Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login
    1. Home
    2. sebastian...
    3. Posts

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    S Offline
    • Profile
    • Following 0
    • Followers 0
    • Topics 10
    • Posts 64
    • Groups 0

    Posts

    Recent Best Controversial
    • Vulnerabilities: finding affected consumers

      Hi there,

      I was wondering: what would be the best/recommended way to identify consuming packages/products of vulnerable packages?

      We currently use OSS Index as a vulnerability source with automatic assessments. For products currently in development, this works fine (vulnerable packages are blocked). However, what happens, when a vulnerability is discovered after a product is released? We use pgscan to add consumer infos to packages for this purpose, but there does not seem to be a very convenient way to get from the list of vulnerabilities to the affected consumers.

      We check the list of vulnerabilities on a regular basis and look for newly discovered vulnerabilities. However, there is no link from the vulnerability to the corresponding packages, never mind a list of consumers. That is why our current workflow is currently a bit cumbersome: we take the list of vulnerabilities, then open a new browser tab to search the corresponding feeds, copy & paste the names of the packages into feed's search, open the package's info package, search for the affected versions of the package and then navigate to "Usage & Statistics" to find the affected consumers. This does not seem to be very efficient. Surely, there must be a better way to do this...?

      posted in Support proget
      S
      sebastian...
    • RE: ProGet Retention Rules: option to keep package statistics

      Thanks for clarifying this! I did a test run with a package that has not been downloaded before and it seems you are correct: The total downloads per version (on the "Overview" and "All Versions" tabs) are reset to zero, but the statistics under "Usage & Statistics" seem to be unaffected.

      posted in Support
      S
      sebastian...
    • ProGet Retention Rules: option to keep package statistics

      It seems that when cached packages are deleted by a retention rule, not just the cached package content is removed from disk, but all statistics are reset as well (we have observed this on our npm proxy feed, but it might affect all feed types). Can anyone say if this affects "Consumers" infos as well?

      It would be nice to have an option to delete only the cached package content (i.e. what you get when you click "Download") but keep all the metadata/statistics (i.e. how often was that package version downloaded, what other packages/products is it consumed by, ...). Does such an option exist and we just missed it?

      posted in Support proget
      S
      sebastian...
    • RE: Permissions only work when set for specific user, not a group (LDAP)

      @kichikawa_2913 Not sure if this is related to your problem, but we had some strange problems after upgrading to ProGet 6.0.8 / 6.0.9 as well, so maybe sharing the following info might help you:

      We first encountered problems after upgrading to ProGet 6.0.8: Users could access feeds, but could not download any packages. After upgrading to version 6.0.9 this was resolved.

      We then had a problem where access became very slow until users could not access any ressources on our ProGet server anymore (even those with "Anonymous" access rights!). We deactivated the "6.1 Preview Features" and restarted everything (including the IIS). This resolved the issue. We also updated the InedoCore extension, but I don' t think this was related to the problem.

      I think the 6.1 features are still kind of buggy. We try to avoid activating them for now.

      posted in Support
      S
      sebastian...
    • 1 / 1