Hello,
Can you share your credentials with us? Easiest way for us to figure iit out is to attach a debugger and see what's happening.
NOTE - I see you also submitted a ticket (EDO-10807), so you can just reply to that. I'll reply here once we figure out a resolution :)
THanks,
Alana
Hi @lucas_001
I'm a bit rusty with these and I'm going off memory, but I know that AHVALUEDRIFTED is supposed to point to a boolean.
Have you tried a script like this instead?
$EnvironmentVariableDesiredValue = $EnvironmentVariableValue
$EnvironmentVariableCurrentValue = [System.Environment]::GetEnvironmentVariable($EnvironmentVariableName, [System.EnvironmentVariableTarget]::Machine)
$EnvironmentVariableDriftedValue = $EnvironmentVariableValue -ne $EnvironmentVariableCurrentValue
Write-Host "Current value of environment variable '$EnvironmentVariableName' is '$EnvironmentVariableCurrentValue'."
if ($ExecutionMode -eq "Collect") {
if ($EnvironmentVariableValue -ne $EnvironmentVariableCurrentValue) {
Write-Information "Environment variable '$EnvironmentVariableName' has drifted from the desired value."
}
else {
Write-Information "Environment variable '$EnvironmentVariableName' is set to the desired value."
}
}
elseif ($ExecutionMode -eq "Configure") {
if ($EnvironmentVariableDriftedValue) {
[System.Environment]::SetEnvironmentVariable($EnvironmentVariableName, $EnvironmentVariableValue, [System.EnvironmentVariableTarget]::Machine)
Write-Information "Environment variable '$EnvironmentVariableName' has been set to the desired value."
}
else {
Write-Information "Environment variable '$EnvironmentVariableName' is set to the desired value."
}
}
That might do the trick... note the only thing aside from logging that's happening is in the execute portion.
Can you try that? Obviously the logging experience should be improved. No idea why there's a JSON parse error happening.
Thanks,
Alana
@tekla-buildmaster_8300 it's on our list for this year :)
This is where using LDAP or SAML comes in; we strongly recommend using that instead, so that users don't have to store/track yet another password.
ProGet's built-in users are really only intended for simple use cases (like ProGet Free edition) or when you're first getting started with ProGet. After that, you should switch to LDAP or SAML.
We can consider adding a password policy, but we'd like to first understand why it's not possible (or too difficult) to use LDAP/SAML.
Thanks,
Alana
Hi @david-cheng_0852 ,
ProGet's Built-in User Directory does not have a password policy/restriction.
Thanks,
Alana
Hi @frei_zs ,
I'm not really sure how signing keys work to be honest, but they seem to be really just used for the InRelease index?
Anyway, it was trivial to add a button to Delete the existing signing key. When you click that button, it will then show a page that allows you to Create a signing key:
So we'll get that in via PG-2807 in the next maintenance release (shipping on Friday).
As far as uploading a custom key, doing via API, etc., that's not trivial... but I'm thinking this will cover your bases. I can't imagine you are swapping these out often (or ever).
Thanks,
Alana
Hi @jw ,
Unfortunately the "deprecated dialog" isn't shown if a package is not in compliance; the noncompliance message is instead displayed. This is something we're aware of and plan to review/fix with the UX redesign.
Alana
Hi @jw ,
These are some "compromises" we've made over the versions that have led a suboptimal UX. Basically, the issue is that we have a single box to work with, and the message is based on:
Displaying multiple boxes doesn't work very well, and the code is already complex enough, so we don't want to mess with it too much more. That said, we are planning to "rethink" the Package Overview Page UI as a whole with the help of a UX agency, hopefully in time for ProGet 2025.
Regarding Visual Studio, something must have changed. The message should be there as we are emitting in the API, but perhaps doing so incorrectly. We'll fix this via PG-2806, hopefully in the next maintenance release.
Thanks,
Alana
Hi @frei_zs,
This is not supported; is there a reason that you'd want to do that?
