RE: pgutil: Can not find ConsoleMan

Hi @stevedennis,

thank you.
It looks like you guys created a seperate repo for ConsoleMan:
https://github.com/Inedo/ConsoleMan

I guess this one creates the NuGetPackage?

Thanks,
Caterina

Hi all,

I got the latest source code of pgutil and wanted to compile it.
Unfortunately, I get the error that the package 'ConsoleMan' can not be found.
I know that there was the project 'ConsoleMan' in previous versions but it seems like it has been removed.

Is there something special I have to do to build the solution? Maybe I am missing something.

Thanks
Caterina

Hi @atripp,

so as far as I understood it, one should not tag packages with the latest Tag themself, npm handels that tag.
If no specific tag is given, "npm publish" gives the latest tag to the last uploaded version. And if a new version is uploaded without a specific tag, this version gets the latest tag and it is being removed from the former package.

But we would also lose the tags if we manually tag them. Maybe we want to separate between testversions and productionversions with tags. Just a thought. We also lose this tag during promotion.

So maybe you can not only promote the latest tag but all tags? To lose information about a package is always bad I guess.

Tanks,
Caterina

Hi all,

we noticed that some of our npm packages are missing its tags.
Having a closer look at that issue we noticed that the tags are lost during promotion.
Usually, we upload our packages with the tag "latest" to a testfeed. After testing we promote the package to our live feed. In the testfeed we can see the tag, in the live feed the tag is missing.

Testfeed:

LiveFeed:

We usually promote packages using the api but it also happens when we manually promote packages.

We also noticed that manually adding a npm package is not saving the tag. In the upload window you already suggest the tag "latest" so we just leave it:

But the tags are empty after the upload:

We noticed this behavior because we are using "npm outdated" to check if there are newer versions of installed npm packages. This command scans registries for the package with the tag "latest" but we never got any suggestions for our packages.

Can you verify this behavior?

Thanks,
Caterina

Hi @rhessinger,

thank you for pointing out the feed features. License detection was not enabled in the feed I used for testing. After activating the feature the package is being reanalyzed correctly and the global policy is being used.

Thanks
Caterina

Hi Steve,

thanks for clarifying things.
I was just wondering: If I create a feed policy the UI looks like that:

I set "PolyForm-Noncommercial-1.0.0" as compliant for the feed but it is noncompliant in the global policy. The noncomliant part of my global policy is crossed out completely. Does that mean it is ignored? Or is that a UI issue because only "PolyForm-Noncommercial-1.0.0" should be crossed out?

I also tried to use the Reanalyze Task with the following result (The package has the license "PolyForm-Noncommercial-1.0.0"):
In the feed "NuGet" (the original feed of the package) I see this log:

If I reupload/promote this package to another feed and reanalyze it I see this log:

It looks like the global policy is not being considered? A policy is being found but it does not seem to be applied?

Maybe you can tell me more about that behavior.

Thanks
Caterina

Hi all,

we tried to work on global and feed policies and we do have some questions regarding this topic. We are currently working on Version 2024.38.

If a feed policy is active, will the global policy also be evaluated when analyzing the packages in this feed? Or will the global policy completely be ignored?

Let's work with an example for our next question:
I have a feed called "NuGet". This feed contains the package "EPPlus 6.0.6" which has the license "PolyForm-Noncommercial-1.0.0".
In my NuGet policy i set this license as "Compliant" and in my Global policy i set this license to "Noncompliant".
Is it correct to assume that the package will by Compliant in the feed "NuGet" but should be Noncompliant in any other feed?
Because if I upload the package to another feed (which has no specific feed poilcy) the package is listed as compliant:

If I remove the feed policy, this package is shown as Noncompliant in this specific feed. But if I reupload or promote it to another feed it is shown as Compliant. So maybe this has nothing to do with the policies, but not sure.

In general we are just curious about how the policies interact with each other.

