Topics created by dan.brown_0128

The reason for blocking application packages like this, that have vulnerable dependencies, comes down to security governance. While yes, it can be inconvenient if a package that has worked before is now blocked, that does prevent us from introducing known vulnerabilities into our environment. In the event of an emergency deployment (ex prod rollback, etc), we could apply a temporary exemption to allow the package to still deploy -- after doing a risk assessment. To use the log4j example again -- if we have an application that was built with a vulnerable version of log4j, nobody would want that package to get deployed again (while also remediating it anywhere that it was already deployed). From what I can tell the most effective way would be to block the download from ProGet - if we can leverage it's automatic blocking functions. Adding the audit into the deployment process is definitely one way to partly add this security layer but it'd require active implementation for all of our deployments, and opens more opportunity for teams to skip or work around it. Basically its better than nothing yes, but it's not the most effective security enforcement measure.

Hi @dan-brown_0128 , It doesn't look like there's been much interest in this so far (we haven't heard any othe rrequests for it), but I wanted to mention that Terraform repositories are planned and something we hope to accomplish in the coming months. Cheers, Alana

@dan-brown_0128 I understand So you'd either have to upgrade (where we fixed the code) or reassess it to Low so npm audit won't crash. I suppose you could also patch npm audit so it doesn't crash.

Hi @pbspec2_5732 , The script in the linked gist should fix the problem for you; it's not feasible/possible to try editing in the database directly due to the complexity of the model. https://gist.github.com/apxltd/351d328023c1c32852c30c335952fabb Thanks, Steve

Great to hear! Thanks for the followup

Hi @dan-brown_0128 , Yes, but only once you've enabled ProGet 2024 Vulnerability Preview features (available in ProGet 2023.29+). Thanks, Steve

Hi @dan-brown_0128 , The latest version includes a migration tool, so I would recommend using that. The URL has been changing throughout ProGet 2023, but you will be safe whitelisting cdn.inedo.com and security.inedo.com. This is only required for downloading updates, as it's an offline database that ships with ProGet. Cheers, Alana

Hi @dan-brown_0128, The only linkage between the SCA project and the NuGet package/feed (and other feed types when associated) is that the SCA project will look at all the associated NuGet packages' feeds to pull their relevant license and vulnerability data for each associated package. The then displays that information in the SCA project and creates issues if it finds problems (blocked license, blocked due to vulnerability, missing package, etc...). Thank, Rich