholderText("Any environment")]
    [Inedo.Web.SuggestableValue(typeof(EnvironmentNameSuggestionProvider))]
    public string EnvironmentsFilter { get; set; }

    private class EnvironmentNameSuggestionProvider : ISuggestionProvider
    {
        public async Task<IEnumerable<string>> GetSuggestionsAsync(IComponentConfiguration config) =>
            (await DB
                .Environments_GetEnvironmentsAsync().ConfigureAwait(false))
                .Select(e => e.Environment_Name);
    }

    public async override Task<IEnumerable<string>> EnumerateListValuesAsync(VariableTemplateContext context)
    {
        var values = (await DB.Environments_GetEnvironmentsAndServersAsync(false).ConfigureAwait(false))
            .EnvironmentServers_Extended
            .Where(es => es.Server_Active_Indicator)
            .Where(es => string.IsNullOrEmpty(this.EnvironmentsFilter) || string.Equals(this.EnvironmentsFilter, es.Environment_Name, StringComparison.OrdinalIgnoreCase))
            .Select(es => es.Server_Name)
            .Distinct();

        return values;
    }

    public override RichDescription GetDescription()
    {
        if (this.EnvironmentsFilter?.Length > 0)
            return new RichDescription("Servers in ", new ListHilite(this.EnvironmentsFilter), " environments.");
        else
            return new RichDescription("Servers in all environments.");
    }
}

It is on our list to "Make Job Template Varible Editor Closer to Pipeline Variable Editor", it's just not trivial and not a huge priority on our products roadmap (https://inedo.com/products/roadmap)

Cheers,
Alana

Hi @serveradmin_0226 ,

This is a network-related error and basically means that your ProGet container cannot talk to the SqlServer container. There are no other causes of this error.

If this error is sporadic, then it's likely related to the SqlContainer restarting or some other problem with the networking stack on the server. You'd need to investigate the timing of these errors with other things happening on the host server.

If it's always happening, then it's likely due to your container's network configuration (often it's a typo, like inedosql and inedo-sql or something in your configuration) or the SqlServer container could just not be running.

As for the logs, that's just a stack trace showing us where the error occurred, and specifically the code file name/line number. Those paths refer to the build server (i.e. BuildMaster) that ProGet was compiled on.

Hi @MY_9476 ,

Thanks for the heads up! We will fix this via OT-514 in the next maintenance release.

As an FYI, this is the code that should have been run at the end of the database upgrade, to ensure that all procs and table-value params have appropriate permission:

DECLARE @SQL NVARCHAR(MAX) SET @SQL = ''
SELECT @SQL = @SQL + 'GRANT EXECUTE ON TYPE::' + QUOTENAME(name) + ' TO [OtterUser_Role] ' FROM sys.table_types 
SELECT @SQL = @SQL + 'GRANT EXECUTE ON ' + QUOTENAME(name) + ' TO [OtterUser_Role] ' FROM sys.procedures
EXEC sp_executesql @SQL

The script you ran works too :)

hi @hammel_7023 ,

Thanks for letting us know, you are correct... this is indeed a regression from PG-2859.

What's happening is the upload stream is getting prematurely closed during the POM validation logic, which is what's causing this error to occur.

I've just patched it now via PG-2868, and it'll get in the next maintenance release.

Cheers,
Alana

Hi @scusson_9923 ,

Here's a one-liner that should hopefully get you started.

Invoke-WebRequest -Method Post -Uri "http://otter.localhost/api/json/Rafts_CreateOrUpdateRaftItem" -Body @{
    API_Key = "abc123"
    Raft_Id = 1
    RaftItemType_Code = 4
    RaftItem_Name = "mypath/myscript.ps1"
    ModifiedOn_Date = Get-Date
    ModifiedBy_User_Name = "API"
    Content_Bytes = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("'hello world'"))
}

The RaftItemType_Code=4 is not documented, but it's a fixed value and means a script. I recommend creating the item manually first, then looking in the RaftItems table for the Raft_Id and RaftItemType_Code values.

Cheers,
Alana

@jimbobmcgee excellent thanks!! Release has been published then :)

Hi @nachtmahr ,

It sounds like your Windows Integrated Authentication is broken. This is an operating-system level feature, and the only thing you can do in ProGet is turn it on, or turn it off.