Thanks
Caterina

Hi all,

we are still evaluating if we should move from ProGet 2023 to ProGet 2024 and we noticed some missing information:
We are currently using pgscan to upload the SBOMs for our projects. We also provide the project-type (usually "application" or "library"). We provide this information because we are actively working with it. The SBOM on ProGet 2023 looks like this:

The SBOM of the same project after migrating to ProGet 2024 looks like this:

We lost the information about the project type which is not acceptable for us.

I thought that it might be a problem of the migration, so I explicitly used pgscan to upload an SBOM directly to ProGet 2024. Same problem. the project-type is Null. Then I thought, ok maybe it is a problem with pgscan in combination with ProGet 2024 so I used pgutil to upload an SBOM. Same problem. We lose the information about the project type.

Also the timestamp behaves different. The timestamp on ProGet 2023 is the timestamp of the creation of the SBOM and is always the same. The timestamp on ProGet 2024 is the timestamp of the download of the SBOM and is different each time I download the same SBOM.

Can you confirm this behavior? Or am I doing something wrong maybe?
Unfortunately, losing this information will definitly block our migration.

Thanks,
Caterina

Hi,

I have a question regarding the SCA & Build Restrictions of ProGet 2024 in the Basic edition.
We are still using ProGet 2023 because of the limitation for 1000 active builds.
Is this limitation only for the Package Analyzer?
Or will there be an error once i have 1000 active builds and try to create one more?
Or am I able to upload sboms for more than 1000 builds and have the information about used components but am not able to scan for issues?

Where exactly would this limit hit us? Because we do have more than 1000 active builds and there are new ones each day.
Would an upgrade be possible? Or is the limitation for 1000 active builds a hard limit?

Thanks,
Caterina

Hi,

it looks like the notifier is still being triggered if there are 0 issues in 2024.31.
Can you confirm this? Hoped it had been fixed by now.

Thanks,
Caterina

Hi @dean-houston,

thank you for your response. Using your provided template the webhook is working.

The webhook is being triggered several times, but the issues property always has an empty array:

If I have a look at this specific build, the issues tab does not show any issues:

Can you tell me why exactly the "issues opened on build"-notifier is being triggered by this build?
We do have a lot of this cases.

Thanks,
Caterina

Hi @stevedennis,

as mentioned in my initial post, no customizations have been made:

The package event notifier are working this way.
I also tried to use the template from your documentation (https://docs.inedo.com/docs/proget/administration/proget-notifications-webhooks), but we got the same error:

Hope this helps.

Thanks,
Caterina

Hi,

we are trying to introduce a new notifier in ProGet Version 2024.25 (Build 11).
We are already using a custom webhook which notifies us if a package has been added.
Now we wanted to create a webhook that notifies us if a issue has opened on one of our builds.

No special settings have been made, just basic selections. Using the default settings would be fine for first tests.
The documentation for this type of notifier says that it is being triggered after the ComplianceAnalyzer scheduled job has been run. So I did that, but afterwards I got an error on my notifier:

Accessing the same webhook with a package notifier works just fine, so it seems to be an issue with this specific sca event notifier.

Is it necessary to make specific settings for this type of notifier? Or can you confirm that there is an error?

Thanks,
Caterina

Hi @rhessinger,

sorry for the late response, this somehow slipped my mind.

Your suggestion looks good to me. The description is easy to understand and also the parameter name is very descriptive.

Thanks,
Caterina

Hi @atripp,

I was able to test the new version of ProGet and there still seems to be a weird behavior.

Again I am using my test-project 'BuildStageTest'. I deleted all existing builds to give it a "fresh start".
Creating a build via SBOM upload seems to be working fine. This way I created build 1.0.0:


As you can see, there are no other builds in my project.

