RE: Request for Creation of API for Package Auditing Before Dependency Restoration

@stevedennis

Re: Get package license with ProGetClient

the pgutils packages metadata + API end point to be used in Inedo.Proget lib is what I need :)

Do you have a timeline for the implementation ?

Best Regards,
Pedro

Re: Get package license with ProGetClient

Sorry to recover an old topic, but what I want is to be able to read the package metadata including the license (LicenseUrl, LicenseType, or LicenseExpression) assigned in ProGet, which is MIT (the license assigned to the package in ProGet).

The PackageVersionInfo (https://docs.inedo.com/docs/proget/api/packages#package-version) does not contain the license information.

Best Regards,
Pedro

Hello,

the version 25.0.9 of proget is not present in the inedo feed, and the hub is not able to find: https://proget.inedo.com/feeds/Products/InedoReleases/ProGet/versions/all

Best Regards,
Pedro

Hi @atripp ,

thank you for the update. I reverted to 2025.07 and I will wait for the next maintenance release.

@power_pille thank you too, for your findings and suggestions.

I'm having the same problem, and I can see in the database the duplicated entries.

Hello,

Is it possible to get the Package Policies with ProGetClient? I'm interested in the License Rules.

Best Regards,
Pedro

Hello,

I was trying to use ProGetClient to get the license information from a NuGet package present on a feed, but I didn't find any method to get that information.

I know I can use the NuGet CLI to get that information, but if the license is set on ProGet GUI, the returned license is not what we have on ProGet, but what is present in the package metadata.

As an example, the System.Memory 4.5.5 has a URL license, and on ProGet, it was set to MIT.

Best Regards,
Pedro

Hello @atripp ,

Thank you for your help.

We have an intermediate certificate (proxy), which I think, as you point out, can be the problem. I will clarify with our IT department. Anyway, after reading a little bit more, there is a variable to force Kaniko to use HTTP/1.1.

 variables:
    GODEBUG: "http2client=0"

After adding that, everything works :)

Thank you!

Best Regards,
Pedro

Hello,

I'm trying to publish a Docker image from Gitlab pipeline using Kaniko to Proget.

With HTTP, everything goes smoothly, but with HTTPS, an error occurs: stream error: stream ID 47; HTTP_1_1_REQUIRED; received from peer

I checked all certificates, and they are valid.

Do you have any advice on continuing the troubleshooting?

The full error:
Pushing image to xxx.lokal:8625/dev-images/image-name:latest
error pushing image: failed to push to destination xxx.lokal:8625/dev-images/image-name:latest: Head "https://xxx.lokal:8625/v2/dev-images/image-name/blobs/sha256:944cb9daf72b35ac4c2a49b5ad6d66fd45e201e5fd2a67b47cb5d4b4c838f19e": stream error: stream ID 47; HTTP_1_1_REQUIRED; received from peer

Best Regards,
Pedro

@rhessinger

I added the requested info to the opened ticket.

Best Regards,
Pedro

Hello,

while trying to access the asset or re-index, we receive the following error:

