RE: KeyNotFoundException when using pgscan

@dean-houston

This was a package that came from a local workspace, skipping seems the right solution as you can never check these packages for vulnerabilities.

Hi,

We started using Proget and pgscan for our frontend code but get a KeyNotFoundException exception in pgscan\Inedo.DependencyScan\NpmDependencyScanner.cs line 81

string version = npmDependencyPackage.Value.GetProperty("version").GetString();

This is the bit of json from the lock-file it fails on and as you can see there is no version attribute.

"node_modules/@vicrea-neuron/eslint-plugin": {
  "resolved": "packages/eslint-plugin",
  "link": true
},

With kind regards,

Valentijn

Thanks, I updated and feed cleanup is back to seconds instead of hours

In todays log there is some more information:

Unhandled exception: Microsoft.Data.SqlClient.SqlException (0x80131904): There is insufficient system memory in resource pool 'internal' to run this query.
   at Microsoft.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at Microsoft.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
   at Microsoft.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
   at Microsoft.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows)
   at Microsoft.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more)
   at Microsoft.Data.SqlClient.SqlDataReader.Read()
   at Inedo.Data.StrongDataReader.<Read>g__read|11_1[TRow](<>c__DisplayClass11_0`1& )
   at Inedo.Data.StrongDataReader.Read[TRow](IDbDataResult dbResult)+MoveNext()
   at Inedo.Data.StrongDataReader.Read[TRow](Func`1 getReader, Boolean disposeReader)+MoveNext()
   at Inedo.ProGet.Feeds.StandardPackageFeed`3.<>c__DisplayClass58_0.<<Inedo-ProGet-Feeds-IRetentionFeed<Inedo-ProGet-Feeds-StandardRetentionPackage<TVersion>>-EnumerateItemsAsync>g__iterateOneToOne|1>d.MoveNext()
   at Inedo.EnumerableExtensions.AsyncIterator`1.Enumerator.MoveNextAsync()
   at Inedo.ProGet.Feeds.IRetentionFeed`1.Inedo.ProGet.Feeds.IRetentionFeed.EnumerateItemsAsync(Boolean cachedOnly, Boolean prereleaseOnly, CancellationToken cancellationToken)+MoveNext()
   at Inedo.ProGet.Feeds.IRetentionFeed`1.Inedo.ProGet.Feeds.IRetentionFeed.EnumerateItemsAsync(Boolean cachedOnly, Boolean prereleaseOnly, CancellationToken cancellationToken)+MoveNext()
   at Inedo.ProGet.Feeds.IRetentionFeed`1.Inedo.ProGet.Feeds.IRetentionFeed.EnumerateItemsAsync(Boolean cachedOnly, Boolean prereleaseOnly, CancellationToken cancellationToken)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult()
   at Inedo.ProGet.Feeds.RetentionRunner.RunRetentionRuleAsync(FeedRetentionRuleConfiguration rule, Int32 sequenceNumber, Boolean retentionDryRun, CancellationToken cancellationToken)
   at Inedo.ProGet.Feeds.RetentionRunner.RunRetentionRuleAsync(FeedRetentionRuleConfiguration rule, Int32 sequenceNumber, Boolean retentionDryRun, CancellationToken cancellationToken)
   at Inedo.ProGet.Feeds.RetentionRunner.PerformRetentionAsync(Boolean dryRun, CancellationToken cancellationToken)
   at Inedo.ProGet.ScheduledTasks.Feed.FeedCleanupScheduledTask.ExecuteAsync(ScheduledTaskContext context)
   at Inedo.ProGet.Service.Executions.ActiveScheduledTaskExecution.ExecuteAsync()
ClientConnectionId:9f725e0d-f135-46ae-8b92-fb58605389c0
Error Number:701,State:123,Class:17

Hi

I upgrade whenever the website gives me a warning so the previous version was probably 2023.14 (can't find the previous version in the logfile)

It looks like the problem is with the feed cleanup as that takes a long time and gives an error.