If I try to create the same version via "Create Build" you display an error (which is great):

But if I try to manually create build 2.0.0 I get the same error even if the build is not existing:

I thought that there might be an issue because build 2.0.0 already existed in previous tests. But I deleted all builds as you can see from the ui and the database screenshots above.
So I also created a completely new project and tried to manually create builds. But for some versions i do get the error message (I was not able to manually create 1.0.0, 2.0.0, 4.0.0, but some other versions were working just fine):

Are you able to reproduce this behavior?

Thanks,
Caterina

Hi @atripp,

I think uploading a SBOM should not modify other metadata of a build (e.g. Build Stage, BuildStatus). I also can't see a usecase where it would be necessary to updoad a SBOM for an inactive build. Even if you do not prevent it, it should not change the BuildStatus I guess .

For the duplicates: those are indeed two different builds. I can also see it in the database:

The difference here is Release_Number. If a build gets created via SBOM the Release_Number is NULL. If I use "Create Build" the Release_Number is empty. Both Build_Number are the same. None of it containes a whitespace.

Best,
Caterina

Hi @atripp,

to be honest, I am still confused. Let me explain my approach in more detail:

So I created a test project which does not contain any builds yet:

I want to add build 1.0.0 to this project. To do so, I upload an SBOM file containing the information about version 1.0.0. I also promote this version to the stage "Release":

Now the worst case scenario happens. After months someone uploads a different sbom with version 1.0.0 to this project. I can confirm that the information from the "new" sbom gets added. But the build is also moved back to the stage "Build":

I would expect that the build remains in its stage. But maybe you have a valid reason to do it like this?

So now I used "Create Build" from the dropdown to manually create version 1.0.0 again, which leads to two versions 1.0.0:

If I now upload a SBOM for version 1.0.0 only the first version 1.0.0 gets modified. The second, manually created version 1.0.0 remains unchanged.

Further, I created a version 2.0.0 manually using "Create Build". Then I uploaded a SBOM for version 2.0.0, which again results in two builds with version 2.0.0:

As far as I understood your explanation, uploading a SBOM should have added the information to the already existing build 2.0.0 instead of creating a new build?

You also said that the constraint for duplicates is <Project_Id, Release_Number, Build_Number>.
So for versions 1.0.0 the Project_Id as well as the Build_Number are the same. The Release_Number is empty for both builds (or not set):

Maybe that's a problem leading to having a build twice? But this seems to be the default when using pgutil to create and upload a SBOM. I am not really sure how this Release_Number property should be used and how it is set using pgutil.

But if this behavior is on purpose maybe you can again explain to me why?

Thanks
Caterina

Hi @atripp,

thank you for the clarification. I can confirm this behavior.

Thank you very much,
Caterina

Edit:

If I first use "Create Build" to create build 3.0.0 and afterwards "Import SBOM" to create build 3.0.0 I have two builds with version 3.0.0 in my project.
The same happens if I do it vice versa.

Hi,

there are two possibilities to create a build in a project in ProGet 2024.
I can select between "Create Build" and "Import SBOM".

I was interested in what would happen if I create a build with the same version twice.
Both of those options create a new build but with a different behavior.

If I select "Create Build" to create e.g. build 1.0.0 and I do this a second time I get an error:

If I select "Import SBOM" to create build 2.0.0 and I do this a second time, the first build gets deleted and overwritten I think. Because if build 2.0.0 is in another stage and I try to import the SBOM to my default stage, the build is available in the default stage and no longer in the other stage.

Shouldn't these two options behave the same?

If we use pgutil to import a SBOM we would prefer that previous builds would not be overwritten. It should no happen that a build with the same version gets created twice, but sometimes mistakes happen. In this case the previous build should not be deleted without a warning.

Can you please have a look into this szenario? Maybe we can also discuss what would be the best behavior for pgutil in this case.

Thanks
Caterina

Hi,

while comparing ProGet 2023 with ProGet 2024 I noticed that a project has an issue in ProGet 2024 but not in 2023.

