- 24 Mar 2023
- 2 Minutes to read
Projects and Releases
- Updated on 24 Mar 2023
- 2 Minutes to read
With Projects and Releases in ProGet, you can track the open source and third-party components (packages) your organization uses and identify issues such as vulnerabilities, license violations, and missing packages.
Projects and Releases will be automatically created when you integrate ProGet into your CI/CD pipeline, but you can also create, edit, and delete projects and releases from the web UI or by using the SCA API.
A project represents an application, microservice, or other software component built with open source or third-party software packages. Projects have a few basic fields and contain any number of releases.
|Name||This name is used when uploading/importing SBOM files to identify which project they belong to, and is also used when exporting SBOM files|
|Description||Markdown-formatted text that will be displayed under the project, and exported with the SBOM file|
|URL||Not displayed in the UI, but exported with the SBOM file|
|Type||Not displayed in the UI, but exported with the SBOM|
|Owner||An email address that will be notified when issues are discovered|
In general, projects should be used for deployable software, not library packages. For example, a NuGet or npm package uses dependencies to specify the packages it needs. These dependencies usually don't specify an exact version number, but a range of versions that are acceptable.
This means that you generally cannot know what specific versions of other library packages a library package will use until you actually try to use it.
A release represents a specific version of an application, microservice, or other software component and contains an inventory (a list) of the names and specific versions of third-party and open-source components (packages) used to create that release.
When ProGet detects an issue with one of these packages, such as an unwanted license or a new security vulnerability, an issue is created and the project owner is notified. From there, the issue can be remediated or resolved.
See Release Analysis & Issues to learn more.
The Packages tab on the release overview page displays all packages included in the release, their licenses, and security vulnerabilities.
Packages can be added to a release by uploading an SBOM document to the release.
If you need to add, remove, or modify packages to a release, navigate to Edit Release > Edit Packages and modify the provided package list. This should be done infrequently, as packages should be added automatically during the build process. You can also delete packages from the Packages tab.
Status & Lifecycle
You can mark a release as "inactive", which means that it will no longer be analyzed or displayed on the Usage tab of a package. Releases should be considered active if they are currently in development or production, and inactive if they have never been deployed or are no longer in use.