RE: pgscan: Different results for npm dependencies

Hi @caterina,

Thank you for that explanation. That makes a lot of sense how and what is being included. I did some other research on this topic as well and it looks like dev dependencies will vary from environment to environment whether these should be included or not in the SBOM. From my research, it sounds like there is not a definitive answer on best-practice for this. Furthermore, it looks like the CycloneDX implementation of the dependencies scan has options on what to scan:

1. package-lock-only: Whether to only use the lock file, ignoring "node_modules".
   1. This means the output will be based only on the few details in the tree described by the "npm-shrinkwrap.json" or "package-lock.json", rather than the contents of "node_modules" directory.
   2. default: false
2. omit: Dependency types to omit from the installation tree.
   1. can be set multiple times
   2. choices: "dev", "optional", "peer", default: "dev" if the NODE_ENV environment variable is set to "production", otherwise empty

So as a summary, their defaults are to scan the node_modules folders but omit the dev packages when building a production package. I'm inclined to make that the default for pgscan. The pgscan library has been geared to be a lightweight alternative and when more complex scans are needed, it is suggested to use a tool like CycloneDX to generate an SBOM and upload that file to ProGet.

What are your thoughts on those defaults for pgscan? I will also discuss this internally with the team and post back what our thoughts are.

Thanks,
Rich

Hi Caterina,

No problem! This is a good catch! Please let me know what you do to resolve this. I'm thinking the node_modules scan may be more helpful in situations like this. If that package is being released (even if by accident), it makes sense that it is reflected in the SCA project. Let me know your thoughts on that as well.

Thanks,
Rich

Hi @caterina,

Just for some background. In pgscan, if the type is not specified or is set to auto and .NET is detected, it will perform a scan for .NET dependencies and for npm package dependencies and include them in the SBOM. When specifying a type that is not auto, pgscan will only scan for dependencies of that type. If you run 2 or more scans with pgscan, the results of each scan will append the new packages to the SCA project in ProGet, allowing you to append different dependency types as needed.

I know we discussed this with your team on issue #27 in the GitHub repository and determined there were no actual differences. Are you able to provide an example case where there are differences?

Just so other users can see a snippet of the conversation:

That is a fair point to make. My thought was that including the node_modules folder in the recursive search would allow us to include the child dependencies used by installed packages that were not marked as dependencies in the npm package. But in my research and testing, I have found the package-lock.json at the root of the node_modules folder includes a subset of the data in the main package-lock.json. So no extra information was added. Do your package-lock.json files under the node-modules folder have additional information the parent doesn't? Also, do your packages in that folder have package-lock.json outside of the root of that folder?

Looking at the hidden lock file documentation. The information in that file should be redundant as it is only used to improve performance, but if there is manual change in the node_modules tree by something other than npm, then the lock file is ignored (and should probably be removed anyways). I'm inclined to just exclude files from the node_modules folder as you suggest.

I can confirm your observation. There is no extra information in our package-lock.json files under the node-modules folder. Further, we do not have additional package-lock.json outside of the root folder.

We have created a low-priority issue #30 to remove the node_modules scan in the future, but it has not been prioritized based on the details in issue #27. If this truly is causing an issue we can prioritize it, but I would be interested to understand why your node_modules folder detected more dependencies.

Thanks,
Rich

Hi @w-repinski_1472,

We currently do not have any mechanism for alerting the user when an extension update is available. Our guidance around this is to check extensions for updates after a product is upgraded or when instructed by support. In this case, it was my fault for not alerting you to upgrade the extension to fix this issue. I'm sorry for that and I will make sure this does not happen again.

Also, many extensions are included in the install package. These extensions are updated automatically when the product is upgraded. So this won't be a problem with most extensions, it just so happens that the clair extension is not an included one.

Please let me know if you have any other questions for us.

Thanks,
Rich

Hi @w-repinski_1472,

You can see extension updates by navigating to Administration > Extensions and then an information block at the top of the page will display that there are extension updates. For the actual changes that were made in the 2.0.1 version of the Clair extension, you can view the 2.0.1 milestone in GitHub for our Clair extension.