INFO : 2025-02-25 16:13:57Z - Performing verification for Asset feed 3: ToolChainAssets
INFO : 2025-02-25 16:13:57Z - Deactivating feed.
INFO : 2025-02-25 16:13:57Z - Re-activating feed.
ERROR: 2025-02-25 16:13:57Z - Unhandled exception: Microsoft.Data.SqlClient.SqlException (0x80131904): FOR XML konnte die Daten für den CreatedBy_User_Name-Knoten nicht serialisieren, weil ein in XML unzulässiges Zeichen (0x0000) enthalten ist. Um diese Daten mithilfe von FOR XML abzurufen, konvertieren Sie sie in den Datentyp "binary", "varbinary" oder "image", und verwenden Sie die BINARY BASE64-Direktive.
   at Microsoft.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at Microsoft.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at Microsoft.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
   at Microsoft.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
   at Microsoft.Data.SqlClient.SqlDataReader.TryConsumeMetaData()
   at Microsoft.Data.SqlClient.SqlDataReader.get_MetaData()
   at Microsoft.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString, Boolean isInternal, Boolean forDescribeParameterEncryption, Boolean shouldCacheForAlwaysEncrypted)
   at Microsoft.Data.SqlClient.SqlCommand.CompleteAsyncExecuteReader(Boolean isInternal, Boolean forDescribeParameterEncryption)
   at Microsoft.Data.SqlClient.SqlCommand.EndExecuteReaderInternal(IAsyncResult asyncResult)
   at Microsoft.Data.SqlClient.SqlCommand.EndExecuteReaderAsync(IAsyncResult asyncResult)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location ---
   at Inedo.Data.SqlServerDatabaseContext.SqlServerCommand.ExecuteReaderAsync(CancellationToken cancellationToken)
   at Inedo.Data.DatabaseContext.DbResult.CreateAsync(IGenericDbCommand command, DatabaseContext context, DateTimeOffset startTime, Stopwatch stopwatch)
   at Inedo.Data.DatabaseContext.ExecuteInternalAsync(String storedProcName, GenericDbParameter[] parameters, DatabaseCommandReturnType returnType)
   at Inedo.Data.SqlServerDatabaseContext.ExecuteInternalAsync(String storedProcName, GenericDbParameter[] parameters, DatabaseCommandReturnType returnType)
   at Inedo.Data.DatabaseContext.ExecuteNonQueryAsync(String storedProcName, GenericDbParameter[] parameters)
   at Inedo.Data.DatabaseContext.ExecuteScalarAsync[TResult](String storedProcName, GenericDbParameter[] parameters, Int32 outParameterIndex)
   at Inedo.ProGet.Feeds.Assets.AssetFeed.EnsureDirectoryAsync(String fullPath, Nullable`1 created, Nullable`1 modified, IEnumerable`1 userMetadata)
   at Inedo.ProGet.Feeds.Assets.AssetFeed.EnsureDirectoryAsync(String fullPath, Nullable`1 created, Nullable`1 modified, IEnumerable`1 userMetadata)
   at Inedo.ProGet.Feeds.Assets.AssetFeed.<>c__DisplayClass53_0.<<VerifyFeedAsync>g__checkDirAsync|1>d.MoveNext()
--- End of stack trace from previous location ---
   at Inedo.ProGet.Feeds.Assets.AssetFeed.<>c__DisplayClass53_0.<<VerifyFeedAsync>g__checkDirAsync|1>d.MoveNext()
--- End of stack trace from previous location ---
   at Inedo.ProGet.Feeds.Assets.AssetFeed.<>c__DisplayClass53_0.<<VerifyFeedAsync>g__checkDirAsync|1>d.MoveNext()
--- End of stack trace from previous location ---
   at Inedo.ProGet.Feeds.Assets.AssetFeed.VerifyFeedAsync(IFeedVerificationContext context, CancellationToken cancellationToken)
   at Inedo.ProGet.Executions.VerifyFeedExecution.ExecuteAsync(IManualExecutionContext context)
   at Inedo.ProGet.Executions.VerifyFeedExecution.ExecuteAsync(IManualExecutionContext context)
   at Inedo.ProGet.Service.Executions.ActiveManualExecution.ExecuteAsync()
ClientConnectionId:1cd23f85-8aa0-4309-b006-edd39297c935
Error Number:6841,State:1,Class:16

This seems to happen after the update to version 24.0.24, but unfortunately, I'm not 100% sure because we don't use this very often.

We are currently running version 24.0.27 and the problem is still there.

Best Regards,
Pedro

Hello @NanciCalo ,

thank you for the clarification.

So, as I wrote, the only way to have the expected behavior is to disable the cache from the feed/connector right ? Then the search mechanism will not search for local packages.

Best Regards

Hi @dean-houston ,

thank you for your quick response.

The missing values from the search API are not new, the owners exist since v2 at least.
I searched for a package that I don't have any local package, then the search works as expected (all versions and owners are there). Then I deleted the cached package (microsoft.playwright.nunit) and the search result contains now all versions and owners.

So, I would say that for me is a clear relation between the cache and the missing information.

I understand that can be hard, and can cause performance problems, but the version information is present when I access the package page from ProGet, so, that information should be available over search API and not only the local packages, in my opinion.

Of course, a possible solution is to disable the cache from that feed/connector. So then, no local packages will be present. Of course, with this change, I will not be able to use the full power/features of ProGet :\

Regarding the registration API, the amount of data present is huge! A lot of not necessary information and the owners entry is not there too :)

I would like to point out that, the owners were just an example of the missing properties, there are more missing. But the important ones for me are the versions.