WIA is pretty buggy these days, and sometimes it just breaks. Here is more information:

• https://docs.inedo.com/docs/installation/security-ldap-active-directory/various-ldap-integrated-authentication

Hopefully just doing a reboot of the server will fix the problem. If not, then you'll have to troubleshoot it, which kind of sucks:

• https://docs.inedo.com/docs/installation/security-ldap-active-directory/various-ldap-troubleshooting#integrated-authentication-not-working

Note that you can disable WIA by using the Locked Out protocol:
https://docs.inedo.com/docs/installation/security-ldap-active-directory/various-ldap-troubleshooting#locked-out-restoring-default-admin-account

Hope that helps,
Alana

@jimbobmcgee

I think you might have an old version of Inedo Hub; you can just download a new version and the dropdown will be there. I guess the old version should work, I just worry about some bugfix/change that might cause newer versions to not work.

The feed is https://proget.inedo.com/upack/PrereleaseProducts

Hi @monika-sadlok_5031,

That error means that the ProGet application container cannot make a network connection to the the SQL Server container.

I would try to restart the containers, start with SQL Server. Make sure it's running. If it's running, you can try connecting to it with another tool like SSMS if you'd like to verify.'

Otherwise, on the ProGet side, you can only configure the connection string; upgrading or changing the license key has zero impact on this. If it worked in the past, then it means that the SSQL Server container is not running or your network/container configuration changed.

This can be hard to discover exacgtly what changed, so I would recommend "starting from scratch" on a new server/environment, then compare/contrasting what changed. Sometimes it's as simple as a typo or an errant - (dash character) in the wrong place/script.

Cheers,
Alana

Hi @forbzie22_0253 ,

Similar to the UI, packages are still returned in the API - they just have a flag set to indicate they are unlisted/deprecated. It's up to the client to determine what to do about that.

I don't believe the Find-Package cmdlet works with these properties; I think only Visual Studio will hide/warn about them.

Thanks,
Alana

@sneh-patel_0294 and as an FYI, if you haven't already, you can request a ProGet Trial key from My.Inedo.com, and then set it to ProGet Enterprise, which supports the Clustered installation

Hi @sneh-patel_0294 ,

A "chained connector" would be something like, "(Feed A) --> (Feed B) --> (Feed C)". We've seen some set-ups like "(Feed A) -> ((Feed B) + (Feed C --> Feed F)+ (Feed D --> Feed G))", and every now and then a "loop" (where Feed A eventually connects back to Feed A). Those are really bad for performance, especially with NuGet v2 which requires a query every every single connector.

As for a clustered installation, here's our set-up guide for that:
https://docs.inedo.com/docs/installation/high-availability-load-balancing/high-availability-load-balancing

But to answer your questions... a sstandard share drive and a common SQL Server is fine. The main thing is to spread the incoming network traffic across multiple web nodes.

Cheers,
Alana

Hi @sneh-patel_0294 ,

The underlying issue is that you ProGet server is getting overloaded, and you need to find a way to reduce peak traffic or switch to a load-balanced solution. Removing NuGet V2 APIS, chained connectors, etc. are a good step in reducing traffic.

See How to Prevent Server Overload in ProGet to learn more.

Keep in mind that the clients (build servers, dev workstations) are sending 1000's of simultaneous requests to ProGet at one time. ProGet is not a static file server (unlike nuget.org), and each request must be authenticated and often proxied/forwarded to connectors. There is only one network card on the server, and this is what happens when it gets overloaded.

As for why it's causing errors now, this is a result of changes to the underlying platform (.NET Framework to .NET Core). The older platform did a better job of throttling traffic under extreme load and, for whatever reason, didn't timeout as much.

You can configure a throttle in ProGet by going to Admin > HTTP/S Settings > Web Server > "edit", and then set a value of 100 or so. You mentioned a value of "500", but I would just set it to 100.

Cheers,
Alana

Hi @enrico-proget_8830 ,

Using ngnix is probably a better solution anyway if you don't mind setting that...
but the setting is now under Admin > HTTP Settings > Web Server " Edit"

Thanks,
Alana

Hi @udi-moshe_0021 ,

I don't know... as I mentioned, when we follow our instructions to set up a Debian feed in ProGet with a connector to http://ftp.debian.org/debian/ (Buster) it seemed to work fine. Other users seem to have no issues with the steps there, which is why it's likely your network.

Beyond that I really don't know enough about your configuration or apt troubleshooting to help further. I can't try to reproduce your environment, but if you provide the exact error messages from apt, I can search for them.

However, for faster help, please just simply search the error messages you are receiving from apt that you are receiving and follow the advice of articles that come up on Google. or ask ChatGPT.

Since I know very little about apt, all I can really do here is read the error messages, search for them, and link you to an article to try.

Thanks,
Alana

Hi @udi-moshe_0021 ,

Sure, anything would help; I'm basically looking for a very specific error message that I can search. Once you share the specific console outputs, I will try to search what the error means and summarize the results and how you might be able to troubleshoot it further.