My understanding is that signing keys are an outdated/vestigial concept that only makes sense if you're not using SSL/HTTPS.
Thanks,
Alana
Hi @andy222
I'm afraid we don't have that capability in OtterScript, and it would require a new variable function to do that. You might be able to add that in an extension, or we could add it as well.. but we have a few things we want to finish first on our BuildMaster 2024 roadmap.
Since you're creating build variables using the API, I wonder if you could just create a variable called @BuildVariables that is just a list of the variables you're creating. Then you can use $BuildVariable(name) to get the value.
Hope that helps,
Alana
@pariv_0352 oh interesting - for some reason I thought NuGet was used for C++ packages...
I just did a quick look, and it doesn't look like vcpkg supports private registries; it only looks for package files on disk (share drive?) or in a Git repository:
https://learn.microsoft.com/en-us/vcpkg/maintainers/registries
So I guess the first step would be to ask the vcpkg team to create a package registry :)
Hi @daniel-lundqvist_1790 ,
I'm not really sure what you're trying to accomplish, but I'll try to give some background surrounding your questions.
First, some quick terminology:
myApp-3.2.zipI can't say if Universal Packages or Builds/SBOMs are a good fit for your product. It really depends on what what problems you're trying to solve. If you can talk more about that, we'll try to help better.
That said, you could technically craft an SBOM that references Universal Package purls (pkg:/upack/myPackage@4.2.1), and then create/add that to a build, but it doesn't make a lot of sense to me. SBOMs (and SCA in general) is intended for OSS compliance, and that's how ProGet uses it.
pgutil builds scan will generate and upload a basic SBOM file during the build process for .NET, npm, and Python applications. It's basically a lightweight alternative to CycloneDX, which also generates SBOM files.
As for dependencies, neither pgutil nor CycloneDx will read "dependency metadata" from package manifest files; instead they inspect the packages that were installed/downloaded by the build tool. Package dependencies are somewhat orthogonal to SCA/SBOM.
I'm not sure if any tool out there can generate an SBOM file given a list of rpm packages, but they're pretty easy to create with a script and upload to ProGet.
Hope that helps,
Alana
Hi @pariv_0352
I haven't heard of vcpkg before, and it's not listed on our Other Feed Types page - so that probably means you must be the first person to ask :)
Can you share some more information about vcpkg? It looks new... how does it compare to Conan?
Thanks,
Alana
Hi @mars , I'm afraid rafts do not support this setting.
I'm not sure if it's possible, given the library that we use. We are planning to add an option to bypass certificate validation in BuildMaster 2024, so it might be possible to add this option to raft repositories as well. I'll add a note and we'll investigate -- the plan is late October for both BuildMaster 2024 and OTter 2024
Thanks,
Alana
Hi @caterina ,
Thanks for checking; I was able to reproduce this; it seems to be a regression.... we'll get it fixed via PG-2795 in next week's maintenance release. Thanks for letting us know.
Thanks,
Alana
Hi @caterina,
I'm not seeing any changes in 2024.14 that would cause this behavior, so I'm not sure what it could be offhand.
The first thing I would check is the connector filtering; can you try that out? It's under Admin > Manage Feed. There might be something in ther.e
You may also see some recent connector errors under Admin > diagnostic Center.
Thanks,
Alana
Hi @jw ,
This doesn't seem like a a trivial change, due to the way those pages work, so I'll add it to the "wishlist" - we've got a lot of other ProGet 2025 roadmap stuff prioritized ahead for the time being :)
Cheers,
Alana
Hi @dan-brown_0128 ,
It doesn't look like there's been much interest in this so far (we haven't heard any othe rrequests for it), but I wanted to mention that Terraform repositories are planned and something we hope to accomplish in the coming months.
Cheers,
Alana
Hi @dan-brown_0128,
Thanks we'll definitely keep this in mind when we explore updating/expanding the feature!