Thanks,
Rich

Hi @w-repinski_1472,

Can you please ensure that your Clair extension is updated to 2.0.1 as well? Some of the fixes required changes to the Clair extension directly. The two issues that were fixed in the extensions:

1. A separate API call is needed to get the CVSS score
2. Duplicate vulnerabilities were being returned by Clair

Looking at your screenshots, it seems those issues will be fixed with an extension update.

Thanks,
Rich

Hi @w-repinski_1472,

Thanks for the additional input. To expand this a bit more:

1. Our auto-assessment uses the CVSS score from the vulnerability to determine which assessment to use automatically. The assessment type is then displayed as the label. It looks like there is a bug in both the CVSS score returned from the Clair extension as well as the stored procedure that saves that information back to ProGet. If you look at the execution log from the original ticket you submitted to us, at the end you can see an error occurred in the merge statement. Those two issues together are causing this.

2. We will look into what is returned from Clair to get this score set properly. When it comes to the vulnerability overview page, we only show the latest unassessed vulnerabilities. If you click the "view all" link at the top of that table, that table will show the assessment information and the score.

3. We have not seen Clair return this message for a layer that is not a manifest/configuration layer (sorry, I call these metadata layers which can be confusing). If there is an issue with how the layer is parsed, you will need to submit an issue to Clair for this. ProGet is only showing the information that Clair has returned to ProGet for the parsing. This is how our Clair implementation works:

   1. Send a list of image layers to Clair
   2. Clair then will pull each layer from ProGet and scan it.
   3. ProGet will then pull the result for each layer from Clair
   4. ProGet will then auto-assess and save the vulnerability back to ProGet.

4. I think this is also related to the stored procedure I was referring to earlier.

We hope to have these issues resolved soon. I hope this clarifies this for you. Please let me know if I missed anything or if you have more questions.

Thanks,
Rich

Hi @w-repinski_1472,

Thanks for all the information. It looks like this can be broken down into a couple of issues.

1. The auto-assessment is not currently working with Docker images. This looks like it may be due to a bug in the [Vulnerabilities_UpdateExternalVulnerabilities] stored procedure that is causing the auto-assessment from being saved, but if not, it may be an issue with how the vulnerability score is calculated for Clair vulnerabilities. I created a ticket, PG-2443, to track this fix and this should be addressed in the next maintenance release of ProGet.
2. The Vulnerabilities Overview page is not properly showing related Docker image layers. I have created a ticket, PG-2444, to fix this issue. This will have to wait until the next maintenance release.

As for the Clair could not process layer... messages. These are expected. When Clair scans the layers, it looks at all layers including the metadata layers. Any metadata layer or other data-based layer will show this message. These are safe to ignore as long as you see request was valid at the end of the layer process.

When you manually assess the vulnerability, do the assessments show?

Thanks,
Rich

Hi @dan-brown_0128,

The only linkage between the SCA project and the NuGet package/feed (and other feed types when associated) is that the SCA project will look at all the associated NuGet packages' feeds to pull their relevant license and vulnerability data for each associated package. The then displays that information in the SCA project and creates issues if it finds problems (blocked license, blocked due to vulnerability, missing package, etc...).

Thank,
Rich

Hi @philippe-camelio_3885,

Good catch! I created a ticket, OT-494, to track the fix. We should have this released in the next two versions of Otter (2022.12 or 2022.13).

Thanks,
Rich

Hi @dan-brown_0128,

Looking at your screenshot, the vulnerabilities associated with your SCA project come from the jQuery package you are using in ScaTestApp. When using the SCA feature in ProGet, your application dependencies are scanned using pgscan (or any other SBOM tool) and uploaded to ProGet. We can then look at each dependency, check for vulnerabilities, and associate that with the project.

Your last screenshot looks like you uploaded the ScaTestApp as a Nuget Package. In this case, only the name of the project and the version are sent to OSS Index to see if OSS Inedx has any known vulnerabilities for that package. It does not look at any dependencies, files, etc... for vulnerabilities.

Please let me know if you have any questions.

Thanks,
Rich

Hi @vishal_2561,

This sounds like it could potentially be an issue with the file becoming locked at the operating system level (like an anti-virus scan, a snapshot taken, etc...). But to be sure, could you please enable "Verbose logging" on your Deploy-Artifact operation and send us the execution again? That will give us a little more detail about the issue. If that execution is too sensitive, you could email it to us at support@inedo.com and use the subject [QA-1175] - Execution log and let us know you sent it.