In ProGet 2024 the project shows a warning for the package "DevExpress.Win.Gauges 21.2.7" (this package comes from a proxy-feed). The warning is "because of package status (unlisted, deprecated) is unknown, no license detected".
But if I have a look at the package the license is being detected and it has no vulnerabilities or other issues.

In ProGet 2023 the same project referencing the same package does not have an issue.

I hope I could make the problem clear, unfortunately the server won't let me upload screenshots for some reason.

Thanks,
Caterina

Hi @atripp,

the default behavior of the NpmDependencyScanner is to read the input file as well as all package-lock.json files found in the node_modules directory.

Rich and I had a longer discussion about this behavior last year (https://forums.inedo.com/topic/3934/pgscan-different-results-for-npm-dependencies/13).
Result of this discussion was to add "--package-lock-only" to be able to ignore the package-lock.json files in node_modules.

The code for this is already part of pgutil ('packageLockOnly'-property in NpmDependencyScanner). The only thing missing here is the possibility to set this property from the outside.

Thanks,
Caterina

Hi @atripp,

this feature is necessary for us because we have products where we are not able to access the version otherwise. But we want to have the according information about this project, so we implemented the possibility to read the version from a .dll or .exe.
It just extends the current functionality and I think it would also be a great addition for pgutil.

It is not limited to .NET since we were using System.Diagnostics.FileVersionInfo.GetVersionInfo() to retrieve the information in pgscan.

I think instead of 'identify' it is now 'builds scan'. It is a property which is necessary for sbom generation. So I would suggest that 'builds scan' and 'builds sbom' in pgutil should support this option.

Thanks,
Caterina

Hi,

I see that the Dependency Scanner for npm projects is able to handle "packageLockOnly" (like it was the case in pgscan). But I can't seem to find an option to set this flag from the outside.

Maybe this option has been overlooked? Or I am missing it?
I appreciate the help.

Thanks,
Caterina

Hi,

in pgscan it was possible to read the product name and version from a given file using --fileInfo (for 'identify) or --consumer-package-file (for 'publish').

I think this is missing in pgutil? Or am I missing something here?
It looks like the SbomCommand and the ScanCommand can only handle the properties --project-name and --version. But I can't see an option for a file.

Hopefully you can help me with this issue.

Thanks,
Caterina

Hi @gdivis

thank you for your response. This is what I was looking for!

Thanks,
Caterina

Hi,

in pgscan we introduced the possibility to write an SBOM to a local output file instead of uploading it to the server using the flag '--output-file'.
Is this still possible in pgutil? I don't seem to find an option to do this.
It was always really helpful for testing purposes.

Thanks,
Caterina

Hi @rhessinger,

thank you very much! We will just wait for the next release and I will come back to you if we encounter further problems.

Thanks,
Caterina

Hi @Dan_Woolf,

thank you for the quick fix.
But the promotion call does not seem to promote the build. The build remains in its initial stage.
From pgutil I do get the feedback "Promoting BuildStageTest 1.1.0 to Test/Production/Integration". I tested it with all of our stages. But if I have a look at ProGet the build is still in the initial stage "Build".
Can you reproduce this behavior as well?

Thanks,
Caterina

Hi @stevedennis,

thank you for your response.
Maybe you can also help me with a follow-up-problem.

I created a project using

pgutil builds projects create --project=BuildStageTest

and i created a build using

pgutil builds scan --input=<path-to-sln> --project-name=BuildStageTest --version=1.1.0 --api-key=***

Those steps worked perfectly fine:

Afterwards I wanted to promote this build to another stage:

pgutil builds promote --build=1.1.0 --project=BuildStageTest --stage=Test --api-key=***

but I got an error:
Server responded with BadRequest (400): Missing required query argument: build

I really hope you can help me here as well.

Thanks,
Caterina

Hi,

I have questions regarding the usage of pgutil.