In the meantime, I think there might be a better workflow for you to consider. We wouldn't recommend using "download blocking" for an application packages like this.
The reason is... the status could change, and when you go to deploy the application, it will probably fail in an inconvenient place and the person doing the deployment won't quite get why there's a random error/crash.
Instead, how about using pgutil builds audit as a means to achieve a similar goal? You would run it as a deployment precheck, and the tool would output errors if the compliance status of packages were not acceptable. This will be much more intuitive of a failure, and you could run it early in the process.
I'm not quite sure if pgutil builds audit is suitable today, but I know that's on our shortlist to get working, and create HOWTO guides for using it.
Cheers,
Alana
Hi @jw ,
This can be accomplished with a script using the Set Package Status API; there are a couple scripts that should get you going on there.
Cheers,
Alana
@sebastian said in Problem with PGV-22381O7 (tree-kill1.2.2 incorrectly flagged vulnerable):
There should be a special treatment for withdrawn vulnerabilities within ProGet. Maybe not deleting them (because I'm pretty sure there will be cases where I will be looking at a package and think "I swear this one had a vulnerability, but now I can't find it?" ), but maybe auto-assess a special status to it.
That's what we were worried about as well, having them dissapear. Perhaps we just delete ones without assessments, and if you set a withdrawn vulnerability unassessed, it gets deleted 
Hi @dan-brown_0128 ,
Thanks for sharing!
#1 and #2 will be pretty easy UI changes - and I'm almost certain there's already a URL for Builds, but it's just not linked.
#3 is complicated, since we do not model package consumers (which would allow you to say "show me all packages that use X") nor do we have the concept of "application packages" (e.g. MyCorp.Package is also a project), so we'd have to really think about how to create a use case for this.
As an FYI, our team we're currently pretty heads-down on feeds (new Maven feed, then Rust/Cargo, Terraform, PHP/Composer, C++/Conan), PostgreSQL migration, and a few other things, but our rough plan is to resume working on SCA stuff in Q1.
If these are a particular blocker for rolling out the feature, we can consider to shift focus.
Hi @sebastian,
Thanks for sharing this...
I don't really know the answer, but I searched for "tree-kill" on Inedo Security Labs, and found three results:
We can see that PGV-22381O7 does say it "affects tree-kill (npm), versions (all)", so that's where the data is coming from in ProGet. My guess is that it's a data update/aggregation problem, maybe related to the Withdrawn status?
There is apparently some use case for all as a version, and I guess it's exactly what you specified? A lot of Redhat/Linux system packages have all versions and get updated later.
Anyway, ISL is managed by a different team, so I'll submit an internal request to review. It doesn't seem so urgent, just inconvenient/incorrect and easy to workaround in ProGet. But let me know if I misread that.
As for "Withdrawn" vulnerabilities... we're open to ideas for what to change in ProGet 2025. There used to just be a handful, but there are a lot more now. Our original was to just delete them from ProGet, but instead we just showed the icon. Maybe we should delete them.
Thanks,
Alana
Hi @caterina ,
Can you try to download the latest version of Inedo Hub at https://my.inedo.com/
That should allow you to install the older version. You can also install an offline installer for the ProGet 2023 version you'd like.
Thanks,
Alana
Hi @steviecoaster ,
I'm not really a PowerShell guru, but I think you'll want to do ...
$base64Salt= [System.Convert]::ToBase64String($saltBytes)
... and then pass that in.
Hope that does it!
Alana
Hi @chris-cantrell_1211 ,
We do not support nor recommend this type of configuration for a couple reasons.
First, it doesn't change the attack surface, since the APIs are already the "weakest link". The Web Site use cryptographically-secured authentication tickets with anti-CRSF protection. The API just requires an API key to access.
Second, it's confusing to end-users who are trying to troubleshoot why some urls aren't accessible. The API may provide them with a link (for example to a vulnerability in a package), and then it will give some kind of error because the page is blocked. This causes everyone a headache.