I don't think there are any issues with your ProGet configuration, as it clearly works in Ubuntu desktop for you. It's likely a configuration of apt that you need to make, so you may wish to search the exact apt error messages as well.

Thanks,
Alana

Hi @udi-moshe_0021 ,

Can you can provide the specific commands and error messages you are receiving? I.e. just coyp/paste the entire console session with the commands you're typing and the output.

cheers
Alana

Thanks for clarifying that @rpangrazio_2287 , we'll explore that route as well.

We opted against DinD because of resource management (build servers can be rather resource-intensive) and general instability (not everything seems to work the same).

FYI - in case you haven't seen it already, BuildMaster does support Image-based Services (Containerized Builds)

Cheers,
Alana

Hi @rpangrazio_2287 ,

Thanks for sharing that solution; the general approach we arrived at was setting up an SSL Agent to connect to the BuildMaster's Docker host (Installing & Integrating with Docker Engine).

The approach you took is interesting; are you essentially installing Docker within the container? I assume that uses the Docker engine of the host, not like "docker in docker"?

Thanks,
Alana

Hi @udi-moshe_0021,

First and foremost, I would use the latest version of ProGet 2024. That eliminates any question of bugs that may have been fixed.

Otherwise, I'm afraid that we don't have a lot of experience in troubleshooting debian client issues. What I can say is that, when I follow our instructions to set up a Debian feed in ProGet with a connector to http://ftp.debian.org/debian/ (Buster) it seemed to work fine.

You may need to query the endpoints directly and see what data PRoGet is generating vs archive.ubuntu.org.

Thanks,
Alana

Hi @marc-ledent_9164 ,

I'm not really sure how to debug OpenShift/Kubernetes, so I really don't even know what to suggest to look at. This may also be unrelated to the platform at all, but we just aren't seeing the real error. Ultimately I do think the web service isn't starting, which makes it really hard to see errors.

There is a database table in BuildMaster that might contain some iinformation (LogMessages); it should be prety obvious which message it is.

Another thing you could/should try is a fresh, Docker-only installation of BuildMaster 2024. That should "just work" out of the box. Then bring to OpenShift/Kube. if that works, we at least know it's some kind of configuration delta.

BuildMaster 7 was our first Linux edition, so it's possible there was some configuration that worked on that, but not in newer. But we just need a starting point/error.

Hopefully the error table has some info

Thanks,
Alana

Hi @marc-ledent_9164 ,

I'm guessing that, if you're getting that error, it probably means that the BuildMaster service is somehow crashing on start-up and thus not running.

If this is the case, you should see some kidn of error message in the service (container) console output logs.

I don't know enough about OpenShift to advise how to find these logs, but if you can just do the equivalent of docker run without -d (detached) then the console output will be streamed to the console, and you can see the error messages.

Cheers,
Alana

Hi @paul-kendik_9721 ,

It looks like you're on the right track with troubleshooting -- the issue is indeed related to SSL/Certificates. This is all handled at the operating system level, which means there's nothing we can do on the application (i.e. ProGet) side of things.

Unfortunately, I've never seen this error on a modern Windows server so I don't know what exactly to suggest to fix. I didn't even know TLS 1.0 was enabled on Windows still. Maybe it's not even the server, but like a proxy or some kind of intermediate server?

The "good news" is that this is an easily searchable problem, so I would start by searching for "Windows 2022 SSL HandshakeFailure TLS 1.0" and see what comes up. There is certainly some kind of setting on your server taht is causing this problem, I just don't know what to suggest to look for.

Please let us know wat you find!

Alana

@daniel-lundqvist_1790 no problem.. docker is really confusing/silly... , glad we got it solved :)

Hi @daniel-lundqvist_1790 ,

Thanks, now I understand what the issue is: basically the command history isn't lining up to the layers. This is a minor UI/display thing.

I can fix that fairly easy by grouping history entries marked with empty_layer into the following command. Here is what it looks like when grouped (ignore red warnings, it's dev environment):

Assuming the history entries are accurate, the bottom-most entry should be the one that generated the layer.

This will be in the next maintenance release (friday) via PG-2848.

Thanks,
Alana

Hi @Dony-Thomas_7156 ,

You can ignore these errors. ProGet doesn't process these requests (i.e. store the content); instead ProGet simply generates the appropriate hash of a maven artifact when you request .ext.md5, etc. It's dynamic, not a file system.

That said, I do know that later versions of ProGet will simply return a 200 so that it does'nt cause an error with Marvin. I recommend to upload to the latest ProGet 2024, and use the New Maven feeds.