Our previous approach using pgscan was to upload an sbom which contained all necessary information. The project was automatically created.
As far as I understand, uploading an sbom with pgutil (pgutil.exe builds scan) also creates the project without explicitly creating one (pgutil.exe builds create).
Using the promote command (pgutil.exe builds promote) a build can be promoted to a different stage.
Is it possible to combine this functionality? We would love to upload an sbom directly to a specific stage. If it is not possible - have you thought about adding this functionality? Or will we have to call both commands consecutively?

Further, I have tried to create a build using pgutil but I keep getting an error.
My pgutil call looks like this:
pgutil.exe builds create --build=1.0.0 --project=BuildStageTest --api-key=*** --source=Test
And the error I get is:
Server responded with BadRequest (400): Invalid project name.
If I try to create this project directly in ProGet there are no errors. Can you reproduce this problem? Or is something wrong with my call? I am working with the latest sources from github.

Thank you
Caterina

Hi @atripp,

there are no connector errors listed in the diagnostic center and the connector itself also says there were no recent errors.

But we noticed another thing:
We have a package filter for this connector because we do not want to get DevExpress packages from this feed.

If we delete this filter, the connector packages are displayed in the feed.

As you can see it is our only filter. If we add the filter again, the connector packages are gone.
Further, we noticed this behavior already in version 2024.13. In 2024.12 everything was working fine.

Thanks,
Caterina

Hi,

we have a NuGet feed which is using a connector to NuGet ( https://api.nuget.org/v3/index.json).
Having a look at all versions of a package we are able to see local packages as well as connector packages:

We noticed that starting with version 2024.13 the packages with NuGet Connector as source were no longer showing up:

The connector itself still seems to be working. Using Visual Studio I installed a version with a local source. Afterwards I manually changed the version in my .csproj file to a version with NuGet Connector source which is not visible in my feed. Visual studio was able to successfully restore this nuget package from my feed, but the package never showed up with a local source. This creates the impression that the connector is still working but may not be displayed correctly.

Further, this is only an issue with our feed using the NuGet connector. We have several feeds using a connector (e.g. https://registry.npmjs.org) but they are showing local and connector packages.

Maybe someone can help me with this.

Tanks,
Caterina

Hi @atripp

thank you very much, downloading the latest version solved my issue.

Best,
Caterina

Hi all,

I wanted to downgrade my ProGet installation from 2024 to 2023. The documentation for ProGet 2024 says: "However, if you need to rollback to ProGet 2023, you can do so without restoring the database by simply using the Inedo Hub."
But I can not see such an option in the Inedo Hub. All i can see is an upgrade to the different versions of 2024. Maybe someone can help me with this.

Tanks,
Caterina

Hi @gdivis,

thank you very much for your response!
We are really looking forward to the finalized version :)

Thanks,
Caterina

Hi @atripp,

thank you very much for clarifying this.
We are not able to update to ProGet 2024 yet, so I will just resolve this issue manually for our projects.

Thanks,
Caterina

Hi,

we came accross an issue in some of our projects which does not really make sense to us:

If I have a look at "@types/http-proxy 1.17.14" it does not show any vulnerability:

If I have a look at the vulnerability itself, it says that this vulnerability affects package "http-proxy <1.18.1":

Could it be possible that the scope of the package is not considered in vulnerability scanning, and that "@types/http-proxy 1.17.14" leads to "http-proxy 1.17.14"?

Or is there any other reason for this vulnerability to show up in our projects?

I hope you can clarify this issue for me.

Best,
Caterina

Hi,

I was having a look at pgutil for the first time, and I appreciate that you brought the functionality to consider project references as package references into it (we introduced this feature in pgscan).
Maybe I am overlooking something, but I can not find an option to set the flag. I guess it should be settable for sbom and scan?
Please let me know if I am missing something here.

Thanks,
Caterina

Hi @gdivis,

thank you for your response.
I think it is a little bit confusing in general.