Obviously you can use a lot of tools to block/allow access to URLs, just not using ProGet.
Cheers,
Alana
Hi @tamir-dahan_7908 ,
Either you're making a typo somewhere, or there is something odd about your Docker/server configuration that is preventing a local network connection. I'm afraid I'm not a Docker expert, so I don't know what else to look for -- it could be specialized security configuration you have or a monitoring tool that's blocking things.
If you have a Docker expert on your team, I would check with them to get some help. Ultimately, ProGet is just an ordinary .NET application making a connection on an ordinary SQL Server that's on the same local network (i.e. inedo-sql)... it's a super-common use case and just works out of the box.
The most common issue is a typo (i.e. inedo-sql in one command and inedosql in another), but since this is such a common use case, if you search "Docker" and "A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible", you'll find a ton of results with lots of different things to try as well.
If you're new to Docker, i would suggest installing with Inedo Hub - it's a lot easier to use.
Cheers,
Alana
The error message coming from ProGet is this:
Unhandled exception: Microsoft.Data.SqlClient.SqlException (0x80131904): A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 40 - Could not open a connection to SQL Server)
So basically it's a network error, and the ProGet container can't talk to the SQL Server container. I'm not an expert on troubleshooting Docker, but my "guess' would be that the network is different between containers.
This is specified by the net command, and I know I've mistyped that a few times. Here's the script I use to get up and running on Docker:
docker run --name inedo-sql \
-e 'ACCEPT_EULA=Y' -e 'MSSQL_SA_PASSWORD=«YourStrong!Passw0rd»' \
-e 'MSSQL_PID=Express' --net=inedo --restart=unless-stopped \
-d mcr.microsoft.com/mssql/server:2019-latest
docker exec -it inedo-sql /opt/mssql-tools/bin/sqlcmd \
-S localhost -U SA -P '«YourStrong!Passw0rd»' \
-Q 'CREATE DATABASE [ProGet] COLLATE SQL_Latin1_General_CP1_CI_AS'
docker run -d --name=proget --restart=unless-stopped \
-v proget-packages:/var/proget/packages -p 80:80 --net=inedo \
-e PROGET_SQL_CONNECTION_STRING='Data Source=inedo-sql; Initial Catalog=ProGet; User ID=sa; Password=«YourStrong!Passw0rd»' \
proget.inedo.com/productimages/inedo/proget:latest
Hope that helps,
Alana
Hi @jw ,
This error should not be logged and you can ignore it; we'll get it fixed in an upcoming maintenance release of ProGet via PG-2740
Cheers,
Alana
Hi @stefan-seeland_4753 ,
I'm not totally sure what you mean by that... but to clarify, the API is technically called "NuGet API V2 (OData)" and it could be technically used by anything, but probably is just used by the NuGet client or a script/tool that someone wrote that uses it to query the feed.
There is no information available other than that, so you'd need to disable the feature on the feed (and therefore cause an error on the client) or use some kind of access monitoring tool to see where the query is coming from (IP address, etc).
Cheers,
Alana
Hi @jw ,
This will be fixed via PG-2739 in the next maintenance release (scheduled for Friday).
If you want to fix right away, you can download the .sql file that I attached to the linked issue above and run it against the database. Then the delete will work. Upgrading on top of the patch is fine, but if you downgrade then the patch code is overwrriten.
Cheers,
Alana
Hi @caterina ,
This issue looks very familiar, and I'm almost certain it's a bug we fixed/discovered while testing ProGet 2024 prior to release. Basically, the npm scope was not considered for vulnerability searches during build analysis.
This should not happen in ProGet 2024.
Thanks,
Alana
Hi @matt-wood_5559,
Our solution for Maven builds is to leverage CycloneDX to generate the SBOM, and then upload that SBOM to ProGet: https://docs.inedo.com/docs/proget-sca-java
We had considered reproducing the functionality, but the only way to get dependency information from a Maven project is to create a Maven plugin and "watch" the build as it happens --- and that's already what CycloneDX does very effectively.