Thanks,
Rich

Hello,

This is most likely related to PG-2395 (ProGet 2022.30 fix) and PG-2390 (ProGet 2023.9 fix). We added support to handle when OSS Index removes vulnerabilities from their list. Unfortunately, this has brought to light the unreliability of the data returned from OSS Index. It looks like vulnerabilities are constantly removed and re-added, which caused assessments to be cleared out on vulnerabilities. In PG-2395 and PG-2390, we have updated ProGet to only add a comment if we see that OSS Index deleted it. This way the assessment is not lost when OSS Index removes the vulnerability.

Thanks,
Rich

Hi @falam_3608,

That's great to hear. The will also be released in ProGet 2023.11. You will not need to roll anything back upon the next upgrade, InedoHub handles these automatically.

Thanks,
Rich

Hi @falam_3608,

Can you please run the following SQL query on your ProGet database and let me know if that fixes your issue? This will update the NpmFeedPackageTags_Extended view to fix a problem with tags and scoped packages.

IF OBJECT_ID('[NpmFeedPackageTags_Extended]') IS NOT NULL DROP VIEW [NpmFeedPackageTags_Extended]
GO

CREATE VIEW [NpmFeedPackageTags_Extended]
AS
	SELECT NFPT.*,
	       PNI.[PackageGroup_Name],
		   PNI.[Package_Name]
	  FROM [NpmFeedPackageTags] NFPT
	       INNER JOIN [PackageNameIds] PNI
		           ON PNI.[PackageName_Id] = NFPT.[PackageName_Id]
                  AND PNI.[PackageType_Name] = 'npm'
GO

Thanks,
Rich

Hi @falam_3608,

Thanks for letting us know what you found. I'm looking at that query now and I think i see the issue. But to confirm, is this error happening for all packages or just packages with a scope (e.g. @myscope/pacakage)?

Thanks,
Rich

Hi @scroak_6473,

Have you tried restarting your container? Also, what version of InedoCore did you attempt to install?

Thanks,
Rich

Hi @osnibjunior,

Glad to hear this is working now! I think you are right about the circular reference issue. That is most likely what caused the issue initially.

Thanks,
Rich

Hi @rosario-digiovanni_1930,

When you say that a user in the group cannot authenticate, can you describe what happens? Are the users constantly prompted to log in or do you see an error?

Thanks,
Rich

Hi @guyk,

Glad to hear it!

Thanks,
Rich

Hi @guyk,

It looks like jetstack is not requiring Helm packages to use SemVer 2 for their package versions. We have a flag to bypass packages with an invalid version or metadata, but it looks like it was hidden in ProGet v2023. I have added it back as part of ticket PG-2376, and it is set to release in ProGet 2023.7 this Friday. I can push out a pre-release version of ProGet to get the fix faster if you would like.

Thanks,
Rich

Hi @philippe-camelio_3885,

Looking at the code for v2022.10, there is nothing apparent that sticks out to why this wouldn't work. Just to verify, you do not have any other credentials (or legacy credentials) with the same name do you? The only thing that I see in the code would be due to how things are returned and sorted by the function, if there would happen to be two credentials with the same name, it may return the wrong credential which would have the wrong value set.

Thanks,
Rich

Hi @MF-60085,

It looks like there is a bug in the migration process when you select a specific feed. If you re-run it with no feeds selected, it will rerun it for all feeds that need to be migrated and that message should go away. We will fix the per-feed retry migration in ProGet 2023.6 which is due out this Friday.

Thanks,
Rich

Hi @MF-60085,

Can you please try upgrading to ProGet v2023.5? We have fixed multiple migration issues since ProGet 2023.0, including the MERGE statement error when handling NuGet packages.

Thanks,
Rich

Hi @k-gosciniak_5741,

Can you please try downgrading to a previous version of v2023 and then upgrading to the latest version again? Also, can you please verify that web site in IIS is pointing to C:\Program Files\ProGet\Service?

