HOWTO: Integrate OSS Index with ProGet
  • 12 Aug 2023



ProGet's integrated vulnerability scanning lets you assess package vulnerabilities by setting up customized auto-assessment rules, and it is the recommended way to scan for, assess, and block vulnerabilities.

However, many organizations may already be using, or wish to use, OSS Index for this purpose. This article walks through how to integrate OSS Index with ProGet to scan for and assess vulnerabilities.

Step 1: Create or Log In to Your OSS Index Account

To begin, create or log in to your OSS Index account.

Sonatype OSS Index Sign In Page

Step 2: Locate your API token

After logging in, navigate to user settings and locate your API token.

User Settings Page With API Token

Copy this API token (referred to as the API key in ProGet), as you will need it in a later step.

Step 3: Disable ProGet Vulnerability Central

In ProGet, navigate to "Administration Overview" > "Vulnerabilities Sources" under "Vulnerability Management".

Administration Overview

On the "Manage Vulnerability Sources" page, click "Disable PGVC (not recommended)" to disable ProGet Vulnerability Central.

Manage Vulnerability Sources

Step 4: Add OSS Index as a Vulnerability Source

On the same page, select "add vulnerability source", and select "OSS Index" from the modal window that appears.

Add Vulnerability Source

Enter a name for the vulnerability source, your OSS Index account email, and the API key you copied in Step 2. Then click "Save". You will now see the newly created OSS Index source listed under "Vulnerability Sources".

Add OSS Index
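The email and API key entered in Step 4 are the credentials ProGet uses to query OSS Index on your behalf. The following script is an added example, not part of this article or of Inedo's or Sonatype's code, that lets you sanity-check a token before saving it in ProGet and shows the kind of auto-assessment rule ProGet applies to the results. It assumes the OSS Index v3 endpoint `POST https://ossindex.sonatype.org/api/v3/component-report`, which accepts `{"coordinates": [<package URL>, ...]}` and authenticates with HTTP Basic (username = account email, password = API token); the `OSSINDEX_EMAIL`/`OSSINDEX_TOKEN` variable names, the 7.0 CVSS threshold, and the sample report it falls back to offline are constructed for illustration.

```python
"""Check an OSS Index email/API-token pair and assess a component report.

Added example, not from the ProGet article or Inedo's code. Assumptions:
OSS Index v3 exposes POST /api/v3/component-report taking
{"coordinates": [<purl>, ...]} and authenticates with HTTP Basic
(username = account email, password = API token). The report shape,
the CVSS threshold and the sample data below are constructed.
"""
import base64
import json
import os
import urllib.request

OSS_INDEX_REPORT_URL = "https://ossindex.sonatype.org/api/v3/component-report"

# Constructed sample report in the shape the example expects; used offline.
SAMPLE_REPORT = [
    {"coordinates": "pkg:npm/example-clean@1.0.0", "vulnerabilities": []},
    {
        "coordinates": "pkg:npm/example-risky@2.3.4",
        "vulnerabilities": [
            {"id": "PLACEHOLDER-ID-1", "title": "constructed finding", "cvssScore": 9.8},
            {"id": "PLACEHOLDER-ID-2", "title": "constructed finding", "cvssScore": 5.3},
        ],
    },
]


def basic_auth_header(email: str, api_token: str) -> str:
    """Build the HTTP Basic Authorization value: base64("email:token")."""
    raw = f"{email}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_report_request(email: str, api_token: str, purls) -> urllib.request.Request:
    """Prepare the component-report request without sending it."""
    body = json.dumps({"coordinates": list(purls)}).encode("utf-8")
    headers = {
        "Authorization": basic_auth_header(email, api_token),
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return urllib.request.Request(OSS_INDEX_REPORT_URL, data=body, headers=headers, method="POST")


def fetch_report(email: str, api_token: str, purls):
    """Send the request; a 401 here means the email/token pair is wrong."""
    with urllib.request.urlopen(build_report_request(email, api_token, purls), timeout=30) as resp:
        return json.load(resp)


def assess_report(report, block_at_or_above: float = 7.0):
    """Simple auto-assessment rule: block a component if its highest CVSS
    score reaches the threshold. Returns {purl: (max_score, decision)}."""
    decisions = {}
    for component in report:
        scores = [float(v.get("cvssScore") or 0) for v in component.get("vulnerabilities", [])]
        top = max(scores, default=0.0)
        decisions[component["coordinates"]] = (top, "block" if top >= block_at_or_above else "allow")
    return decisions


if __name__ == "__main__":
    email = os.environ.get("OSSINDEX_EMAIL")
    token = os.environ.get("OSSINDEX_TOKEN")
    purls = [c["coordinates"] for c in SAMPLE_REPORT]
    # Query OSS Index only when real credentials are supplied; otherwise assess the sample.
    report = fetch_report(email, token, purls) if email and token else SAMPLE_REPORT
    for purl, (score, decision) in assess_report(report).items():
        print(f"{decision:5} {score:4.1f} {purl}")
```

Run it with the two environment variables set to the email and token from Step 2: a successful response confirms the pair ProGet will store, while an HTTP 401 means the token was copied incorrectly. Without the variables it assesses the constructed sample, which is enough to see how a threshold rule turns a report into allow/block decisions.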

Step 5: Run the Vulnerability Scanner and Assess Vulnerabilities

Packages are now ready to be scanned and assessed for vulnerabilities, which can be done by following our HOWTO: Scan and Block Packages in ProGet guide.

Troubleshooting

Issue: The option to configure a vulnerability source or to select OSS Index is missing.

This is usually because the Sonatype extension is not installed. To verify, navigate to "Administration Overview" > "Extensions" under "Integrations & Extensibility".

Administration Overview

Next, click on the "Sonatype" box under "Available Extensions" and install the extension. It should now appear under "Installed Extensions".

Sonatype extension

Issue: Instead of having an option to create a vulnerability source, you only see "Configure".

First, verify that your vulnerability source exists by navigating to "Administration Overview" > "Vulnerability Source" under "Vulnerability Management". If there is not already an OSS Index-based vulnerability source there, create a new vulnerability source by clicking "add vulnerability source".

Add Vulnerability Source

If you do not have the option to create a new vulnerability source, verify that your Sonatype extension is installed (see the previous issue).

Now, navigate to "Reporting & SCA" > "Vulnerabilities" and click on "Configure Vulnerability Download Blocking".

Configure Blocking

From here you can select the feeds that you wish to use blocking rules with.

Blocking Rules

Issue: My ProGet isn't scanning for vulnerabilities right away

By default, packages are scanned by the vulnerability downloader at 2:00 AM every day. To get your packages scanned immediately, we recommend manually running the vulnerability scanner now; refer to the "Run the Vulnerability Scanner and Assess Vulnerabilities" step of this guide.

Alternatively, when you navigate to "Reporting & SCA" > "Vulnerabilities" for the first time, you will be prompted to "Run Job Now".

First-time scan