If you can think of ways to make it easier to work with pgutil we're very open to that :)
Thanks,
Alana
Hi @matt-wood_5559,
I think I understand what you're asking - basically you'd like to create a feed when some users see one set of packages, but other users see a different set?
This is definitely not possible, and it's simply not something ProGet does from a design standpoint: i.e. "file-system type" granular permissions.
While it might seem convenient or nice to give users "just a single URL" to access, it ends up makes things much more complicated to configure/use/maintain. Basically some users will get random "package not found" errors while others will build fine. It'd be very confusing and big headache.
Instead, it's best to educate on different feeds/repositories, and help them use and request access as needed.
Hope that helps,
Alana
Hi @matt-wood_5559,
I might need a little more information / screenshots with what you're looking at here....
There could be a bug/oversight, etc. Perhps you could walk through steps / show screenshots of what you're seeing? If it's on maven central, we can then repro and take a look
Thanks,
Alana
Hi @matt-wood_5559,
A Maven package's license is determined by the license field in the POM:
https://maven.apache.org/pom.html#Licenses
There are unfortunately no real standards here, and the author can put in anything from a SPDX Code (which is recommended, by the way) to a string like "Apache license" (which probably means apache 2.0, but who knows?).
We would rather not guess what the author might have intended, so ProGet only detects licenses with SPDX codes and then lets you decide how assign which codes to other license types as you come across packages that don't follow SPDX.
However, once you start associating those strings with licenses, it will work for future packages.
Thanks,
Alana
Hi @matt-wood_5559 ,
You should be able to upload any file type. There is a drop down on the upload page, but that's for the popular types and is kind of an example. Typically the fies are uploaded via Maven/CLI anyway, and not the UI.
Thanks,
Alana
@forbzie22_0253 setting the proxy programmatically is not something we currently support or document at this time, but if you're dedicated you could use native API to the newly-developer settings API:
https://github.com/Inedo/pgutil/blob/thousand/pgutil/Settings/ListCommand.cs
It's configured via values in the Configuration table.
@francesco-campanella_3733 thanks for continuing to research this - we just haven't had a chance to look further. Did you try editing the feed settings (especially the Feed Features, which would save a new Feed Config), and then re-saving again? We will fix the bug, I would just like to be able to reproduce it so we know for sure what's causing it :)
@apxltd heard this from a user on the support forums today...
We also came across this issue: https://github.com/dotnet/SqlClient/issues/2378 which suggests it might have started with the recent 5.2.x versions of Microsoft.Data.SqlClient (I did confirm that this is the version Proget is using).
Maybe we can downgrade to 5.1 and see if it helps at all
Hi @jw ,
It's unlikely we will want to add/change this; what you're describing isn't a supported use case, and adding a "second URL" type field that would be empty on nearly every license would be confusing.
Our general recommendation for dealing with non-OSS licenses has been to create a code like DEVEXPRESS or ASPOSE, and treat them as all the others.
If there's more user demand for the particular use case we'll definitely reconsider. For now the licenses are confusing enough :)
Thanks,
Alana
Hi @jw ,
This is not possible; ProGet only stores this portion of the URL and uses that URL fragment for license detection. This is important, because then users won't have to specify every variation of a license URL that packages will present.
Thanks,
Alana
When the license information is invalid, ProGet will give an error on most API URLS (I think a 400, but I'm not totally sure) and will redirect to license info on Web page URLS.
ProGet will attempt to auto-activate the license key if there is an activation problem; so that may delay the first request.
The bes tway to check for license validity is to visit or use the API, and if it fails with "invalid license" then you know it's invalid.
The /health Page should also display this I believe.
Thanks,
Alana
@forbzie22_0253 when you select "Use Windows Proxy Setting", then ProGet will use the proxy that's configured for the operating system. You can select/set this on the Proxy Settings page.
@francesco-campanella_3733 sorry not seeing the issue yet....one more column 
Can you run this?