Thanks,
Alana

Hi @marc-ledent_9164 ,

Sorry but that seems to be an issue in v7 displaying some events

I'm afraid there's no workaround, but you can find the data in the database (EventLogOccurences table), which might be helpful?

Thanks,
Alnaa

Hi @daniel-lundqvist_1790 ,

Thanks for sharing this; as you can see from the manifest file you shared, there are 24 layers in your image. These are the 24 layers that ProGet is showing on the Layers tab.

We can clearly see that there are no additional layers; the 24th layer that ProGet is showing is indeed the last (24th) entry in the manifest file:

      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 13829131,
         "digest": "sha256:b7593e740f79fdea31249ff3717f4fe50dc1925ca728bb423e56e12e2e1b4b6e"
      }

The docker image history command does not show layers. It shows image history, which is orthogonal to layers. ProGet is not designed to show the image history, only the layers.

If you were to look at your Container Configuration File, under the "history" property, you will see the exact number of items that docker image history shows`. The command is simply giving a user-friendly printout of that file.

Hope that helps clarify,
Alana

Hi @daniel-lundqvist_1790,

Can you paste in the manifest file here? It's JSON and it's going to be on the "Metadata" page in a textbox

Thanks,
Alana

Hi @daniel-lundqvist_1790 ,

The Image Layers and Image History are two different things.

I'm not sure how to better explain this... but ProGet is not designed to show you the "Image History" -- if you want that, then use the docker image history command.

Instead, ProGet's "Layers" page shows the Image Layers.

It's confusing because these things are similar, but they are in fact different.

Thanks,
Alana

Hi @daniel-lundqvist_1790,

Thanks for clarifying. These are different things...

The docker image history displays all lines in the history section of the container configuration file (CCF), which includes both layer-creating and nonlayer-creating commands. A CCF is optional, I suspect that command wouldn't work without the CCF, but I don't know.

The "Layers" tab in ProGet displayed the actual layers (i.e. .tar.gz files on disk) that the image. If available, the CCF is used to augment the layer with command information.

As an example, you can see the Docker image for ProGet itself:

• https://proget.inedo.com/containers/tags/ProductImages/inedo/proget/24.0.20/metadata
• https://proget.inedo.com/containers/tags/ProductImages/inedo/proget/24.0.20/layers

You can see the CCF lists the history:

"history": [
  {
    "created": "2024-07-02T01:25:02.331012304Z",
    "created_by": "/bin/sh -c #(nop) ADD file:b24689567a7c604de93e4ef1dc87c372514f692556744da43925c575b4f80df6 in / "
  },
  {
    "created": "2024-07-02T01:25:02.745660567Z",
    "created_by": "/bin/sh -c #(nop)  CMD [\"bash\"]",
    "empty_layer": true
  },
  {
    "created": "2024-07-09T14:47:21.224481352Z",
    "created_by": "ENV APP_UID=1654 ASPNETCORE_HTTP_PORTS=8080 DOTNET_RUNNING_IN_CONTAINER=true",
    "comment": "buildkit.dockerfile.v0",
    "empty_layer": true
  },
  {
    "created": "2024-07-09T14:47:21.224481352Z",
    "created_by": "RUN /bin/sh -c apt-get update     \u0026\u0026 apt-get install -y --no-install-recommends         ca-certificates                 libc6         libgcc-s1         libicu72         libssl3         libstdc++6         tzdata         zlib1g     \u0026\u0026 rm -rf /var/lib/apt/lists/* # buildkit",
    "comment": "buildkit.dockerfile.v0"
  },

But only two of those generated FS changes and became layers. So that's what is displayed on the "Layers" page.

Thanks,
Alana

Hi @daniel-lundqvist_1790 ,

Good question! ProGet 2024 ships with the latest version of all available extensions, so there's usually not going to be a new one unless we add ones later (e.g. GCP) or update/fix ones.

Most extensions are used by BuildMaster; for example, the Jenkins extension lets you do cool stuff like import/orchestrate Jenkins servers and deploy artifacts from them:
https://docs.inedo.com/docs/buildmaster/tools-service-integrations/buildmaster-integrations-jenkins

Thanks,
Alana

Hi @matthew-crowley_4142 ,

What version of ProGet are you using? I know at some point we removed the requirement to specify a content type (maybe ProGet 2023?)

pgutil is really only designed/tested with ProGet 2024+; earlier versions might work, but we just didn't build or test for those APIs. We're open to pull requests if you wanted to take a stab at trying to get it working on old api (maybe it's just a matter of adding the content type header)?

