    Posts made by atripp

    • RE: MFA on Integrated Auth

      Hi @george_4088 ,

      Users who are looking for MFA in our products will configure SAML to work with a login provider such as Entra ID that does MFA; we have some documentation on how to configure SAML here:
      https://docs.inedo.com/docs/installation/saml-authentication/various-saml-overview

      SAML is a ProGet Enterprise feature.

      As an aside, we are often asked about best practices regarding MFA and public-facing repositories. I don't think MFA adds a lot of value to a product like ProGet because it's so API-key heavy, and API-based authentication can't use MFA obviously. The most important attack surface to cover is API keys. Those are often overlooked and tend to be haphazardly entered/exposed in scripts, logs, etc.

      Cheers,
      Alana

      posted in Support
      atripp
    • RE: GET Request "lt" operator not working for a string in ProGet v2024.16

      Hi @sneh-patel_0294 ,

      This API has been deprecated for a long time. It sounds like you're doing your own, custom queries.... ProGet only supports the queries made by certain clients like NuGet. See NuGet ODATA (v2) API.

      While we haven't touched the ODATA (v2) code in many years, there must have been some other change that caused this behavior to happen. As you might imagine, we don't want to open up that code and risk introducing another regression, so it'd be best for you to work-around this issue.

      Your best bet is to switch to the Packages API; you can also use the NuGet v3 API, which is well documented and supported by ProGet, but it's a lot harder to use.

      Cheers,
      Alana

      posted in Support
      atripp
    • RE: Proget: Debian2 connector to https://packages.microsoft.com/ubuntu/22.04/prod/ results in unique constraint failed error

      Hi @it4it_9320 ,

      I was able to reproduce this; it looks like the jammy/main/binary-amd64/Packages index is invalid and duplicates several packages, including this:

      Package: aadsshlogin
      Version: 1.0.023850001
      Architecture: amd64
      Section: utils
      Priority: optional
      Maintainer: Yancho Yanev <yyanev@microsoft.com>
      Description: AAD NSS, PAM and certhandler extensions
       This package installs NSS, PAM and certhandler extensions to allow SSH login for AAD users.
      Conflicts: aadlogin
      Depends: libc6 (>= 2.34), libcurl4 (>= 7.16.2), libpam0g (>= 0.99.7.1), libselinux1 (>= 3.1~), libsemanage2 (>= 2.0.32), libssl3 (>= 3.0.0~~alpha1), libuuid1 (>= 2.16), passwd, openssh-server (>=6.9)
      Pre-Depends: grep, sed
      SHA256: efad79eb58c10155710ef59171fbe73d67e765a49ce4cc4f4e3622163f4c2f84
      Size: 332574
      Filename: pool/main/a/aadsshlogin/aadsshlogin_1.0.023850001_amd64.deb
      
      Package: aadsshlogin-selinux
      Version: 1.0.023850001
      Architecture: amd64
      Section: utils
      Priority: optional
      Maintainer: Yancho Yanev <yyanev@microsoft.com>
      Description: Selinux configuration for AAD NSS and PAM extensions.
      Conflicts: aadlogin-selinux
      Depends: policycoreutils (>=3.3-1), selinux-utils, selinux-policy-default
      SHA256: 6a0c3277754585d81d7c1216a23fa034bca6cacef7f162aba0af301ea734fc49
      Size: 2214
      Filename: pool/main/a/aadsshlogin-selinux/aadsshlogin-selinux_1.0.023850001_amd64.deb
      

      So, as a result, the error occurs. We will add some checking code for this bad index file, and plan to fix this in the upcoming maintenance release via PG-2834.

      Thanks,
      Alana

      posted in Support
      atripp
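Added example, not part of the original post or of ProGet's code: a check for the condition described in the post above, where a Debian Packages index lists the same package more than once. The sample index is constructed, and treating (Package, Version, Architecture) as the identity of an entry is an assumption.

```python
"""Flag repeated entries in a Debian "Packages" index before importing it."""
from collections import defaultdict

# Constructed sample index (placeholder digests, not real packages).
HASH_A = "a" * 64
HASH_B = "b" * 64
SAMPLE_INDEX = f"""\
Package: example-login
Version: 1.0.1
Architecture: amd64
Description: constructed sample entry
 Second line of the description.
SHA256: {HASH_A}
Filename: pool/main/e/example-login/example-login_1.0.1_amd64.deb

Package: example-login
Version: 1.0.1
Architecture: amd64
SHA256: {HASH_A}
Filename: pool/main/e/example-login/example-login_1.0.1_amd64.deb

Package: example-agent
Version: 2.3.0
Architecture: amd64
SHA256: {HASH_A}
Filename: pool/main/e/example-agent/example-agent_2.3.0_amd64.deb

Package: example-agent
Version: 2.3.0
Architecture: amd64
SHA256: {HASH_B}
Filename: pool/main/e/example-agent/example-agent_2.3.0_amd64.deb

Package: example-cli
Version: 0.9.0
Architecture: amd64
SHA256: {HASH_B}
Filename: pool/main/e/example-cli/example-cli_0.9.0_amd64.deb
"""


def parse_stanzas(text):
    """Split an index into stanzas (blank-line separated) of field -> value.

    A line starting with a space or tab continues the previous field,
    as in multi-line Description values.
    """
    stanzas, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last_key = {}, None
            continue
        if line[0] in " \t":
            if last_key is not None:
                current[last_key] += "\n" + line.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed field line: {line!r}")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def find_duplicates(stanzas):
    """Return {(package, version, arch): "identical" | "conflicting"}.

    "identical" means every repeat carries the same SHA256 and can be
    de-duplicated; "conflicting" means the index offers different files
    under one identity, which should block the import for review.
    """
    groups = defaultdict(list)
    for stanza in stanzas:
        identity = (stanza.get("Package"), stanza.get("Version"),
                    stanza.get("Architecture"))
        groups[identity].append(stanza)
    report = {}
    for identity, entries in groups.items():
        if len(entries) > 1:
            digests = {entry.get("SHA256") for entry in entries}
            report[identity] = "identical" if len(digests) == 1 else "conflicting"
    return report


if __name__ == "__main__":
    for identity, kind in find_duplicates(parse_stanzas(SAMPLE_INDEX)).items():
        print(kind, *identity)
```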
    • RE: Debian package replication based on hash values

      Hi @frei_zs ,

      Replication uses the package file's hash value, so "new" package files should be transferred when the files are updated. I know a lot of users rely on this behavior, including us every now and then. Debian is a little different than most package feeds because of how the component part works, but it should be the same.

      This should be relatively easy to test/verify:

      1. Create two packages (A-1.0.deb, A-1.1.deb)
      2. Add a dummy file to the A-1.0.deb archive, save it as alt-A-1.0.deb
      3. Create a new Debian2 feed and upload A-1.0, A-1.1; verify feed has two packages
      4. Upload alternate A-1.0 file; download the package and verify it's modified and feed has two packages
      5. Replicate to a new Debian2 feed; both packages should replicate
      6. Upload the original A-1.0 file, and it should replicate within a couple minutes
      7. Upload the alt-A-1.0 file, and it should replicate within a couple minutes

      If you can reproduce this on a new feed configuration, maybe it's something to do with the package files; can you send them to us? Then we will try to reproduce in a debugging environment.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: How to configure raft git in Otter

      Hi @philippe-camelio_3885 ,

      Can you try this on Otter 2023, to see if it makes a difference? We made some Git library changes and that's the easiest thing to confirm if it's related to that.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: ProGet: Different behavior for build creation

      Hi @caterina ,

      This will be fixed in the next maintenance release via PG-2829. I just checked in the change.

      I made a mistake when making the original change, and used the ProjectBuildId instead of the ProjectId when validating if other builds exist. So it works if the Ids match perfectly (like when I tested it).

      Note this only impacts the UI, and we don't really expect users to create builds via the UI.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: ProGet: Auto package promotion from NuGet mirror?

      @dan-brown_0128 @scampbell_8969 thanks for the feedback!

      I've added a note to our internal board for ProGet 2025 roadmap consideration; after we get through the PostgreSQL migration, we will likely focus on SCA feature improvement, but maybe there will be room for this.

      Any guidance/ideas on the UI/docs would be really helpful when we come to revisit it.

      https://inedo.com/products/roadmap

      posted in Support
      atripp
    • RE: ProGet Asset Directory

      Hi @forbzie22_0253 ,

      That's not exposed in the UI at this time; is there a reason/use case you'd want to use it? It's primarily intended as a kind of backup of sorts.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Proget 2024 SCA Permissions

      Hi @davidroberts63 ,

      The Projects & Builds page (/projects) requires Projects_View permission.

      Cheers,
      Alana

      posted in Support
      atripp
    • RE: Proget 2023 - docker manifest problem

      Hi @udi-moshe_0021 ,

      If you're talking about connecting to DockerHub, the behavior is a little weird... but yes, images without a prefix need the library prefix. This is actually how the Docker client behaves behind the scenes.

      When you request ubuntu, the Docker client actually requests library/ubuntu. You can edit the connector (Advanced tab) to automatically add the library prefix, which will behave like the Docker client.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Proget 2023 - docker manifest problem

      Hi @udi-moshe_0021 ,

      I would suggest using the latest ProGet version.

      A "manifest unknown" is a very generic error, and the docker client doesn't log any more details (log, error message from ProGet, etc). I suggest using a traffic capture tool to see exactly what the problem is.

      Under the hood, Docker clients can have some problems with proxies, so this could be related. The DockerHub also has rate limiting, so that could be a problem you're experiencing. We just can't see it with just the Docker client sometimes.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Projects, builds and SCA.

      Hi @daniel-lundqvist_1790 ,

      You can select the edition you'd like to trial within the software itself, under Admin > License Key.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Inedo.Agents.Ssh.SftpException: SFTP Protocol Error (permission denied) using SSH To Linux (otter)

      Hi @gurdip-sira_1271 ,

      Based on the error message, it looks like the user doesn't have appropriate permissions; did you set a temp directory on the SSH agent? That directory may not exist, and the user may not have permission to create it.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Licensed packages showing on Unlicensed Local Packages listing

      @davidroberts63 thanks for figuring that one out, that's definitely a bug...

      [image]

      ... box style was correct, but enabled/disabled text looked at wrong property 🤦

      Easy fix, difficult to spot!

      posted in Support
      atripp
    • RE: Buildmaster license on OpenShift

      Hi @marc-ledent_9164 ,

      Are you referring to the Machine UID from Manual Activation?

      I'm not sure what the Machine UID looks like in BuildMaster 7 on Linux, but I do recall that early versions of our products sometimes couldn't generate the string on some hardware. I think that's fixed now.

      The code is supposed to be based on the CPU (vendor ID, model, family, and stepping info) and the major version of the Inedo software (e.g. 5.1, 5.3, 2022, 2023).

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Licensed packages showing on Unlicensed Local Packages listing

      Hi @davidroberts63 ,

      Thanks for digging into this further and providing those logs; looking over the code, I'm thinking that you must have the licenses feed feature enabled?

      This setting is on the manage feed page.

      When that feature is enabled, we should see logs like:

      • Detecting licenses for {package}...
      • Found {licensesCount} licenses: {licenseCodes}

      The info is also recorded in the database in the same block.

      I can't say why you have other records; they may have come from other feeds, or maybe the feature was disabled later on... the PackageLicenses23 table is not feed specific.

      Anyway, let us know what you discover; it's a little weird to see the behavior, so we would like to confirm and tweak the UI a little bit to make it clearer.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: ProGet: Different behavior for build creation

      Hi @caterina ,

      Thanks for investigating this! I just made the following changes via PG-2818:

      • do not update Stage, Status upon import of SBOM
      • set Release Null when editing build (not empty string)
      • validate build number is unique

      This will go in the next maintenance release, shipping next Friday

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: ProGet: Different behavior for build creation

      Hi @caterina ,

      Thanks for the additional detail.

      So I investigated this a little further, and now I see there's a bug in the method that imports the SBOM file - basically it's just overwriting the Stage Name with "Build". That's not intentional.

      It looks like the BuildStatus_Code is also reset to Active. I'm not sure if that should be the case; maybe an inactive build should not allow a new sbom added... what do you think 🤔

      As for the duplicates, we know it's not possible to enter a row in the table with a constraint, so it means there's either whitespace in the buildnumber (two different builds) or there's an incorrect join (build displayed twice).

      Just take a look at the projectBuildId querystring parameter for the "2.0.0" builds -- that will clue us in to which case it is.

      If it's whitespace, we'll have to figure out where it could be added -- and just trim before adding to database

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: ProGet: Different behavior for build creation

      Hi @caterina ,

      Sorry on the slow reply, I swear I replied to this.... but clearly not.

      As you can see from the 500/crash error (which we should obviously not do), there is a data constraint that prevents two builds within the same project and release from having the same number. Specifically, the constraint is <Project_Id, Release_Number, Build_Number>; so it's not possible to have build 3.0.0 twice -- but maybe it's in a different project or release.

      As far as "Import SBOM" vs "Create Build", the Import SBOM will create a Project (based on the Component name) and a Build (based on the Version) if it does not exist. Then, it adds the packages within the SBOM Document to the build's list of packages, and then adds the SBOM document itself to the build's SBOM documents.

      When importing an SBOM, nothing is deleted; it's always added. As you've seen, Create Build will definitely error out if the build already exists.

      Hope that helps clarify,

      Alana

      posted in Support
      atripp
    • RE: Projects, builds and SCA.

      Hi @daniel-lundqvist_1790 ,

      Based on the problems you're trying to solve, I think ProGet sounds like a good fit.

      There are quite a few tools that can generate an SBOM document in the CycloneDX format that ProGet uses; see https://github.com/CycloneDX for the most popular ones. We consider pgutil scan to be a "lightweight" version that works in most cases.

      But I think you'll just want to generate your own. It's a pretty simple XML format and easy enough to generate. ProGet can just act as the SBOM repository in this case.

      There shouldn't be a problem to extend the trial extension; you're able to request one on MyInedo on the day of expiry.

      Cheers,
      Alana

      posted in Support
      atripp
    • RE: Licensed packages showing on Unlicensed Local Packages listing

      Hi @davidroberts63,

      Without looking at the database it's really hard to guess; we'd be happy to investigate your database if you send us a back-up.

      But maybe we can figure it out as well.... behind the scenes, there is a table called PackageLicenses23 which associates a specific package version (e.g. Microsoft.Identity.Client 4.66.0) with a specific license Id (MIT). The "Unlicensed Local Packages" page uses that table to find packages (FeedPackageVersions) without an entry.

      Data is added into the PackageLicenses23 table whenever a package is analyzed. So I presume that, if you go to the package and Re-analyze it, then the message goes away? This reanalysis should also occur on a nightly basis with the compliance check job.

      If you poke around in the database, note there are PackageLicenses23_Extended and FeedPackageVersions_Extended views that won't require you to do a bunch of joins to find.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: ProGet: Auto package promotion from NuGet mirror?

      Hi @scampbell_8969,

      ProGet does not have this feature; we've thought about it after some customer discussions in years past, but I don't think anyone's asked about it until now. And it wasn't the right solution for those customers.

      We concluded it would be kind of complicated to document / configure / troubleshoot, especially once we got into the details and specifics. Here's some of those:

      • A new version could be unwanted, especially after the "Moq Meltdown" from last year
      • Patch versions are probably okay, but new major versions should still be vetted
      • Licenses can (and do) change between versions
      • New versions are also a vector for malicious update attacks
      • Some kind of filter would be needed to select packages for auto-promotion
      • Very few packages get frequent updates, so this doesn't seem like it's solving a big problem

      Instead we created a "latest version" compliance flag that allows you to flag packages that aren't the latest patch version. We'll see if that's popular.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: pgutil: PackageLockOnly for npm projects

      @caterina thanks, we'll discuss this internally and get back to you soon!

      posted in Support
      atripp
    • RE: ProGet: Confusion about behavior of Compliance

      Hi @caterina

      If you're getting that message, it means that the package cannot be checked for "package status" (i.e. listed, deprecated) because it's not local to your feeds. If you cache the package, then it should go away.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Proget download timeout when waiting for file to be scanned

      Hi @udi-moshe_0021 ,

      You're going to get a lot of headaches trying to use server-side virus/malware scanning with a tool like ProGet and we do not support using such tools in conjunction with ProGet.

      These types of tools are hyperaggressive and really dumb -- they often quarantine "dangerous" files like .dll, block "malicious" files like Javascript, or think that ProGet loading plugins is "malware behavior".

      In addition, the tools are totally unnecessary, as ProGet already has vulnerability detection built in.

      Cheers,
      Alana

      posted in Support
      atripp
    • RE: Error deleting Debian package from API

      Hi @Scati,

      pgutil will construct a purl using this method:
      https://github.com/Inedo/pgutil/blob/c5b5e3733390b9e5dfb07752e36a3f6efaaa0f9c/pgutil/Packages/QualifierOptions.cs#L26

      So I'm thinking there's something off about your url, but I can't spot it. Maybe try

      https://serverip/api/packages/unstable-lin/delete?purl=pkg:deb/scatimysqlcluster@7.3.0.0-0.202406122314.6df3a85167?arch=amd64&distro=jammy&component=scati

      That appears to be the order that pgutil uses...

      Cheers,
      Alana

      posted in Support
      atripp
    • RE: ProGet - License usage overview HTTP 500 for custom licenses

      Hi @jw ,

      We'll get this fixed via PG-2814 in the next maintenance release (Oct 18). Or if you prefer a prerelease let us know and we can build one for you.

      As a work-around, you can add Custom-Telerik-EULA as a SPDX code and the license will be found, allowing you to view the page.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Error deleting Debian package from API

      Hi @Scati ,

      The request looks OK to me on a first glance, but I wonder... did you try using pgutil to delete the package?

      pgutil packages delete --feed=myDebianFeed --package=myDebianPackage --version=2.3.4 --component=main --distro=stable --arch=amd64

      I'm not sure if you're using the latest version of ProGet, but I think there was a bug regarding this.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: pgutil: Read product name and version from file

      Hi @caterina ,

      I guess those never made it over... they were undocumented and we basically started fresh. Following in my other post, we want to really make sure all commands fit together nicely and are documented well.

      I'm almost certain you contributed them, but can you help to document what they are?

      I found the code here:
      https://github.com/Inedo/pgscan/blob/master/PgScanCommon/Program.cs#L231

      Does this only work with .NET?

      Also... I don't think we have the identify command anymore, right?

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: pgutil: PackageLockOnly for npm projects

      Hi @caterina

      It's very possible this was overlooked; we seem to have accepted a lot of pull requests without documenting them or knowing how they work 😅

      We want to make sure the tool is well documented... can you share what all this does, and how we can document it? It might be easy to add back in ... we just want to make sure all these switches are documented and still make sense.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: ProGet feeds using different app pools

      Hi @forbzie22_0253 ,

      Yes, we use Kestrel under the hood.

      You can configure HTTPS under Admin > HTTPS:
      https://docs.inedo.com/docs/installation/installing-on-iis/installation-windows-https-support

      No real "gotchas" -- but note that with port sharing (i.e. binding to a hostname as opposed to an IP), that needs to use the HTTP.SYS component of Windows.

      Cheers,
      Alana

      posted in Support
      atripp
    • RE: ProGet feeds using different app pools

      Hi @forbzie22_0253,

      Following Microsoft's guidance to no longer use IIS for modern .NET applications, we no longer recommend using IIS to host modern versions (2022+) of our products.

      Instead, you should use the Integrated Web Server, which is our (and Microsoft's) recommended web server. Although IIS is still supported, there are no benefits aside from a more familiar user interface.

      That said, even with IIS this is not a supported nor recommended configuration; if there was ever a need to segregate feeds (for example Docker Container Images used for production applications and NuGet packages used for developers), then it should be done at an instance/server level.

      Cheers,
      Alana

      posted in Support
      atripp
    • RE: Problem changing password (integrated authentication)

      Hi @marc-ledent_9164

      BuildMaster is not writing that HTML, so it must be some kind of reverse proxy or something that's replacing the HTML.

      If you view source, none of the hyperlinks in BuildMaster will have a domain name -- nearly everything should be a relative/rooted URL like /something.

      Cheers,
      Alana

      posted in Support
      atripp
    • RE: Problem changing password (integrated authentication)

      Hi @marc-ledent_9164 ,

      That's unusual; can you Inspect the element on that link and let us know what you see? I looked in my BuildMaster v7 instance, and here's what I see:
      [image]

      Can you access that URL directly? E.g. something like:
      https://your-buildmaster.corp.local/administration/security/built-in/change-password

      It should show you a page like this:
      [image]

      Cheers,
      Alana

      posted in Support
      atripp
    • RE: After migrating to Openshift, Windows like log messages are displayed with strange IPs

      Hi @marc-ledent_9164 ,

      That refers to our build server :)

      That part of the error message is the stack trace, and that shows us exactly where the error is occurring in the code, should we need to debug it.

      That said, if you're seeing those errors in your execution logs, then it's probably related to configuration of some kind..... we can help if we could see more context

      Cheers,
      Alana

      posted in Support
      atripp
    • RE: Unable to connect to Telerik public feed

      Just as an update, we discovered a bug with pulling packages for this feed, and we will fix it via PG-2812 in an upcoming release.

      posted in Support
      atripp
    • RE: Unable to connect to Telerik public feed

      Hello,

      Can you share your credentials with us? Easiest way for us to figure it out is to attach a debugger and see what's happening.

      NOTE - I see you also submitted a ticket (EDO-10807), so you can just reply to that. I'll reply here once we figure out a resolution :)

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Otter - PSEnsure script failed

      Hi @lucas_001

      I'm a bit rusty with these and I'm going off memory, but I know that AHVALUEDRIFTED is supposed to point to a boolean.

      Have you tried a script like this instead?

      $EnvironmentVariableDesiredValue = $EnvironmentVariableValue
      $EnvironmentVariableCurrentValue = [System.Environment]::GetEnvironmentVariable($EnvironmentVariableName, [System.EnvironmentVariableTarget]::Machine)
      $EnvironmentVariableDriftedValue = $EnvironmentVariableValue -ne $EnvironmentVariableCurrentValue
      
      Write-Host "Current value of environment variable '$EnvironmentVariableName' is '$EnvironmentVariableCurrentValue'."
      
      if ($ExecutionMode -eq "Collect") {
        if ($EnvironmentVariableValue -ne $EnvironmentVariableCurrentValue) {
          Write-Information "Environment variable '$EnvironmentVariableName' has drifted from the desired value."
        } 
        else {
          Write-Information "Environment variable '$EnvironmentVariableName' is set to the desired value."
        }
      } 
        
      elseif ($ExecutionMode -eq "Configure") {     
        if ($EnvironmentVariableDriftedValue) {
          [System.Environment]::SetEnvironmentVariable($EnvironmentVariableName, $EnvironmentVariableValue, [System.EnvironmentVariableTarget]::Machine)
          Write-Information "Environment variable '$EnvironmentVariableName' has been set to the desired value."
      
        } 
        else {
          Write-Information "Environment variable '$EnvironmentVariableName' is set to the desired value."
        }
      }   
      

      That might do the trick... note the only thing aside from logging that's happening is in the execute portion.

      Can you try that? Obviously the logging experience should be improved. No idea why there's a JSON parse error happening.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Support for Conan feeds/packages

      @tekla-buildmaster_8300 it's on our list for this year :)

      https://blog.inedo.com/inedo/roadmap2025/

      posted in Support
      atripp
    • RE: Need Urgent Help - Does Proget have password policy for user management?

      Hi @david-cheng_0852,

      This is where using LDAP or SAML comes in; we strongly recommend using that instead, so that users don't have to store/track yet another password.

      ProGet's built-in users are really only intended for simple use cases (like ProGet Free edition) or when you're first getting started with ProGet. After that, you should switch to LDAP or SAML.

      We can consider adding a password policy, but we'd like to first understand why it's not possible (or too difficult) to use LDAP/SAML.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Need Urgent Help - Does Proget have password policy for user management?

      Hi @david-cheng_0852 ,

      ProGet's Built-in User Directory does not have a password policy/restriction.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Custom signing keys for a linux feed and an API to swap them out?

      Hi @frei_zs ,

      I'm not really sure how signing keys work to be honest, but they seem to be really just used for the InRelease index?

      Anyway, it was trivial to add a button to Delete the existing signing key. When you click that button, it will then show a page that allows you to Create a signing key:

      [image]

      So we'll get that in via PG-2807 in the next maintenance release (shipping on Friday).

      As far as uploading a custom key, doing via API, etc., that's not trivial... but I'm thinking this will cover your bases. I can't imagine you are swapping these out often (or ever).

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: ProGet - Deprecation reason issues

      Hi @jw ,

      Unfortunately the "deprecated dialog" isn't shown if a package is not in compliance; the noncompliance message is instead displayed. This is something we're aware of and plan to review/fix with the UX redesign.

      Alana

      posted in Support
      atripp
    • RE: ProGet - Deprecation reason issues

      Hi @jw ,

      These are some "compromises" we've made over the versions that have led to a suboptimal UX. Basically, the issue is that we have a single box to work with, and the message is based on:

      • if a package has an "unknown license" dialog, it shows that option to add a license
      • else if a package has a Block or Warn compliance status, then you see the noncompliant reason
      • else if a package is Deprecated, then you see the message/warning about deprecation
      • etc.

      Displaying multiple boxes doesn't work very well, and the code is already complex enough, so we don't want to mess with it too much more. That said, we are planning to "rethink" the Package Overview Page UI as a whole with the help of a UX agency, hopefully in time for ProGet 2025.

      Regarding Visual Studio, something must have changed. The message should be there as we are emitting in the API, but perhaps doing so incorrectly. We'll fix this via PG-2806, hopefully in the next maintenance release.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Custom signing keys for a linux feed and an API to swap them out?

      Hi @frei_zs,

      This is not supported; is there a reason that you'd want to do that?

      My understanding is that signing keys are an outdated/vestigial concept that only makes sense if you're not using SSL/HTTPS.

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: Buildmaster - Get all build variables

      Hi @andy222

      I'm afraid we don't have that capability in OtterScript, and it would require a new variable function to do that. You might be able to add that in an extension, or we could add it as well.. but we have a few things we want to finish first on our BuildMaster 2024 roadmap.

      Since you're creating build variables using the API, I wonder if you could just create a variable called @BuildVariables that is just a list of the variables you're creating. Then you can use $BuildVariable(name) to get the value.

      Hope that helps,
      Alana

      posted in Support
      atripp
    • RE: proget vcpkg proxy

      @pariv_0352 oh interesting - for some reason I thought NuGet was used for C++ packages...

      I just did a quick look, and it doesn't look like vcpkg supports private registries; it only looks for package files on disk (share drive?) or in a Git repository:
      https://learn.microsoft.com/en-us/vcpkg/maintainers/registries

      So I guess the first step would be to ask the vcpkg team to create a package registry :)

      posted in Support
      atripp
    • RE: Projects, builds and SCA.

      Hi @daniel-lundqvist_1790 ,

      I'm not really sure what you're trying to accomplish, but I'll try to give some background surrounding your questions.

      First, some quick terminology:

      • Assets are basically just files in folders, like an S3 bucket or share drive. You could put whatever you'd like in an asset directory.
      • A Build is basically a "set of related SBOM files" and is basically a way to organize/track SBOMs and their compliance
      • An SBOM is basically a list of purls (package type/names/versions/etc) and purls almost always refer to third-party, OSS packages. However, ProGet can (and often will) cache these OSS packages in feeds.
      • Universal Packages are intended for your own, proprietary content. They are basically an alternative to storing things in folders or in a file like myApp-3.2.zip
      • Dependencies in Universal Packages always reference another Universal Package or range of packages; they are basically just another metadata field like package description, but with a standard format

      I can't say if Universal Packages or Builds/SBOMs are a good fit for your product. It really depends on what problems you're trying to solve. If you can talk more about that, we'll try to help better.

      That said, you could technically craft an SBOM that references Universal Package purls (pkg:/upack/myPackage@4.2.1), and then create/add that to a build, but it doesn't make a lot of sense to me. SBOMs (and SCA in general) are intended for OSS compliance, and that's how ProGet uses it.

      pgutil builds scan will generate and upload a basic SBOM file during the build process for .NET, npm, and Python applications. It's basically a lightweight alternative to CycloneDX, which also generates SBOM files.

      As for dependencies, neither pgutil nor CycloneDx will read "dependency metadata" from package manifest files; instead they inspect the packages that were installed/downloaded by the build tool. Package dependencies are somewhat orthogonal to SCA/SBOM.

      I'm not sure if any tool out there can generate an SBOM file given a list of rpm packages, but they're pretty easy to create with a script and upload to ProGet.

      Hope that helps,
      Alana

      posted in Support
      atripp
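Added example, not from the original posts or from pgutil: a script of the kind the post above (and the earlier "generate your own" reply in the same thread) describes, turning a list of installed rpm packages into a minimal CycloneDX XML SBOM. The project name, version, purl namespace and sample package list are constructed; the input is assumed to come from `rpm -qa --qf '%{NAME}\t%{EPOCH}\t%{VERSION}\t%{RELEASE}\t%{ARCH}\n'`.

```python
"""Build a minimal CycloneDX XML SBOM from a list of installed rpm packages."""
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import quote

CDX_NS = "http://cyclonedx.org/schema/bom/1.4"

# Constructed sample of tab-separated NAME, EPOCH, VERSION, RELEASE, ARCH.
# rpm prints "(none)" when a package has no epoch.
SAMPLE_RPM_QUERY = (
    "openssl-libs\t1\t3.0.7\t27.el9\tx86_64\n"
    "bash\t(none)\t5.1.8\t9.el9\tx86_64\n"
    "libstdc++\t(none)\t11.4.1\t3.el9\tx86_64\n"
)


def rpm_purl(namespace, name, epoch, version, release, arch):
    """Return a package URL of type rpm; qualifiers are sorted by key."""
    qualifiers = [("arch", arch)]
    if epoch and epoch != "(none)":
        qualifiers.append(("epoch", epoch))
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(qualifiers))
    return (f"pkg:rpm/{quote(namespace.lower(), safe='')}/{quote(name, safe='')}"
            f"@{quote(version + '-' + release, safe='')}?{query}")


def _el(parent, tag, text=None, **attrs):
    """Append a namespaced child element and return it."""
    node = ET.SubElement(parent, f"{{{CDX_NS}}}{tag}", attrs)
    if text is not None:
        node.text = text
    return node


def build_sbom(project, version, rpm_query_output, namespace):
    """Return the SBOM as an XML string.

    The metadata component carries the name and version that, per the
    Import SBOM description on this page, become the Project and Build.
    """
    ET.register_namespace("", CDX_NS)
    bom = ET.Element(f"{{{CDX_NS}}}bom",
                     {"version": "1", "serialNumber": f"urn:uuid:{uuid.uuid4()}"})
    app = _el(_el(bom, "metadata"), "component", type="application")
    _el(app, "name", project)
    _el(app, "version", version)
    components = _el(bom, "components")
    for line in rpm_query_output.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"expected 5 tab-separated fields: {line!r}")
        name, epoch, ver, release, arch = fields
        comp = _el(components, "component", type="library")
        _el(comp, "name", name)
        _el(comp, "version", f"{ver}-{release}")
        _el(comp, "purl", rpm_purl(namespace, name, epoch, ver, release, arch))
    return ET.tostring(bom, encoding="unicode")


def list_purls(sbom_xml):
    """Read the purls back out of a generated SBOM (used to verify output)."""
    root = ET.fromstring(sbom_xml)
    return [p.text for p in root.iter(f"{{{CDX_NS}}}purl")]


if __name__ == "__main__":
    # "example-appliance", "4.2.1" and "examplelinux" are placeholder values.
    print(build_sbom("example-appliance", "4.2.1", SAMPLE_RPM_QUERY, "examplelinux"))
```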
    • RE: proget vcpkg proxy

      Hi @pariv_0352

      I haven't heard of vcpkg before, and it's not listed on our Other Feed Types page - so that probably means you must be the first person to ask :)

      Can you share some more information about vcpkg? It looks new... how does it compare to Conan?

      Thanks,
      Alana

      posted in Support
      atripp
    • RE: How to configure certificate for git in Git Raft

      Hi @mars , I'm afraid rafts do not support this setting.

      I'm not sure if it's possible, given the library that we use. We are planning to add an option to bypass certificate validation in BuildMaster 2024, so it might be possible to add this option to raft repositories as well. I'll add a note and we'll investigate -- the plan is late October for both BuildMaster 2024 and Otter 2024

      Thanks,
      Alana

      posted in Support
      atripp