Vicrea FeedCleanup 8/24/2023 1:43 AM - Normal Executing
Vicrea FeedCleanup 8/23/2023 1:58 AM 6h 32min Error Completed
Vicrea FeedCleanup 8/22/2023 1:49 AM 7h 29min Error Completed

The log doesn't say anything usefull:

DEBUG: 2023-08-22 23:58:38Z - Beginning cleanup for Vicrea (NuGet) feed.
INFO : 2023-08-22 23:58:38Z - Starting feed retention check...
DEBUG: 2023-08-22 23:58:38Z - Checking for feed retention rules...
DEBUG: 2023-08-22 23:58:38Z - Feed has 1 retention rule.
INFO : 2023-08-22 23:58:38Z - Running in dry run mode...
INFO : 2023-08-22 23:58:38Z - Checking rule 1...
DEBUG: 2023-08-22 23:58:38Z - Only delete packages that have not been requested in the last 90 days (since 5/25/2023 1:58:38 AM)
DEBUG: 2023-08-22 23:58:38Z - Only delete packages that have been downloaded fewer than 1 times.
DEBUG: 2023-08-22 23:58:38Z - Never delete the most recent 1 versions of packages.
INFO : 2023-08-22 23:58:38Z - Finding packages that match retention rule 1...

Hi,

We upgraded to Proget 2023.15 but now every morning the server is unavailable.

We see low virtual memory warnings in the eventlog mentioning the ProGet service.

ProGet.Service.exe (2812) consumed 10.343.374.848 bytes,

I uploaded the missing packages again by dropping everything I had in my local cache to the DropFolder en got my builds working again.

But when I look at one of the missing packages its shows up with all the download history when seen from the package itself but when I look at usage from the specific version its shows no recent downloads but only downloads fromn last month.

From build logs
NU1101: Unable to find package Neuron.Tenant.Monitor. No packages exist with this id in source(s): Vicrea, VicreaNuGet

Seen from package

Seen from specific version

Hi,

This is our setup, we force build all our products once a week and delete the nuget cache on the build server the night before. We had the default retention rule to delete packages that have not been requested in the last 90 days and that have been downloaded fewer than 1 times.

This works fine but packages that where downloaded once by a developer and later replaced by newer versions started to accumelate so I changed downloaded fewer that 1 times to 2 times. Reasening that every really used package is downloaded at least 12 times in the last 90 days because of the cleaned cache and the forced build.

Somehow this week packages that are clearly used are missing and I can see in the retention log that they have been deleted and i'm sure that they where downloaded more than twice in the last 90 days.

@stevedennis

I repackaged the Owin package but didn't relalize that that would break all my builds as the dll's are now in a 1.0.0 folder where all the project files expect them in the 1.0 folder.

I guess this would work if the projects are in sdk project format but most of them are not.

Hi,

We recently starting using SCA and have most of our products in there now but almost all of them show some unresolved issues.

It's always "Missing Package" but most often the same package is listed in the same list as resolved.

Some examples from different products:

#34 Owin 1.0.0 Unknown License Resolved on 5/9/2023 11:55 PM
#89 Owin 1.0.0 Missing Package Unresolved
(this one pops up in quite a few products)

#11 Microsoft.Web.Infrastructure 1.0.0 Unknown License Resolved on 5/13/2023 11:49 PM
#24 Microsoft.Web.Infrastructure 1.0.0 Missing Package Unresolved

#1 AutoMapper 10.1.1 Unknown License Resolved on 5/15/2023 5:30 PM
#57 AutoMapper 10.1.1 Missing Package Unresolved
#56 WiX 3.11.2 Unknown License Resolved on 5/15/2023 5:30 PM
#58 WiX 3.11.2 Missing Package Unresolved

All packages are exclusivly downloaded through Proget en we clean our nuget cache once a week on the buildservers.

We are running Version 2023.7 (Build 10)

Any tips on how to resolve there issues are welcome

I installed Version 2023.2 (Build 12) and added the @ back to the folder name and downloading now works.

But quering the versions does not work.

$ npm view @vicrea-neuron/kendo-theme versions
npm ERR! code E404
npm ERR! 404 Not Found - GET https://packages.vicrea.nl/npm/VicreaNpm/@vicrea-neuron%2fkendo-theme - Package not found.
npm ERR! 404
npm ERR! 404  '@vicrea-neuron/kendo-theme@latest' is not in this registry.
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

I renamed the folder on the server and downloading npm packages works.

After upgrading to 2023 we can no longer download npm packages.