SELETE Feed_Id, FeedType_Name, FeedConfiguration_Xml FROM Feeds
Screenshot is okay, we can figure the XML from the post above if needed.
You can use Feed_Name instead of Feed_Id, it's up to you -- i want some kind of reference in case I want to ask you to try something in UI
Hi @francesco-campanella_3733 ,
Based on the error message, I'm thinking that one of the feeds has some kind of legacy/odd configuration, and that's causing an error in the API (which is why the library and pgutil aren't working either).
Without looking at your database, I think the easiest way to fix it is to go the Manage Feed page, and then edit/save Feed Features or NuGet settings.
If we saw the results of SELECT * FROM [Feeds], but in particular the FeedConfiguration_Xml column, we could be for sure
Thanks,
Alana
Hi @fabio-xodo_3872 ,
This is not captured in an output variable, but you can control which exit code means success or failure:
Exec MyProcess.exe
(
SuccessExitCode: "> 0"
);
Another alternative is to write a PowerShell script that captures the output as a variable, if you need to do logic based on multiple codes.
We could always add support for capturing it as an output variable as well.
hope that helps,
Alana
Hi @sebastian,
I took a quick look, but its not a simple cherry-pick; this is a bug in the code that does policy analysis, and there were enough changes between ProGet 2023 and ProGet 2024 in that to make it a bit risky / time-consuming to bring over...
Thanks,
Alana
Just wanted to give a brief update to the issue from @mortenf_3736 that we discussed via the support ticket.
We were never able to get to the bottom of it, but it was entirely related to running on ACA.
| Container Setup | VM Setup |
|---|---|
| Azure Container Apps - Running 4 minimum replicas, max 8 replicas, each 3 cores and 6gb memory | Two D4 (4 cores, 16GB memory) VM with internal load balancer in front between them |
| Mapped storage from Azure Storage Account v2 Fileshare | Managed Premium Shared Disk, connected to Fail-over Cluster and shared between both VM |
| Azure SQL Database with 4 cores dedicated | Azure SQL Database Server less, scaling between 0.5 to 4 cores |
This doesn't seem to be related to Linux/Docker/Kubernetes, as we have several high-traffic users on Kubernetes clusters without issues like this. However, we have seen a handful of Azure-related problems over the years that manifested in ProGet:
So we believe the issue is the Azure platform itself, similar to the above hardware/software glitches we've uncovered over the past.
We're doing our best to research/identifying issues, and Inedo/ProGet Users aren't the only ones who are experiencing pain like this. Consider this report from a Azure "big data" user:
I have suffered from chronic socket exceptions in multiple Azure platforms - just as everyone else is describing. The main pattern I've noticed is that they happen within Microsoft's proprietary VNET components (private endpoints). They are particularly severe in multi-tenant environments where several customers can be hosted on the same hardware (or even in containers within the same VM.
The problems are related to bugs in Microsofts software-defined-networking components (SDN proxies like "private endpoints" or "managed private endpoints"). I will typically experience these SDN bugs in a large "wave" that impacts me for an hour and then goes away. The problems have been trending for the worse over the past year, and I've opened many tickets (Power BI, ADF, and Synapse Spark).
Other Azure users (who are much more technical than we are) have confirmed that there are indeed severe issues with their SDN infrastructure. Microsoft does appear to be aware of these endemic issues with their platform, and for the time being we simply cannot recommend using Azure's container services for anything that will have any kind of load.
Hope that gives some insight in case anyone stumbles across this thread.
Alana
The error is incorrect; should say Required property missing: packagePermissions.
Since we don't document that one very well yet, I'd make sure it works with pgutil., and consider capturing traffic. Then, if you have an example we can post on the docs page, happy to add that to the docs.
Here is the client code as an FYI:
https://github.com/Inedo/pgutil/blob/thousand/pgutil/ApiKeys/Create/FeedCommand.cs
Thanks,
Alana