- 12 Aug 2023
HOWTO: Integrate OSS Index with ProGet
ProGet’s integrated vulnerability scanning (ProGet Vulnerability Central, PGVC) lets you assess package vulnerabilities with customizable auto-assessment rules, and it is the recommended way to scan for, assess and block vulnerable packages.
However, many organizations already use OSS Index, or would prefer to. This article walks through configuring OSS Index as the vulnerability source ProGet uses to scan for and assess vulnerabilities.
Step 1: Create or log in to your OSS Index account
To begin, create an OSS Index account or log in to your existing one.
Step 2: Locate your API token
After logging in, open your user settings and locate your API token.
Copy this token; you will enter it in ProGet in a later step. Treat it as a credential: it authenticates requests to OSS Index on behalf of your account, so keep it out of source control, tickets and chat.
Step 3: Disable ProGet Vulnerability Central
In ProGet, navigate to "Administration Overview" > "Vulnerabilities Sources" under "Vulnerability Management".
On the "Manage Vulnerability Sources" page, click "Disable PGVC (not recommended)" to disable ProGet Vulnerability Central. ProGet labels this option "not recommended" because, once PGVC is disabled, vulnerability data comes only from the sources you configure yourself, which for this guide means OSS Index.
Step 4: Add OSS Index as a Vulnerability Source
On the same page, select "add vulnerability source", and select "OSS Index" from the modal window that appears.
Enter a name for the vulnerability source, your OSS Index account email, and the API token you copied in Step 2. Then click "Save". The newly created OSS Index source now appears under "Vulnerability Sources".
Step 5: Run the Vulnerability Scanner and Assess Vulnerabilities
Packages are now ready to be scanned and assessed for vulnerabilities, which can be done by following our HOWTO: Scan and Block Packages in ProGet guide.
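Before concluding that ProGet is misconfigured when a scan comes back empty, it is worth confirming that the email and API token from Step 2 work against OSS Index on their own. The script below is an added example for this guide; it is not code from ProGet, Inedo or Sonatype. It assumes OSS Index's v3 component-report endpoint (POST https://ossindex.sonatype.org/api/v3/component-report with a JSON list of package URLs) authenticated with HTTP Basic auth as email:token, and the field names it reads from the response (coordinates, vulnerabilities, id, title, cvssScore) are assumptions to check against the current OSS Index API documentation. The sample report embedded in it is constructed: the package names and advisory identifiers are placeholders, not real findings.

```python
"""Sanity-check an OSS Index email + API token outside ProGet.

Added example for this guide; not ProGet/Inedo or Sonatype code.
Assumptions (verify against current OSS Index docs):
  - POST https://ossindex.sonatype.org/api/v3/component-report takes
    {"coordinates": [...]} (package URLs) and uses HTTP Basic auth with
    the account email as user name and the API token as password.
  - The response is a list of {"coordinates": ..., "vulnerabilities":
    [{"id", "title", "cvssScore", ...}]} objects.
The SAMPLE_REPORT below is constructed, not real OSS Index output.
"""
import base64
import json
import urllib.error
import urllib.request

OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"


def basic_auth_header(email: str, token: str) -> str:
    """Authorization header value for OSS Index: Basic base64(email:token)."""
    creds = f"{email}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def build_request(coordinates, email: str, token: str) -> urllib.request.Request:
    """Prepare the component-report POST without sending it."""
    body = json.dumps({"coordinates": list(coordinates)}).encode("utf-8")
    req = urllib.request.Request(OSS_INDEX_URL, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    req.add_header("Authorization", basic_auth_header(email, token))
    return req


def summarize_report(report, block_at_cvss: float = 7.0) -> dict:
    """Reduce a component report to one verdict per package.

    This mirrors the shape of an auto-assessment rule: the highest CVSS
    score among a package's known vulnerabilities decides whether it would
    be blocked (>= block_at_cvss) or only flagged.
    """
    verdicts = {}
    for component in report:
        vulns = component.get("vulnerabilities") or []
        scores = [float(v.get("cvssScore") or 0.0) for v in vulns]
        max_cvss = max(scores, default=0.0)
        verdicts[component["coordinates"]] = {
            "count": len(vulns),
            "max_cvss": max_cvss,
            "ids": sorted(v.get("id", "?") for v in vulns),
            "block": max_cvss >= block_at_cvss,
        }
    return verdicts


def check_account(email, token, coordinates, opener=urllib.request.urlopen):
    """Send one authenticated query; returns (status, verdicts).

    status is "ok", "auth_failed" (HTTP 401: wrong email/token pair, the
    usual cause of a silently empty scan) or "http_<code>" otherwise.
    """
    req = build_request(coordinates, email, token)
    try:
        with opener(req, timeout=30) as resp:
            report = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        return ("auth_failed" if exc.code == 401 else f"http_{exc.code}"), {}
    return "ok", summarize_report(report)


# Constructed sample in the shape of an OSS Index component report; the
# package names and identifiers are placeholders, not real advisories.
SAMPLE_REPORT = [
    {
        "coordinates": "pkg:npm/example-package@1.0.0",
        "vulnerabilities": [
            {"id": "SAMPLE-0001", "title": "constructed high-severity finding", "cvssScore": 7.5},
            {"id": "SAMPLE-0002", "title": "constructed medium-severity finding", "cvssScore": 5.3},
        ],
    },
    {"coordinates": "pkg:nuget/Example.Clean@2.0.0", "vulnerabilities": []},
]

if __name__ == "__main__":
    import os
    import sys

    email, token = os.environ.get("OSSINDEX_EMAIL"), os.environ.get("OSSINDEX_TOKEN")
    if email and token:  # live check against OSS Index with your credentials
        status, verdicts = check_account(email, token, [c["coordinates"] for c in SAMPLE_REPORT])
    else:  # offline: exercise the triage logic on the constructed report
        status, verdicts = "ok (offline sample)", summarize_report(SAMPLE_REPORT)
    print(status)
    for coord, v in verdicts.items():
        print(f"{'BLOCK' if v['block'] else 'allow'}  {coord}  max CVSS {v['max_cvss']}  {v['ids']}")
    sys.exit(0 if status.startswith("ok") else 1)
```

Set OSSINDEX_EMAIL and OSSINDEX_TOKEN in the environment to run the live check; without them the script only exercises the triage logic on the constructed sample. A result of "auth_failed" means the email/token pair itself is rejected by OSS Index, which is worth fixing before spending time on ProGet's vulnerability-source configuration.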
Troubleshooting
Issue: The option to configure a vulnerability source, or to select OSS Index, is missing.
This usually means the Sonatype extension is not installed. Navigate to "Administration Overview" > "Extensions" under "Integrations & Extensibility".
Next, click the "Sonatype" box under "Available Extensions" and install the extension. It should then appear under "Installed Extensions".
Issue: Instead of an option to create a vulnerability source, you only see "Configure".
First, verify that your vulnerability source exists by navigating to "Administration Overview" > "Vulnerability Sources" under "Vulnerability Management". If there is not already an OSS Index-based vulnerability source there, create one by clicking "add vulnerability source".
If you do not have the option to create a new vulnerability source, please verify your Sonatype extension is installed.
Now, navigate to "Reporting & SCA" > "Vulnerabilities" and click on "Configure Vulnerability Download Blocking".
From here you can select the feeds that you wish to use blocking rules with.
Issue: ProGet isn't scanning for vulnerabilities right away
By default, the vulnerability download job scans packages at 2:00 AM every day. To have your packages scanned immediately, run the vulnerability scanner manually, as described in the "Run the Vulnerability Scanner and Assess Vulnerabilities" step of this guide.
Alternatively, the first time you navigate to "Reporting & SCA" > "Vulnerabilities", you will be prompted to "Run Job Now".