    Inedo Community Forums
    Topics created by sebastian...

    • Problem with PGV-22381O7 (tree-kill1.2.2 incorrectly flagged vulnerable)
      Support • sebastian...
      0 Votes • 4 Posts • 15 Views

      atripp: @sebastian said in Problem with PGV-22381O7 (tree-kill1.2.2 incorrectly flagged vulnerable): There should be a special treatment for withdrawn vulnerabilities within ProGet. Maybe not deleting them (because I'm pretty sure there will be cases where I will be looking at a package and think "I swear this one had a vulnerability, but now I can't find it?"), but maybe auto-assess a special status to it. That's what we were worried about as well, having them disappear. Perhaps we just delete ones without assessments, and if you set a withdrawn vulnerability unassessed, it gets deleted.
    • License expression detection not working (for npm packages) in ProGet 2023.34?
      Support • sebastian...
      0 Votes • 6 Posts • 26 Views

      atripp: Hi @sebastian, I took a quick look, but it's not a simple cherry-pick; this is a bug in the code that does policy analysis, and there were enough changes between ProGet 2023 and ProGet 2024 in that to make it a bit risky / time-consuming to bring over... Thanks, Alana
    • Proget: Documentation of 2024 Projects Preview feature
      Support • sebastian...
      0 Votes • 4 Posts • 17 Views

      rhessinger: Hi @sebastian, That option can be ignored. We have decided to remove that option from the feature because it was only something that changed a UI color and had no real effect on the operation. It looks like we missed it in that UI. We will remove that in an upcoming release of ProGet. Thanks, Rich
    • Proget feature request: indicate license rules in all views.
      Support • sebastian...
      0 Votes • 3 Posts • 13 Views

      sebastian...: Hi Alex, thanks for the feedback and the sneak peek at Proget 2024. Just a little background on how this came up: A developer actually came to me the other day and asked "Hey, can I use packages with license XYZ?", and my initial reply was "Well, just check what our Proget server says about that license" (we also have a written policy on how to handle the most common open source licenses, but it's not as frequently updated as our Proget license rules), but then I realized "Oh wait, you probably can't see whether there is an explicit rule about that license, because you don't have access to the license rule page..." I'm looking forward to those new features in Proget 2024, and I'm pretty sure they might change some of our workflows. If after testing Proget 2024 I still feel like there is a need for developers to see details about rules, even though they can't edit them, I will update this post. Have a nice weekend!
    • PGVC: Blocked packages cannot be unblocked
      Support • proget pgvc • sebastian...
      0 Votes • 8 Posts • 29 Views

      atripp: @sebastian thanks for confirming! I've added this as something to fix via PG-2441 and targeted it as 2013.14 (next Friday), but it's a lower-priority issue so it may get "bumped" to the next or following depending on other issues.
    • ProGet: Handling of deprecated NuGet packages
      Support • proget • sebastian...
      0 Votes • 8 Posts • 47 Views

      atripp: Hi @sebastian, There is no plan to add user-configurable scheduled job capabilities to ProGet, and it's unlikely we would consider that since they are really hard to support. We do have our Otter product that's designed for that. However, in ProGet 2022, we considered a periodic "check" for packages in a feed against the source; the use case was "is a newer patch version available" - and if so, then an issue would be raised about using an out-of-date package. We obviously didn't implement that. But it seems we could take a similar approach and then also check for unlisting/deprecation as well. This might be something that comes up in our ProGet 2024 planning. But in either case, it still involves lots and lots of web calls to check each package against the source - so I would start with a script and see what you find out. Thanks, Alana
    • Questions about the new ProGet Vulnerability Central (PGVC)
      Support • sebastian...
      0 Votes • 18 Posts • 67 Views

      sebastian...: Hi @apxltd, Wow, that was fast... I noticed that this was apparently already implemented in 2023.5 (PG-2359). Just wanted to let you know that I tested this with 2023.6 and it works like a charm.
    • SPDX license expressions
      Support • proget • sebastian...
      0 Votes • 9 Posts • 33 Views

      sebastian...: Hi @atripp, I just tested the implementation of this with ProGet 2023.1 with the aforementioned atob npm package. The filtering works perfectly. The package uses "MIT OR Apache-2.0", and as long as at least one of those two licenses is configured as allowed, the package can be downloaded. Only when both licenses are configured as "blocked" is the package also blocked. This works 100% as expected! When I check the general page of the atob package, "License Information" on the "Overview" tab displays both licenses and their corresponding blocking configurations correctly. However, when I go to a specific version, the version's "Overview" tab will always state "This package has a MIT license, and may be used because of configured license filtering policies", even if MIT is actually blocked and only Apache-2.0 is allowed. This only changes when both licenses are blocked (in which case the page states "Packages with the MIT license cannot be downloaded due to a global license rule"). Looks like this is just optics. As I said, the blocking itself seems to work exactly as expected.
    • Vulnerabilities: finding affected consumers
      Support • proget • sebastian...
      0 Votes • 9 Posts • 37 Views

      sebastian...: Hi @stevedennis, having a PackageLicense table would be great for two reasons: a) It would give us the ability to do some reporting on used licenses. b) There are lots of packages that use embedded license files. ProGet already has a feature where we can manually assign the corresponding license to a specific version of a package, but as far as I can tell, this is done by generating a pseudo URL for each package and assigning that URL to the corresponding license. While this does work fine as long as it is done only for a small number of packages, I'm not so sure how it affects usability (and maybe performance) when this is done on a larger scale. Having a separate table that connects packages (or package versions) to specific licenses might be a cleaner way to store and process that information. I'd have to check whether we could give you a dump of our database, but we are only just starting to use ProGet, so there isn't really too much data there yet. The fact that we are new to this is actually the reason we are so interested in reports about licenses and vulnerabilities: We are setting up workflows, etc. and at some point we want to completely block downloads of vulnerable packages or packages that use restrictive/unknown licenses, but before we activate hard filtering rules we want to get an overview of how this would affect products currently in development (so we can adapt our rules or define exceptions). At the moment we are generating data by integrating pgscan into our build pipelines and gathering download statistics for packages (and hope that we will be able to analyze that data in a useful way), so feel free to reach out in a month or so. Maybe we will have enough meaningful data to be of use for you guys by then. Cheers, Sebastian
    • ProGet Retention Rules: option to keep package statistics
      Support • proget • sebastian...
      0 Votes • 3 Posts • 8 Views

      sebastian...: Thanks for clarifying this! I did a test run with a package that has not been downloaded before and it seems you are correct: The total downloads per version (on the "Overview" and "All Versions" tabs) are reset to zero, but the statistics under "Usage & Statistics" seem to be unaffected.