Thanks,
Alana

Hi @daniel-lundqvist_1790 ,

Custom extensions in ProGet are not very common, but they need to be manually installed; are you trying to build your own extension? We generally don't advise that for ProGet, since whatever you build would likely be a general-purpose integration that we would work with you to "adopt" (like cloud file system, etc)

We have some guidance on how to manually install extensions here:
https://docs.inedo.com/docs/proget/administration/extensions#manual-installation

Thanks,
Alana

Hi @daniel-lundqvist_1790 ,

Are you sure there are 36 layers in your image? You can see this in the manifest file.

I don't believe that commands like LABEL and ARG lines will change the filesystem, and thus a new layer would not be created.

The container configuration file, if it exists, may contain these extra commands. You can see the details of these files on the metadata of your image.

Thanks,
Alana

Hi @forbzie22_0253 ,

We have never seen a case where changing an IIS setting has benefited performance in any way whatsoever; instead we have only found headaches and problems from users modifying them. Those settings are not designed for modern .NET applications, but for like .NET Framework, classic ASP, etc.

So please don't touch them :)

Thanks,
Alana

Hi @sneh-patel_0294 ,

Here is the NuGet API Documentation:
https://learn.microsoft.com/en-us/nuget/api/overview

Here is the Packages API query you would want:
https://docs.inedo.com/docs/proget/reference-api/proget-api-packages/proget-api-packages-list-versions#http-response-specification

Regardless of what APi you use, you'll need to change your query strategy:

1. Get a list of all versions of CPS.Regression from the server
2. From that list, filter by 9.1 and then sort by latest that's not prerelease

There are some sample scripts that might be helpful on our docs as well:
https://docs.inedo.com/docs/proget/reference-api/proget-api-packages/proget-api-packages-list-versions#list-all-non-prerelease-versions-powershell

Thanks,
Alana

Hi @sebastien-gamby_3349,

I don't see an option to do anything like that, but we're happy to brainstorm/think of an option to add. The main issue is documentation and avoiding having 1000 options.

I see that there's a ---do-not-scan-node_modules switch; maybe that could be converted to a --excludePaths={relativePathCsv} or something? So ---do-not-scan-node_modules would become --excludePaths=node_modules and you could do --excludePaths="myproj1.csproj,myproj2.csproj" or something?

Just brainstorming here, not sure if that's even feasible.

Here is the current documentation for the command

Description:
  Generates a minimal SBOM from project dependencies and uploads it to ProGet

Usage:
  pgutil builds scan [options]

Options:
  --input=<input> (REQUIRED)                Project to scan for dependencies
  --project-name=<project-name> (REQUIRED)  Name of the component consuming the dependencies
  --version=<version> (REQUIRED)            Version of the component consuming the dependencies
  --api-key=<api-key>                       ProGet API key used to authorize access
  --do-not-scan-node_modules                Do not scan the node_modules directory when scanning for package-lock.json
                                            files
  --include-dev-dependencies                Include npm development dependencies from the package-lock.json file in the
                                            generated SBOM document
  --include-project-references              Include dependencies from referenced projects in the generated SBOM
                                            document
  --password=<password>                     ProGet user password used to authorize access
  --project-type=<project-type>             Type of the consuming project (default=library)
  --scanner-type=<scanner-type>             Type of project scanner to use; auto, npm, NuGet, PyPI, or Conda
                                            (default=auto)
  --source=<source>                         Named source or URL of ProGet
  --username=<username>                     ProGet user name used to authorize access
  -?, --help                                Show help and usage information

Examples:
  $> pgutil builds scan --input=WebDataTool.csproj --project-name="Web Data Tool" --version=1.2.3
``

Hi @george_4088,

That is correct, but a brute-force attack wouldn't succeed unless an administrator used something silly like admin for their username and password for their password. You could just as easily integrate with an LDAP/Active Directory server, which will add timeouts and account lockouts to make it impossible to "crack" in our lifetime. SAML is fine too.

My point is that it's like 1000 times more likely that the API Key used to publish those Chocolatey packages would be exposed in logs, configuration files, etc. That's the attack surface you want to be careful of.

Cheers,
Alana

Hi @forbzie22_0253 ,

We do not recommend modifying this value from the defaults; in fact, we recommend you avoid using IIS altogether.

IIS works poorly with modern .NET applications and tweaking settings will make it worse. For example, if you change "Max Worker Processes" to a value other than 1 (the default) you will likely get performance problems, since modern .NET are already multi-threaded and they will "compete" with each other.

ProGet has a built-in traffic queue that you can tweak under Admin > HTTP Settings > Web Server > edit. If you are having performance problems, then set it to 100 or so.

Cheers,
Alana