Posts made by rhessinger
RE: Conda Feed to SMB Share
Thanks for the additional information. We were able to recreate it and have a fix pending, PG-2639, that will be released this Friday in ProGet 2024.2.
RE: 3rd Party Repository Feed error
Thank you for all the extra detail. I was able to recreate this issue and fix it as part of PG-2628. This fix will be released this Friday in ProGet 2023.34 and 2024.1.
Thanks,
Rich
RE: Errors in PackageAnalyzer logs
Hi @v-makkenze_6348,
As @atripp stated in your other post, this is due to bad data. For that package exactly, it was added with a NuGet quirks version that is 4 parts (most likely specified), 17.2.65.0, which is getting handled correctly to a 3-part version due to NuGet's API specs. We are still working out how best to handle these cases.
Thanks,
Rich
RE: Downgrade From 2024 - Assets Page - Unable to cast object of type 'System.Int32' to type 'System.Int64'
Hi @arlymac_7956,
What version of ProGet did you have installed prior to upgrading to ProGet 2024 before you downgraded? I don't see any differences in the table schemas between ProGet 2023 and 2024, but I want to make sure I'm comparing to the correct schema.
Thanks,
Rich
RE: NuGet no longer works after upgrading to 2024
Hi @jw,
Yes we believe this is the same data issue. Our initial thoughts were that this only affected analysis, but it seems to be affecting the NuGet feed itself as well.
Thanks,
Rich
RE: 3rd Party Repository Feed error
I have a feeling that there was a problem connecting to the third-party Maven index. Which third-party Maven index were you trying to connect to? Also, can you try creating a blank Maven feed and then add the connector to it and see if you can pull artifacts from it? This would help to point us in a direction of where the issue may exist.
Thanks,
Rich
RE: 3rd Party Repository Feed error
This is not expected behavior. Can you please tell me which version of ProGet you are using?
Thanks,
Rich
RE: Proget: Documentation of 2024 Projects Preview feature
Hi @sebastian,
That option can be ignored. We have decided to remove that option from the feature because it was only something that changed a UI color and had no real effect on the operation. It looks like we missed it in that UI. We will remove that in an upcoming release of ProGet.
Thanks,
Rich
RE: Proget: Documentation of 2024 Projects Preview feature
Hi @sebastian,
Thanks for asking this. We will definitely explain this better in our docs prior to the launch of ProGet 2024. Basically, the concept of build stages was a way to track your project through its build lifecycle. Since the scan needs to be performed against the source code, a build is typically added at your CI server's build stage. Then the version will be promoted between stages until it is released. During this process, there are typically multiple CI builds that are created and then rejected before going to release. ProGet's build stages give you the ability to automatically handle archiving old versions and determine at what stage an automated build analysis should create issues.
With all that said, you can customize these build stages by navigating to Reporting & SCA -> Projects and then hover over the multi-button in the upper right corner and select "Build Stages". From there, you can modify the settings for how builds are handled in each stage (scan for issues, number of active builds to keep, etc...) and create new build stages to match your CI/CD process.
ProGet includes 4 stages out of the box and they are configured to do the following by default:
- Build: Archive other builds except the latest 10.
- Integration: Archive other builds except the latest 3.
- Test: Archive other builds except the latest 3 and create issues for noncompliant packages.
- Production: Archive other builds except the latest 1 and create issues for noncompliant packages.
I hope this helps! Please let us know if you have any other questions.
Thanks,
Rich
RE: ProGet SCA 2024 Preview Feedback - Error when trying to bulk delete projects
Hi @jw,
Thanks for letting us know about these. To answer your questions:
- This is an issue with the order of how we delete the projects and their child items. If you delete all the builds first, then the project can be deleted without issue. We will fix this as part of PG-2596 that will be released tomorrow in ProGet 2023.31.
- This is an oversight on our part. We will get delete buttons added to the Edit Project Settings and Edit Build Settings page also as part of PG-2596.
Thanks,
Rich
RE: ProGet SCA - Support for CycloneDX Spec Version 1.5
Hello @jw,
We are currently in the process of testing the change to include the updated CycloneDX Specs. It is expected to be released in ProGet 2023.31.
Thanks,
Rich
RE: [BM] Preventing Build from deploying into further stage based on variable
Hi @andy222,
To expand on this further. If you are looking for it to just skip the stage based on that variable and proceed to the next stage, then I would also suggests @philippe-camelio_3885 method of checking in OtterScript using the
$PipelinStageName
. If you are looking to block going further in the pipeline and stopping at a specific step, I would suggest using the Pipeline Stage Requirements and setting a Require Variable automated check. That can block deployment to a stage unless a variable is set to a specific value.Thanks,
Rich -
RE: Incorrect packages count in Feeds page
Hello @daniel-scati,
Sorry for the delay in our response. We have recreated the issue and have a fix, PG-2582, ready and will be released in ProGet 2023.30.
Thanks,
Rich
RE: ProGet feeds in different IIS App Pools
Hi @forbzie22_0253,
There is no way to split out each feed to have different app pools. The only way to accomplish that is to have multiple instances of ProGet where each instance has a different feed. That would require a separate license for each instance.
Thanks,
Rich
RE: Multiple Proget instances and SQL DB
Hi @forbzie22_0253,
Since these will be free editions of ProGet, each instance will need to have its own database. The only way to share a database would be to purchase an Enterprise edition license and configure ProGet to use High Availability.
Thanks,
Rich
RE: Docker::Build-Image on Linux server
Hi @PhilipWhite,
The Repository Name field is actually the name of a Docker Repository Connection, not the Repository itself. To add a Docker Repository Connection:
- Navigate to your application -> Settings -> All Settings
- Click "add" to the right of the Connections heading
- Select Docker Repository
- Select the repository type and fill in the fields (note: if this is not a ProGet Docker Registry, use Generic Docker Repository and then your registry and name will go in the Repository Name field here)
Then take that resource name and use that in the "Repository name" field in the Docker::Build-Image operation. Also, if you only have one Docker Repository Connection, you can leave it blank and it will use the variable $DockerRepository by default, which is automatically set to your Docker Repository Connection. Hope this helps!
Thanks,
Rich
RE: Possible to set Preload Enabled to true in IIS:EnSureSite?
Hi @Justinvolved,
The easiest way to set up a test environment for this would be to set up an instance of Otter (free edition is fine). Then once you have checked out https://github.com/Inedo/inedox-windows and made your changes, you can package the extension using the Inedo Extension Packager. This is available as a .NET tool. You can then navigate to the extensions page and upload the extension file to Otter. You may need to modify the AssemblyVersion in AssemblyInfo.cs to a version newer than the installed version to get it to pick it up as the latest. Alternatively, you can copy that extension file to the Extensions.ExtensionsPath and restart Otter to have it pick it up as well. The command I typically run to package the extension is:
inedoxpack pack InedoExtension Windows.upack -o --build=Debug
I run that command from the solution file's directory.
Hope this helps! If you have any questions, please let me know.
Thanks,
Rich
RE: Error when checking for Az powershell module
Hi @Justinvolved,
Would you be able to send us the output of Get-Module -ListAvailable on PowerShell 5.1? I would like to take a look and see if there is anything causing a parsing error in Otter. If it is not safe to post here, you can email it to support@inedo.com and prefix the subject with [QA-1405] and then comment back here when you have sent it.
Thanks,
Rich
RE: Scoped npm packages not listed in releases
Hi @sebastian & @caterina,
I'm sorry, I realized that after I sent the last response. I have already fixed it as part of ticket PG-2563 in ProGet 2023.28. That version is due out this Friday, but I can provide you with a pre-release version early if you want to fix this issue immediately.
Thanks,
Rich
RE: Scoped npm packages not listed in releases
Hi @caterina,
I think I see what the issue is here. When it comes to the package purl for npm packages, the scope needs to be URI encoded. When it goes to parse the purl for scoped packages, it reads the @ in the scope as the character indicating a version and then fails to parse it as an invalid URI. I'll get a fix in pgscan to handle this shortly and reply back when I have an updated version.
Thanks,
Rich
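As an added example (not pgscan's own code and not part of the post above), the purl handling the reply describes: the scope's @ must be percent-encoded as %40, so a parser that takes the first @ after the type as the version separator loses the package name when the scope is left raw but works once it is encoded. The package names and versions are constructed values.

```python
from urllib.parse import quote, unquote

# Constructed sample values, not taken from the post.
SCOPED_NAME = "@owner/my-pkg"
VERSION = "1.2.3"


def npm_purl(name: str, version: str) -> str:
    """Build a purl for an npm package, percent-encoding the scope's '@'.

    The purl spec requires '@' inside namespace or name segments to be
    encoded as %40, so the only raw '@' left is the version separator.
    """
    if name.startswith("@"):
        scope, _, pkg = name[1:].partition("/")
        namespace = "%40" + quote(scope, safe="")
        return f"pkg:npm/{namespace}/{quote(pkg, safe='')}@{version}"
    return f"pkg:npm/{quote(name, safe='')}@{version}"


def parse_purl_naive(purl: str) -> dict:
    """Parser that treats the FIRST '@' after the type as the version separator.

    With an unencoded scope ('pkg:npm/@owner/my-pkg@1.2.3') the path comes back
    empty and 'version' swallows the whole name, which is the failure mode the
    post describes.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl")
    ptype, _, rest = purl[len("pkg:"):].partition("/")
    path, _, version = rest.partition("@")
    return {"type": ptype, "path": path, "version": version}


def parse_purl(purl: str) -> dict:
    """Spec-style parse: the version is the LAST '@'; segments are percent-decoded."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl")
    ptype, _, rest = purl[len("pkg:"):].partition("/")
    path, sep, version = rest.rpartition("@")
    if not sep:
        path, version = rest, None
    if "@" in path:
        # A raw '@' in namespace/name is invalid per the spec; it must be %40.
        raise ValueError(f"unencoded '@' in purl path: {path}")
    segments = path.split("/")
    return {
        "type": ptype,
        "namespace": unquote("/".join(segments[:-1])) or None,
        "name": unquote(segments[-1]),
        "version": version,
    }


if __name__ == "__main__":
    encoded = npm_purl(SCOPED_NAME, VERSION)
    print(encoded)                                           # pkg:npm/%40owner/my-pkg@1.2.3
    print(parse_purl_naive("pkg:npm/@owner/my-pkg@1.2.3"))  # raw scope: empty path
    print(parse_purl_naive(encoded))                         # encoded scope: version 1.2.3
    print(parse_purl(encoded))
```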
RE: Unable to save changes to Role Configuration Script in Otter 2023 and 2023.1 (Build 3)
Hi @MY_9476,
We just released 2023.3 on 12/1/2023. Can you please update to 2023.3 and verify that it fixed your issue?
Thanks,
Rich
RE: [BM] Bug with variables get from a list at build level
Thanks for finding this and providing a workaround. I have added a ticket, BM-3915, to fix this issue. It should be released within the next couple of versions of BuildMaster.
Thanks,
Rich
RE: BuildMaster 2023.4 Proxy Support for Extension Updates
Hi @paul_6112,
Thanks for letting us know that this is still an issue. I created a ticket, BM-3914, to track this fix.
Thanks,
Rich
RE: BuildMaster 2023.4 Unable to Create Application from Template
Hi @paul_6112,
Thanks for letting us know that this is still an issue. I created a ticket, BM-3913, to track this fix.
Thanks,
Rich
RE: KeyNotFoundException when using pgscan
Hi @v-makkenze_6348,
This fix has been released in pgscan 1.5.7. Please let us know if you have any questions!
Thanks,
Rich
RE: [BM] How to build a docker container from gitlab using env file
Based on that script, as long as your Dockerfile is at the root of the $WorkingDirectory (From defaults to $WorkingDirectory) and the myapp.env is specified within the Dockerfile, that script should work. Can you please tell me what you are seeing while running Build-Image?
Thanks,
Rich
RE: BuildMaster v2023 PSCall
Hi @paul_6112,
What version of the Scripting extension do you have installed? This bug should be fixed in v2.4.0 of the Scripting extension. If it is not currently version 2.4.0, can you try updating that extension and see if that fixes the issue?
Thanks,
Rich
RE: Otter v2023.1 Reference Documentation HTTP 500
Hi @paul_6112,
Thanks for sending this over to us. I have resolved the issue in OT-505 and it will be released this Friday in Otter 2023.2.
Thanks,
Rich
RE: Otter v2023.1 Change Password
Hi @paul_6112,
Thanks for sending this over. I found the issue and have resolved this as part of OT-504. It will be released this Friday in Otter 2023.2.
Thanks,
Rich
RE: BuildMaster 2023.4 Proxy Support for Extension Updates
Hi @paul_6112,
Thanks for verifying this for us. We were able to find an issue in our code. This has been fixed in BM-3909 and will be released this Friday in BuildMaster 2023.5.
Thanks,
Rich
RE: Unable to save changes to Role Configuration Script in Otter 2023 and 2023.1 (Build 3)
Hi @MY_9476,
Thanks for bringing this to our attention. I added a ticket, OT-502, to fix the issue. This should be released next week in Otter 2023.2.
Thanks,
Rich
RE: npm GitHub Packages(https://npm.pkg.github.com) as Connector Feed
Hi @devopsdude3113,
What scopes do you have configured for your personal access token? When I tested this, I created a personal access token and added only the read:packages scope. Also, do you see any error in your ProGet diagnostic center?
Thanks,
Rich
RE: npm GitHub Packages(https://npm.pkg.github.com) as Connector Feed
Hi @devopsdude3113,
When you search for the package by exact name in ProGet (ex: @owner/npm-package), are you able to see it?
Thanks,
Rich
RE: npm GitHub Packages(https://npm.pkg.github.com) as Connector Feed
Hi @devopsdude3113,
When you are searching for your package, are you searching using @owner/package-name? GitHub only supports scoped packages, so the exact name requires the scope too. Also, if you have already pulled the package directly from GitHub, you will need to clear your local npm cache before it will attempt to pull from ProGet. Also, please verify only your ProGet repository is configured for your @owner scope in your npmrc file.
Thanks,
Rich
RE: npm GitHub Packages(https://npm.pkg.github.com) as Connector Feed
Hi @devopsdude3113,
The package count is what we check for the connector health, so it will always show 0 connector packages in the GitHub connector, and the search API is what allows you to partial search for packages in the remote repository. Once a package has been pulled locally to ProGet or has been cached in ProGet, then those packages will show on your list packages page and will allow partial name searching against them. When they have not been cached or pulled to ProGet, those only exist remotely in the GitHub repository and require that you type the exact name to see them in ProGet.
Thanks,
Rich
RE: npm GitHub Packages(https://npm.pkg.github.com) as Connector Feed
Hi @devopsdude3113 ,
GitHub npm connectors work a bit differently than other connectors. GitHub does not implement the full npm API specification, so certain things like package count and the search API are not working. To get around this in ProGet 2023, you will need to make sure that you have updated to at least ProGet 2023.20 and use the following settings:
- On the General tab
  - For the URL, use https://npm.pkg.github.com/<OWNER>
  - For Authentication
    - Use Basic auth
    - For the username, use your GitHub user name
    - For the password, use a Personal Access Token (classic)
- On the Advanced tab
  - Check "Exact package name match only"
  - Check "Do not perform health check"
That should allow you to search for the package by full name and allow your npm applications to pull the packages properly. Please note that partial name searches will not return any values from your GitHub connector since the search API has not been implemented.
Please let me know if these steps fix your issue or if you have any other questions. I have also added a section to our docs to include setting up a GitHub connector as well. You can see this in the Troubleshooting section of our npm docs.
Thanks,
Rich
RE: [OT] Upgrade 2022 to 2023 - SSH broken
I think I have fixed the issue. Can you try upgrading your image to Otter 23.0.1-ci.2? It looks like we had a version mismatch in our base image.
Thanks,
Rich
RE: API method to get a specific object by name
Hi @jimbobmcgee,
I just wanted to let you know that we just released Otter 2023 and it includes the name filter on the List action type on the Infrastructure API.
Thanks,
Rich
RE: Otter - has anything changed with new versions?
Hi @Jon,
Looks like this was a result of a recent change. I have fixed this in OT-499 and it will be released in Otter 2022.15. If this is an immediate requirement, I can create a prerelease version of Otter you can install. Please let me know if you are interested.
Thanks,
Rich
RE: pgscan: Different results for npm dependencies
Hi @caterina,
Here is the final solution:
- When using the auto type and scanning for NuGet and npm dependencies: the default configuration should be to omit dev dependencies and scan the node_modules directory
- When using the npm type and a package-lock.json file is specified: the default is to only scan the specified package-lock.json file and omit dev dependencies
- When using the npm type and a package-lock.json file is not specified: the default configuration should be to omit dev dependencies and scan the node_modules directory
- Each of these options would have an optional parameter to include the dev dependencies (--include-dev)
- Each of these options would have an optional parameter to ignore package-lock.json files found under node_modules (--package-lock-only)
This has been implemented in pgscan 1.5.6 which I will be pushing shortly, and these options will be added to BuildMaster 2023.2.
Thanks,
Rich
RE: pgscan: Different results for npm dependencies
Hi @caterina,
That is correct, those two files will be merged. The page you are looking at is just a history of each SBOM that has been uploaded to it. When you export the SBOM for that project, it generates an SBOM based on all the packages included in that project release and combines them in one file. Also if you remove a package dependency on the packages tab (like an npm dev dependency), those will not be included in the generated SBOM.
Thanks,
Rich
RE: pgscan: Different results for npm dependencies
Hi @caterina,
I see the problem now, the package-lock.json of the dev dependency contains non-dev dependencies which would cause the extra dependencies. I may have a solution for this, but I will need to run a couple of tests.
I still think the two scans in this case would be best. When you run pgscan those two times (one for npm and one for NuGet), configure the scan to push the results of each scan to the same SCA project in ProGet. This will append the new dependencies to the project. This way, when you export the SBOM from ProGet, only one SBOM will be generated and exported including all the related dependencies (npm and NuGet).
Thanks,
Rich
RE: pgscan: Different results for npm dependencies
Hi @caterina,
I was able to chat with the team and here was our consensus:
- When using the auto type and scanning for NuGet and npm dependencies: the default configuration should be to omit dev dependencies and scan the node_modules directory
- When using the npm type and a package-lock.json file is specified: the default is to only scan the specified package-lock.json file and omit dev dependencies
- When using the npm type and a package-lock.json file is not specified: the default configuration should be to omit dev dependencies and scan the node_modules directory
- Each of these options would have an optional parameter to include the dev dependencies (--include-dev)
The thought is that this lines up with the other SBOM scanners' defaults as well as handles any hidden dependencies in the node_modules folder. This also handles the case of scanning only package-lock.json since you can explicitly specify it.
How does this sound to you?
Thanks,
Rich
RE: pgscan: Different results for npm dependencies
Hi @caterina,
Thank you for that explanation. That makes a lot of sense how and what is being included. I did some other research on this topic as well and it looks like dev dependencies will vary from environment to environment whether these should be included or not in the SBOM. From my research, it sounds like there is not a definitive answer on best-practice for this. Furthermore, it looks like the CycloneDX implementation of the dependencies scan has options on what to scan:
- package-lock-only: Whether to only use the lock file, ignoring "node_modules".
  - This means the output will be based only on the few details in the tree described by the "npm-shrinkwrap.json" or "package-lock.json", rather than the contents of the "node_modules" directory.
  - default: false
- omit: Dependency types to omit from the installation tree.
  - can be set multiple times
  - choices: "dev", "optional", "peer"; default: "dev" if the NODE_ENV environment variable is set to "production", otherwise empty
So as a summary, their defaults are to scan the node_modules folders but omit the dev packages when building a production package. I'm inclined to make that the default for pgscan. The pgscan library has been geared to be a lightweight alternative and when more complex scans are needed, it is suggested to use a tool like CycloneDX to generate an SBOM and upload that file to ProGet.
What are your thoughts on those defaults for pgscan? I will also discuss this internally with the team and post back what our thoughts are.
Thanks,
Rich
RE: pgscan: Different results for npm dependencies
Hi Caterina,
No problem! This is a good catch! Please let me know what you do to resolve this. I'm thinking the node_modules scan may be more helpful in situations like this. If that package is being released (even if by accident), it makes sense that it is reflected in the SCA project. Let me know your thoughts on that as well.
Thanks,
Rich
RE: pgscan: Different results for npm dependencies
Hi @caterina,
Just for some background. In pgscan, if the type is not specified or is set to auto and .NET is detected, it will perform a scan for .NET dependencies and for npm package dependencies and include them in the SBOM. When specifying a type that is not auto, pgscan will only scan for dependencies of that type. If you run 2 or more scans with pgscan, the results of each scan will append the new packages to the SCA project in ProGet, allowing you to append different dependency types as needed.
I know we discussed this with your team on issue #27 in the GitHub repository and determined there were no actual differences. Are you able to provide an example case where there are differences?
Just so other users can see a snippet of the conversation:
That is a fair point to make. My thought was that including the node_modules folder in the recursive search would allow us to include the child dependencies used by installed packages that were not marked as dependencies in the npm package. But in my research and testing, I have found the package-lock.json at the root of the node_modules folder includes a subset of the data in the main package-lock.json. So no extra information was added. Do your package-lock.json files under the node-modules folder have additional information the parent doesn't? Also, do your packages in that folder have package-lock.json outside of the root of that folder?
Looking at the hidden lock file documentation. The information in that file should be redundant as it is only used to improve performance, but if there is manual change in the node_modules tree by something other than npm, then the lock file is ignored (and should probably be removed anyways). I'm inclined to just exclude files from the node_modules folder as you suggest.
I can confirm your observation. There is no extra information in our package-lock.json files under the node-modules folder. Further, we do not have additional package-lock.json outside of the root folder.
We have created a low-priority issue #30 to remove the node_modules scan in the future, but it has not been prioritized based on the details in issue #27. If this truly is causing an issue we can prioritize it, but I would be interested to understand why your node_modules folder detected more dependencies.
Thanks,
Rich
RE: Problem with Vulnerabilities in docker with Clair
Hi @w-repinski_1472,
We currently do not have any mechanism for alerting the user when an extension update is available. Our guidance around this is to check extensions for updates after a product is upgraded or when instructed by support. In this case, it was my fault for not alerting you to upgrade the extension to fix this issue. I'm sorry for that and I will make sure this does not happen again.
Also, many extensions are included in the install package. These extensions are updated automatically when the product is upgraded. So this won't be a problem with most extensions, it just so happens that the clair extension is not an included one.
Please let me know if you have any other questions for us.
Thanks,
Rich