I'm using the search API in our internal tool to verify if a new version is available, if exists on the feed, etc.
I encounter this problem, when I was setting our internal tool to only use ProGet feeds (mixed connectors), so that way, we can block internet access (nuget.org) to the server where that tool is running, and only ProGet server will have access to nuget.org.

Do you see any other way to get all the versions ?

Thank you for your help.

Hello,

I have a feed connected to nuget.org and to an internal feed.

When I do a query to this feed for a specific package, some information is missing compared to the result if I do the same query to nuget.org.

Query to internal feed result (https://internal/nuget/Development/v3/search?q=microsoft.playwright.nunit&take=1):

Query to nuget.org feed result (https://azuresearch-usnc.nuget.org/query?q=microsoft.playwright.nunit&take=1)

From what I see, the result of the internal query only returns some information about the local packages, but other important information from metadata is missing, for example, the owners.

Can you please advise what I need to do on this feed/query to be able to return the same information as present on nuget.org, since the feed is connected to there?

Thank you.

@apxltd

I don't know if using the package name will be enough... There are a lot of packages from Microsoft, that don't start with Microsoft.

Would be nice to be able to filter the licenses based on other metadata, for example, owners.

At the moment, in our company, we use TrustedSigners to allow/block the installation of some packages from external sources, as you can see below. So, maybe being able to assign licenses by owner will be a big win for us here, I don't know @sebastian thoughts about this approach.

  <trustedSigners>
    <repository name="nuget.org" serviceIndex="https://api.nuget.org/v3/index.json">
        <certificate fingerprint="0e5f38f57dc1bcc806d8494f4f90fbcedd988b46760709cbeec6f4219aa6157d" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
        <certificate fingerprint="5a2901d6ada3d18260b9c6dfe2133c95d74b9eef6ae0e5dc334c8454d1477df4" hashAlgorithm="SHA256" allowUntrustedRoot="false" />
        <owners>Microsoft;dotnetfoundation;aspnet;Microsoft Corporation;confluent</owners>
      </repository>
  </trustedSigners>

Hello @sebastian ,

yes, that is my current problem too! One of the main reasons to buy the ProGet is the nice Reporting & SCA feature! I hope that functionality will be added in the future too!

Thank you for the clear explanation and sample queries, I will use them for sure!

1222 packages are a lot! For now, we do not have many packages, but we will have them for sure :)

@atripp FYI, this is what I was looking for :)

Hello @atripp,

yes, I know that I can do that, and is really one important feature for our evaluation :)

But what I would like to have is, a list of packages without licenses, so then, I can go to all packages without the license and assign them manually.

The only possibility that I see to do that is, to go throw all available packages in the feed and check if the license info is available or not.

So, would be nice to have a list somehow, is that possible ? Can I get that information from database ?

Best Regards,
Pedro

Hello @atripp ,

yes, that was the reason :)

Is possible to filter all packages without a license defined ?

Best Regards,
Pedro

Hello Alana,

Thank you for the clarification.

The problem is, I don't see the option to assign the license type to Package as you can see in the two examples below.

First Example
Accord Package
This package has a file license as you can see here in the picture below

Because the ProGet is not able to read the file to identify the license (LGPL), the license doesn't appear in the main feed and cannot be allowed/restricted by our rules:

The same is true for some other packages, for example, Newtonsoft.Json.Schema.

So, I would like to be able to specify manually the licenses for these type os packages.

Second Example
For a package without any license information, the option to assign the license type to Package is not appearing at all

Best Regards,
Pedro

ProGet Version 2022.16 (Build 7) (Inedo Hub) - Trial version

Hello,

we are evaluating ProGet as our package manager, and license control is one of the critical features that ProGet gives us.

In the first installation, I remember seeing the possibility to specify the license that belongs to a package, when the ProGet is not able to detect.

Now, that I reinstall everything using a trial version, I don't see any possibility to specify the license of a package when ProGet is not able to detect the license. Even, when I go to the metada of the package, there is no possibility to specify the license.

I'm missing some configuration ?

Best Regards,
Pedro Magno