Thanks,
Rich

Hi @MF-60085,

You can attempt to run the migration again (it won't hurt any existing data for rollback), it may resolve the issue. What version of ProGet did you upgrade to?

Also, it may be helpful to email us the migration log to review in more detail. You can send it to support@inedo.com,use the subject [QA-1121] Migration Log, and let us know you sent it so we can keep an eye out.

Thanks,
Rich

Hi @ForgotMyUsername,

Sorry about that. Looks like the article was changed but not published. I published the updated.

Thanks,
Rich

Hi @markus-karthaus_8928,

The validity check of a certificate ion ProGet is primarily to verify the certificate itself is valid, not if it is valid for ProGet. Any self-signed or internal domain certificate will be invalid by default unless the certificate or certificate authority exists in the trusted root on your server. If it is a purchased certificate, I would check that your certificate's chain is properly installed on your server. If your certificate is a valid certificate but requires a custom certificate chain (many do), that chain will need to be installed on the server for ProGet to validate that properly. A .pfx certificate does not store the certificate chain internally in the file. The browser handles the validation slightly differently, so that is most likely why it seems to work in the browser.

When it comes to the .pem file. There are many ways to generate it, but I'm guessing the certificate chain was stored internally in the pem file, which then does not require the certificate chain to be installed on the server.

I'm speculating on the certificate chain in these cases because seeing why your certificate is not valid requires more than the screenshots you provided. I would actually need to see your certificate itself to truly validate this.

Lastly, when it comes to using a .pem file, .NET tends to be very picky about it's format. It is not as forgiving as other frameworks. If you look in the "HTTPS Binding to a Port (Advanced) (Experimental)" of our HTTPS Support on Windows documentation, we have instructions on how to create a .pem file from a .pfx. I'm not sure if that is what you followed, but that is the simplest way we have found to generate a .pem file that works with .NET.

Hope this helps!

Thanks,
Rich

Hi @h-morgenthaler_3015,

Alana was correct, the change was not merged into the 2023 release. The fix, PG-2350, will be released on Friday in ProGet 2023.4. If you need it earlier than Friday, I can push a pre-release version of ProGet 2023.4 for you. Please let me know!

Thanks,
Rich

Hi @jw,

Does this only happen with that one .snupkg or all of them? Also, could you please verify that the Symbol Server is still enabled on your feed for the "Standard (.snupkg format)" support?

Thanks,
Rich

Hi @markus-karthaus_8928,

The HTTP/S & Certificate Settings page will update the ProGet.config file that is commonly stored at C:\ProgramData\Inedo\SharedConfig\ProGet.config. As long as the inedoprogetwebsvc Window's service's account has write access to that file, it will be able to save. On fresh installs, this will typically work without requiring changes. My guess is something was changed with the executing user or the server permissions that is preventing write access to that configuration file.

You can also manually setup HTTPS by editing the ProGet.config file directly. See the "HTTPS Binding to a Port (Advanced) (Experimental)" section of our HTTPS Support on Windows documenation for the different options.

Thanks,
Rich

Hi @msimkin_1572,

Can you please navigate to your Manage Feed page and verify that JSON-LD (v3) is enabled under the Supported API?

Thanks,
Rich

Hi @msimkin_1572,

Can you please verify that you enabled the standard symbol server on your feed? Also can you please verify that the .snupkg file exists at the same location and name (minus the extension) before you run nuget push?

Thanks,
Rich

Hi @hashim-abu-gellban_3562,

Happy to hear the config fixed your issue on the clair container. In ProGet v2022 we moved the feed vulnerability source to the Reporting & SCA > Vulnerabilities > Configure Vulnerability Download Blocking page. You should be able to wire it up from there. I'll make sure to update our documentation with these changes as well.

Thanks,
Rich

Hi @hashim-abu-gellban_3562,

Can you please tell me which version of ProGet you are running? Are you able to edit your vulnerability source in ProGet?

Thanks,
Rich

Hi @informatique_1359,

Good catch! I updated the Docker-Compose docs to reflect that.