An error occurred in the web application: Could not find a part of the path 'D:\ProGet\Packages.npm\F9\vicrea-neuron\kendo-theme\0.1.23\package.tgz'.

The real path where the package is located is
D:\Proget\Packages.npm\F9\@vicrea-neuron\kendo-theme\0.1.23\package.tgz

Somehow the @ in the path has disappeared.
Should we rename things on the server or update the database somehow.

Hi,

I just added all available sources as I didn't know which one to choose

• OSS Index
• PGVC
• ProGet Vulnerability Central

For now I removed OSS Index and ProGet Vulnerability Central and only have PGVC
(not sure what the difference between ProGet Vulnerability Central and PGVC is)

I set severity for these two vulnerabilities to caution
GHSA-wc69-rhjr-hc9g : Moment.js vulnerable to Inefficient Regular Expression Complexity
GHSA-8hfj-j24r-96c4 : Path Traversal: 'dir/../../filename' in moment.locale

Cleared the NuGet cache and ran a build that uses this package.

Then I started experimenting with turning things on and off and running the Tasks VulnerabilityDownloader and VulnerabilityDownloader.

With only PGVC I see only this one but not the other ones
GHSA-8hfj-j24r-96c4 : Path Traversal: 'dir/../../filename' in moment.locale

With OSS and PGVC I see 11 vulnerabilities but no duplicates

With all three I see 12 vulnerabilities and a duplicate for GHSA-8hfj-j24r-96c4
When I select them they have the same ID but vulnerabilityId in the url is different.

For now I turned ProGet Vulnerability Central off or should I used that one and turn PGVC off?

I'm using Version 2022.27 (Build 9)

Hi,

We recently started with the Software Composition Analysis feature of Proget and now have a good overview of the packages we use. We have set all unassesed vulnerabilities on caution so the builds won't fail but we do have a good overview of the vulnerabilities.

Weekly we clean the NuGet caches and run all our builds but these fail as a lot of assessments seem to reset and block the download. Here is an example but there are many many packages where we need to assess the same vulnerability over and over again which is tedious and in the end undoable.

Also:
I did remove the second website as we want ProGet to be running on the default web site on port 443 (https).

Installed the .NET 6.0 Web Hosting Bundle
I did a complete uninstall, an new install (choosing IIS)
Changed the application pool to No Managed Code and Integrated pipeline mode

And now it works, thank you for the tips.

I tried to upgrade again but simply changing the path IIS is not enough.

HTTP Error 500.19 - Internal Server Error
The requested page cannot be accessed because the related configuration data for the page is invalid.

We upgraded from 6.0.18 to 22.0.1 with InedoHub but the Web folder was missing and we could not longer access ProGet through IIS en https

When I use an api key, there seem to be no caching problems.

So I have this in my .npmrc
_auth=<base encoded string api:key>

I disabled the cache, but when I publish a new package its still not visible.

Version 1 is published
$ pnpm view @vicrea-neuron/progettest versions
[ '1.0.0' ]

Publish version 2
$ npm publish
npm notice
npm notice package: @vicrea-neuron/progettest@2.0.0
npm notice === Tarball Contents ===
npm notice 64B package.json
npm notice === Tarball Details ===
npm notice name: @vicrea-neuron/progettest
npm notice version: 2.0.0
npm notice package size: 162 B
npm notice unpacked size: 64 B
npm notice shasum: 7187dcb1f33b4025539a79b0728b0b33dd44af9a
npm notice integrity: sha512-G+8QbHgghLq4g[...]/Cn6P+qby28eQ==
npm notice total files: 1
npm notice

• @vicrea-neuron/progettest@2.0.0

It does not show up
$ pnpm view @vicrea-neuron/progettest versions
[ '1.0.0' ]

Only after an IIS reset version 2 is visible
$ pnpm view @vicrea-neuron/progettest versions
[ '1.0.0', '2.0.0' ]

As far as I know I did not do anything other then what the documentation said.
Which IIS settings would you like to see?

We changed from http to https using this documentation

https://docs.inedo.com/docs/various-iis-switching-to-iis

But now when we publish an npm package with npm publish we don't see the new version with pnpm view only after an IIS reset is the new package visible.

The package also don't show up in Latest Local Packages list, but do after an IIS reset