Topics created by sebastian...

@sebastian said in Problem with PGV-22381O7 (tree-kill1.2.2 incorrectly flagged vulnerable): There should be a special treatment for withdrawn vulnerabilities within ProGet. Maybe not deleting them (because I'm pretty sure there will be cases where I will be looking at a package and think "I swear this one had a vulnerability, but now I can't find it?" ), but maybe auto-assess a special status to it. That's what we were worried about as well, having them dissapear. Perhaps we just delete ones without assessments, and if you set a withdrawn vulnerability unassessed, it gets deleted

Hi @sebastian, I took a quick look, but its not a simple cherry-pick; this is a bug in the code that does policy analysis, and there were enough changes between ProGet 2023 and ProGet 2024 in that to make it a bit risky / time-consuming to bring over... Thanks, Alana

Hi @sebastian, That option can be ignored. We have decided to remove that option from the feature because it was only something that changed a UI color and had no real affect on the operation. It looks like we missed it in that UI. We will remove that in an upcoming release of ProGet. Thanks, Rich

Hi Alex, thanks for the feedback and the sneak peak at Proget 2024. Just a little background on how this came up: A developer actually came to me the other day and asked "Hey, can I use packages with license XYZ?", and my initial reply was "Well, just check what our Proget server says about that license" (we also have a written policy on how to handle the most common open source licenses, but it's not as frequently updated as our Proget license rules), but then I realized "Oh wait, you probably can't see whether there is an explicit rule about that license, because you don't have access to the license rule page..." I'm looking forward to those new features in Proget 2024, and I'm pretty sure they might change some of our workflows. If after testing Proget 2024 I still feel like there is a need for developers to see details about rules, even though they can't edit them, I will update this post. Have a nice weekend!

@sebastian thanks for confirming! I've added this as something to fix via PG-2441 and targeted it as 2013.14 (next Friday), but it's a lower-priority issue so it will may get "bumped" to the next or following depending on other issues

Hi @sebastian There is no plan to add user-configurable scheduled job capabilities to ProGet, and it's unlikely we would consider that since they are really hard to support. We do have our Otter product that's designed for that However, in ProGet 2022, we considered a periodic "check" for packages in a feed against the source; the use case was "is a newer patch version available" - and if so, then an issue would be raised about using an out-of-date package. We obviously didn't implement that. But it seems we could take a similar approach and then also check for unlisting/deprecation as well. This might be something that comes up in our ProGet 2024 planning. But in either case, it still involves lots and lots of web calls to check each package against the source - so I would start with a a script and see what you find out. Thanks, Alana

Hi @apxltd, Wow, that was fast... I noticed that this was apparently already implemented in 2023.5 (PG-2359). Just wanted to let you know that I tested this with 2023.6 and it works like a charm

Hi @atripp, I just tested the implementation of this with ProGet 2023.1 with the aforementioned atob npm package. The filtering works perfect. The package uses "MIT OR Apache-2.0", and as long as at least one of those two licenses is configured as allowed, the package can be downloaded. Only when both licenses are configured as "blocked", the package is also blocked. This works 100% as expected! When I check the general page of the atob package, "License Information" on the "Overview" tab displays both licenses and their corresponding blocking configurations correctly. However, when I go to a specific version, the version's "Overview" tab will always state This package has a MIT license, and may be used because of configured license filtering policies, even if MIT is actually blocked and only Apache-2.0 is allowed. This only changes when both licenses are blocked (In which case the page states Packages with the MIT license cannot be downloaded due to a global license rule). Looks like this is just optics. As I said, the blocking itself seems to work exactly as expected.

Hi @stevedennis, having a PackageLicense table would be great for two reasons: a) It would give as the ability to do some reporting on used licenses. b) There are lots of packages that use embedded license files. ProGet already has a feature where we can manually assign the corresponding license to a specific version of a package, but as far as I can tell, this is done by generating a pseudo URL for each package and assigning that URL to the corresponding license. While this does work fine as long as it is done only for a small number of packages, I'm not so sure how it affect usability (and maybe performance) when this is done on a larger scale. Having a separate table that connects packages (or package versions) to specific licenses might be a cleaner way to store and process that information. I'd have to check whether we could give you a dump of our database, but we are only just starting to use ProGet, so there isn't really too much data there yet. The fact that we are new to this is actually the reason we are so interested in reports about licenses and vulnerabilities: We are setting up workflows, etc. and at some point we want to completely block downloads of vulnerable packages or packages that use restrictive/unknown licenses, but before we activate hard filtering rules we want to get an overview on how this would affect products currently in development (so we can adapt our rules or define exceptions). At the moment we are generating data by integrating pgscan to our build pipelines and gathering download statistics for packages (and hope that we will be able to analyze that data in a useful way), so feel free to reach out in a month or so. Maybe we will have enough meaningful data to be of use for you guys by then. Cheers, Sebastian

Thanks for clarifying this! I did a test run with a package that has not been downloaded before and it seems you are correct: The total downloads per version (on the "Overview" and "All Versions" tabs) are reset to zero, but the statistics under "Usage & Statistics" seem to be unaffected.