Thanks,
Rich

Hi @informatique_1359,

The error is definitely that the BuildMaster and Otter containers cannot find a server with the name of mssql. I'm surprised that ProGet works, but Docker can be confusing. This seems to be a pretty common docker issue. How I have solved this in the past is to add an alias to the network section on your SQL Server container. For example:

networks:
  databases:
    name: mssql

Because you are using the databases network on ProGet, BuildMaster, and Otter containers also, that will add a hostname of mssql to the docker network and make it accessible by name. I would also suggest adding an alias to your ProGet, BuildMaster, and Otter container configurations to prevent issues with these servers being able to communicate with each other as well.

For more information, see our Docker-Compose installation guide.

Thanks,
Rich

Hi @jwest_6990 ,

So I'm struggling to reproduce this error. For me, it just seems to work. I'm wondering if maybe a DLL got removed (possibly an antivirus false-positive) or conflict with something else installed on the host. Are you able to see a full stack trace? Do you have anything else installed on your Otter server?

Thanks,
Rich

Hi @pfeigl,

Thanks for letting us know. It looks like this is related to how HEAD requests were handled. I went and added that header to head requests also. This will be tracked in PG-2300 and will be released in ProGet 2022.25.

Thanks,
Rich

Hi @jwest_6990,

I'm sorry, somehow I missed that in your previous response. I'm going to attempt to recreate this in our test lab and see if I can get the same error. I'll let you know what I find.

Thanks,
Rich

Hi @OtterFanboy,

Good catch. I'll get the documentation updated shortly to reflect this. The older version of the Inedo Agent was only a 32-bit requirement, but we changed it to a 64-bit requirement in the newer agents. Unfortunately, I don't remember which version it changed in though.

Thanks,
Rich

Hi @jwest_6990,

Are you running Otter on Windows or on Linux (using Docker)?

Thanks,
Rich

Hi @testintergraph_2317,

It looks like there was a hiccup in the release of the updated InedoCore extension. You should now see the ability to upgrade to the InedoCore v2.2.1 version. That includes AD v4. Sorry about the confusion there.

Thanks,
Rich

Hi @arozanski_1087,

I just wanted to let you know that we just released a new version of pgscan, 1.4.2. Going forward it will automatically scan npm packages anytime it is scanning for NuGet packages using a .NET solution or project, there will not be any new parameter needed to enable the search.

We are still working on adding yarn support, but that one will take us a bit of time to add. We will update you when that one is ready to be used.

Thanks,
Rich

Hi @philipp-jenni_7195,

It looks like there was a regression applied to that fix. We have fixed it as part of PG-2288, due in a couple of weeks in ProGet v2022.22. If you would like, I can set up a CI release for you that you can install now using Inedo Hub.

Thanks,
Rich

Hi @pfeigl,

Always happy to help! The new release is scheduled to be available on Friday. After upgrading to it, please inform us if the issue you were experiencing has been resolved or not.

Thanks,
Rich

Hi @pfeigl,

I did some investigation and it does look to be related to our platform upgrade. We will have a fix ready to be released in ProGet v2022.20.

Thanks,
Rich

Hi @rosario-digiovanni_1930,

I was able to reproduce the issue. Please give me a bit of time to dig into this further to determine what is causing it.

Thanks,
Rich

Hi @philipp-jenni_7195,

Thank you very much for the steps to recreate this issue. I was finally able to recreate it and it looks to be easier to recreate on Linux than on Windows. We have created a ticket, PG-2274, to track the fix. We should be able to get this into today's release!

Thanks,
Rich

Hi @philipp-jenni_7195,

I'm sorry, but I'm really struggling to recreate this.

The test I setup was:

• Docker run ProGet 2022.18
  • I also tested on ProGet 2022.15, but this one was on Windows. Functionally they do not differ in upack feed code.
• Create a new upack feed
  • No connectors or other packages
• upack push database-schema-7.60.0.upack to the new feed
• upack push database-schema-7.61.0.upack to the new feed

That all worked. I then proceeded to do different combinations like push 7.61, then 7.60. The only time I was able to get the "Feeds_OverwritePackage" error was when the package already existed in the feed and I tried to push it again (which works as designed).

Do you have anything sitting in front of your Docker image (like a reverse proxy or HTTP request forwarder) that may attempt to resend a request if it takes too long? The only thing that makes sense to me would be the push request is being duplicated and the first succeeds and the second errors because the package already exists.

Thanks,
Rich