RE: pgscan: lockfileVersion 3 for npm dependencies not supported

Hi @atripp

I think packages has to be iterated instead. I haven't seen dependencies beneath packages.
Further, the "empty" Key has to be ignored as it stands for the root project:

Maybe a little bit parsing would be necessary.
In lockfileVersion 2 a dependency was listed like this:

In lockfileVersion 3 it looks like this:

If desired, we can also upload package-lock.json files for testing via MyInedo.

Hi @rhessinger,

sorry for the late response, this somehow slipped my mind.

Your suggestion looks good to me. The description is easy to understand and also the parameter name is very descriptive.

Thanks,
Caterina

Hi @atripp,

I was able to test the new version of ProGet and there still seems to be a weird behavior.

Again I am using my test-project 'BuildStageTest'. I deleted all existing builds to give it a "fresh start".
Creating a build via SBOM upload seems to be working fine. This way I created build 1.0.0:


As you can see, there are no other builds in my project.

If I try to create the same version via "Create Build" you display an error (which is great):

But if I try to manually create build 2.0.0 I get the same error even if the build is not existing:

I thought that there might be an issue because build 2.0.0 already existed in previous tests. But I deleted all builds as you can see from the ui and the database screenshots above.
So I also created a completely new project and tried to manually create builds. But for some versions i do get the error message (I was not able to manually create 1.0.0, 2.0.0, 4.0.0, but some other versions were working just fine):

Are you able to reproduce this behavior?

Thanks,
Caterina

Hi @atripp,

I think uploading a SBOM should not modify other metadata of a build (e.g. Build Stage, BuildStatus). I also can't see a usecase where it would be necessary to updoad a SBOM for an inactive build. Even if you do not prevent it, it should not change the BuildStatus I guess .

For the duplicates: those are indeed two different builds. I can also see it in the database:

The difference here is Release_Number. If a build gets created via SBOM the Release_Number is NULL. If I use "Create Build" the Release_Number is empty. Both Build_Number are the same. None of it containes a whitespace.

Best,
Caterina

Hi @atripp,

to be honest, I am still confused. Let me explain my approach in more detail:

So I created a test project which does not contain any builds yet:

I want to add build 1.0.0 to this project. To do so, I upload an SBOM file containing the information about version 1.0.0. I also promote this version to the stage "Release":

Now the worst case scenario happens. After months someone uploads a different sbom with version 1.0.0 to this project. I can confirm that the information from the "new" sbom gets added. But the build is also moved back to the stage "Build":

I would expect that the build remains in its stage. But maybe you have a valid reason to do it like this?

So now I used "Create Build" from the dropdown to manually create version 1.0.0 again, which leads to two versions 1.0.0:

If I now upload a SBOM for version 1.0.0 only the first version 1.0.0 gets modified. The second, manually created version 1.0.0 remains unchanged.

Further, I created a version 2.0.0 manually using "Create Build". Then I uploaded a SBOM for version 2.0.0, which again results in two builds with version 2.0.0:

As far as I understood your explanation, uploading a SBOM should have added the information to the already existing build 2.0.0 instead of creating a new build?

You also said that the constraint for duplicates is <Project_Id, Release_Number, Build_Number>.
So for versions 1.0.0 the Project_Id as well as the Build_Number are the same. The Release_Number is empty for both builds (or not set):

Maybe that's a problem leading to having a build twice? But this seems to be the default when using pgutil to create and upload a SBOM. I am not really sure how this Release_Number property should be used and how it is set using pgutil.

But if this behavior is on purpose maybe you can again explain to me why?

Thanks
Caterina

Hi @atripp,

thank you for the clarification. I can confirm this behavior.

Thank you very much,
Caterina

Edit:

If I first use "Create Build" to create build 3.0.0 and afterwards "Import SBOM" to create build 3.0.0 I have two builds with version 3.0.0 in my project.
The same happens if I do it vice versa.

Hi,

there are two possibilities to create a build in a project in ProGet 2024.
I can select between "Create Build" and "Import SBOM".

I was interested in what would happen if I create a build with the same version twice.
Both of those options create a new build but with a different behavior.

If I select "Create Build" to create e.g. build 1.0.0 and I do this a second time I get an error:

If I select "Import SBOM" to create build 2.0.0 and I do this a second time, the first build gets deleted and overwritten I think. Because if build 2.0.0 is in another stage and I try to import the SBOM to my default stage, the build is available in the default stage and no longer in the other stage.

Shouldn't these two options behave the same?

If we use pgutil to import a SBOM we would prefer that previous builds would not be overwritten. It should no happen that a build with the same version gets created twice, but sometimes mistakes happen. In this case the previous build should not be deleted without a warning.

Can you please have a look into this szenario? Maybe we can also discuss what would be the best behavior for pgutil in this case.

Thanks
Caterina

Hi,

while comparing ProGet 2023 with ProGet 2024 I noticed that a project has an issue in ProGet 2024 but not in 2023.

In ProGet 2024 the project shows a warning for the package "DevExpress.Win.Gauges 21.2.7" (this package comes from a proxy-feed). The warning is "because of package status (unlisted, deprecated) is unknown, no license detected".
But if I have a look at the package the license is being detected and it has no vulnerabilities or other issues.

In ProGet 2023 the same project referencing the same package does not have an issue.

I hope I could make the problem clear, unfortunately the server won't let me upload screenshots for some reason.

Thanks,
Caterina

Hi @atripp,

the default behavior of the NpmDependencyScanner is to read the input file as well as all package-lock.json files found in the node_modules directory.

Rich and I had a longer discussion about this behavior last year (https://forums.inedo.com/topic/3934/pgscan-different-results-for-npm-dependencies/13).
Result of this discussion was to add "--package-lock-only" to be able to ignore the package-lock.json files in node_modules.

The code for this is already part of pgutil ('packageLockOnly'-property in NpmDependencyScanner). The only thing missing here is the possibility to set this property from the outside.

Thanks,
Caterina

Hi @atripp,

this feature is necessary for us because we have products where we are not able to access the version otherwise. But we want to have the according information about this project, so we implemented the possibility to read the version from a .dll or .exe.
It just extends the current functionality and I think it would also be a great addition for pgutil.

It is not limited to .NET since we were using System.Diagnostics.FileVersionInfo.GetVersionInfo() to retrieve the information in pgscan.

I think instead of 'identify' it is now 'builds scan'. It is a property which is necessary for sbom generation. So I would suggest that 'builds scan' and 'builds sbom' in pgutil should support this option.

Thanks,
Caterina