Hi @atripp
I think packages has to be iterated instead. I haven't seen dependencies beneath packages.
Further, the "empty" Key has to be ignored as it stands for the root project:
Maybe a little bit parsing would be necessary.
In lockfileVersion 2 a dependency was listed like this:
In lockfileVersion 3 it looks like this:
If desired, we can also upload package-lock.json files for testing via MyInedo.
Hi @dean-houston,
thank you for your response. Using your provided template the webhook is working.
The webhook is being triggered several times, but the issues property always has an empty array:
If I have a look at this specific build, the issues tab does not show any issues:
Can you tell me why exactly the "issues opened on build"-notifier is being triggered by this build?
We do have a lot of this cases.
Thanks,
Caterina
Hi @stevedennis,
as mentioned in my initial post, no customizations have been made:
The package event notifier are working this way.
I also tried to use the template from your documentation (https://docs.inedo.com/docs/proget/administration/proget-notifications-webhooks), but we got the same error:
Hope this helps.
Thanks,
Caterina
Hi,
we are trying to introduce a new notifier in ProGet Version 2024.25 (Build 11).
We are already using a custom webhook which notifies us if a package has been added.
Now we wanted to create a webhook that notifies us if a issue has opened on one of our builds.
No special settings have been made, just basic selections. Using the default settings would be fine for first tests.
The documentation for this type of notifier says that it is being triggered after the ComplianceAnalyzer scheduled job has been run. So I did that, but afterwards I got an error on my notifier:
Accessing the same webhook with a package notifier works just fine, so it seems to be an issue with this specific sca event notifier.
Is it necessary to make specific settings for this type of notifier? Or can you confirm that there is an error?
Thanks,
Caterina
Hi @rhessinger,
sorry for the late response, this somehow slipped my mind.
Your suggestion looks good to me. The description is easy to understand and also the parameter name is very descriptive.
Thanks,
Caterina
Hi @atripp,
I was able to test the new version of ProGet and there still seems to be a weird behavior.
Again I am using my test-project 'BuildStageTest'. I deleted all existing builds to give it a "fresh start".
Creating a build via SBOM upload seems to be working fine. This way I created build 1.0.0:
As you can see, there are no other builds in my project.
If I try to create the same version via "Create Build" you display an error (which is great):
But if I try to manually create build 2.0.0 I get the same error even if the build is not existing:
I thought that there might be an issue because build 2.0.0 already existed in previous tests. But I deleted all builds as you can see from the ui and the database screenshots above.
So I also created a completely new project and tried to manually create builds. But for some versions i do get the error message (I was not able to manually create 1.0.0, 2.0.0, 4.0.0, but some other versions were working just fine):
Are you able to reproduce this behavior?
Thanks,
Caterina
Hi @atripp,
I think uploading a SBOM should not modify other metadata of a build (e.g. Build Stage, BuildStatus). I also can't see a usecase where it would be necessary to updoad a SBOM for an inactive build. Even if you do not prevent it, it should not change the BuildStatus I guess 
.
For the duplicates: those are indeed two different builds. I can also see it in the database:
The difference here is Release_Number. If a build gets created via SBOM the Release_Number is NULL. If I use "Create Build" the Release_Number is empty. Both Build_Number are the same. None of it containes a whitespace.
Best,
Caterina
Hi @atripp,
to be honest, I am still confused. Let me explain my approach in more detail:
So I created a test project which does not contain any builds yet:
I want to add build 1.0.0 to this project. To do so, I upload an SBOM file containing the information about version 1.0.0. I also promote this version to the stage "Release":
Now the worst case scenario happens. After months someone uploads a different sbom with version 1.0.0 to this project. I can confirm that the information from the "new" sbom gets added. But the build is also moved back to the stage "Build":
I would expect that the build remains in its stage. But maybe you have a valid reason to do it like this?
So now I used "Create Build" from the dropdown to manually create version 1.0.0 again, which leads to two versions 1.0.0:
If I now upload a SBOM for version 1.0.0 only the first version 1.0.0 gets modified. The second, manually created version 1.0.0 remains unchanged.
Further, I created a version 2.0.0 manually using "Create Build". Then I uploaded a SBOM for version 2.0.0, which again results in two builds with version 2.0.0:
As far as I understood your explanation, uploading a SBOM should have added the information to the already existing build 2.0.0 instead of creating a new build?
You also said that the constraint for duplicates is <Project_Id, Release_Number, Build_Number>.
So for versions 1.0.0 the Project_Id as well as the Build_Number are the same. The Release_Number is empty for both builds (or not set):
Maybe that's a problem leading to having a build twice? But this seems to be the default when using pgutil to create and upload a SBOM. I am not really sure how this Release_Number property should be used and how it is set using pgutil.
But if this behavior is on purpose maybe you can again explain to me why?
Thanks
Caterina
Hi @atripp,
thank you for the clarification. I can confirm this behavior.
Thank you very much,
Caterina
Edit:
If I first use "Create Build" to create build 3.0.0 and afterwards "Import SBOM" to create build 3.0.0 I have two builds with version 3.0.0 in my project.
The same happens if I do it vice versa.
Hi,
there are two possibilities to create a build in a project in ProGet 2024.
I can select between "Create Build" and "Import SBOM".
I was interested in what would happen if I create a build with the same version twice.
Both of those options create a new build but with a different behavior.
If I select "Create Build" to create e.g. build 1.0.0 and I do this a second time I get an error:
If I select "Import SBOM" to create build 2.0.0 and I do this a second time, the first build gets deleted and overwritten I think. Because if build 2.0.0 is in another stage and I try to import the SBOM to my default stage, the build is available in the default stage and no longer in the other stage.
Shouldn't these two options behave the same?
If we use pgutil to import a SBOM we would prefer that previous builds would not be overwritten. It should no happen that a build with the same version gets created twice, but sometimes mistakes happen. In this case the previous build should not be deleted without a warning.
Can you please have a look into this szenario? Maybe we can also discuss what would be the best behavior for pgutil in this case.
Thanks
Caterina