Just for clarification:
We are not using any symbol packages at all (neither .symbols.nupgk nor .snupkg). We are only embedding PDBs right into our .nupgk files. But it would be nice to strip the PDBs on package download. We can achieve this on ProGet by activating the symbol server for the legacy format.

I was just confused on why I have to use "legacy" for this approach since it is also standard to embedd the PDBs instead of using symbol packages.

I guess normally it won't be necessary to enable a symbol server if you are using embedded PDBs. But we want to see the symbol information for our packages and we want to be able to strip the PDBs on download.

It seems to be more of a hack to use the legacy symbol server for this but we achieve our goals doing so. No need to file a bug for this.

Thank you,
Caterina

Hi,

I have to ask again:
https://learn.microsoft.com/en-us/dotnet/standard/library-guidance/nuget#symbol-packages

This documentation states that it is possible to use .snupkg files or to embed the symbol files in the NuGet package (like we do it).
I can't find a documentation that says embedding symbol files is deprecated/legacy.

The documentation says: "The downside of embedding symbol files is that they increase the package size by about 30% for .NET libraries compiled using SDK-style projects. If package size is a concern, you should publish symbols in a symbol package instead."
But with the setting "Strip symbol files and source code from packages downloaded from this feed" ProGet provides for the legacy format we can avoid the problem of an increased package size.

Maybe you can evaluate further why only .snupgk files are supported as a standard?

Thanks,
Caterina

Hi @atripp,

our pull request contains a fix for the assignment of the scope to the group property of the dependency scanner.
But as already mentioned in my previous post this only fixes the appearance of the packages in the overview. The URL behind the package name is still broken.
Maybe this needs to be fixed on the ProGet-side?

Cheers,
Caterina

Hi @atripp,

thank you very much for the clarification :)

Cheers,
Caterina

Hi @atripp,

ah I see the settings were messed up. "Standard" was selected. Switching to "Mixed" made the download-button appear again.

The info window of the settings states:
"We recommend following the "Standard" approach of storing NuGet Packages and Symbol Packages (.snupkg format) in the same feed".
Would it be better to work with .snupkg files instead of embedded portable PDBs?

Cheers,
Caterina

Hi,

we are using portable PDB files in combination with Source Link for debugging purposes.
Last time I checked, I was able to download either the package itself, or the package with symbols. But I can not find the option "Download with Symbols" anymore.
Has it moved? Or is it no longer possible?

I am asking because we have a problem with debugging a specific package and I would like to download it (including its symbols) to check if the package is ok.

Cheers,
Caterina

Hi @atripp,

I investigated a little bit further:
The NpmDependencyScanner does not treat the scope of a package as a 'Group'.
I added a little code for testing:

Afterwards the packages-list of my release looks like this:

But the url behind a scoped package is still not working:

Cheers,
Caterina

Hi @atripp,

thank you for the quick fix. We would have suggested just the same solution.

I have tried the version and scoped packages are now visible but I ended up with the following:

Cheers,
Caterina

Hi @atripp,

thanks for having a look at it.
Yes, we are using pgscan to create and upload our SBOMs.

Cheers,
Caterina

Hi @atripp,

I just created an angular test project with default dependencies and created the sbom.
I sent the sbom file via email to support@inedo.com.

If I upload this file to our ProGet server (using our npm-proxy-feed) I can see all packages without a scope, and the project is listed under usages. Packages with a scope are missing.

Cheers,
Caterina

Hello,

I am using pgscan to create and upload sbom files for our releases.
I noticed that our sbom files contain scoped npm packages (e.g. @angular/common, @babel/core) which is correct because we are using them.
But if I have a look at the packages of a specific release using scoped npm packages, those are not listed (Reporting & SCA -> Releases -> Specific Release -> Packages).
Vice versa, my release is not listed under "Usage & Statistic" of a used scoped npm package.

Has this behavior already been noticed?

Cheers,
Caterina