Contents x
    Releases Analysis & Issues
    • 24 Mar 2023
    • 1 Minute to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    Releases Analysis & Issues

    • Updated on 24 Mar 2023
    • 1 Minute to read
    • Print
    • Dark
      Light
    • PDF
    Article Summary

    ProGet will routinely analyze your active releases for new vulnernabilities or unwanted licenses in the packages it uses. When such a package is found, ProGet will create an "issue" on the release that you can resolve.

    ProGet Release Issues

    Release Issues

    The first time ProGet detects an issue with one of the packages in a release, it's added to the release as an unresolved issue.

    An issue can then be fixed in one of two ways:

    • Automatically resolved; the next time ProGet analyzes a release and the issue is no longer present, it's automatically resolved
    • Manually resolved; a user can mark an issue as resolved after determining that the issue has no impact on the release

    Resolve Issue

    Issues can also be deleted, but they will then probably reappear in the next release analysis.

    There are three types of issues that ProGet will identify:

    Missing Package

    This means that the package isn't stored in ProGet and that ProGet isn't able to check the package for security vulnerabilities, obsolete packages or license violations.

    In general, there are two ways this can happen:

    • The release was built without referencing ProGet; for example, if the build server directly accesses a public repository such as 'nuget.org' or 'npmjs.org', then ProGet didn't cache or otherwise use this package. To fix this, make sure your build servers only communicate with ProGet.
    • Package was deleted from ProGet; this may be a result of a retention rule that deletes cached packages. To fix this, ensure that the retention rules don't delete used packages

    Vulnerable Package

    This means that the package has a vulnerability with one of the following assessment states:

    • "Severe" or "Warning"; these are built-in severity levels
    • "Custom" and Blocked; for custom severity level, if you selected "block downloads"
    • Unassessed and Block Unassessed; if the vulnerability has not been assessed, but "block unassessed" is configured as system-level option

    Unwanted License Package

    This means that the package uses a license that would normally cause the download to be blocked. For example, if the package has a GPL-3 license, and there is a block rule for that particular license.

    Unwanted License Packages will not automatically resolve unless you change license blocking rules.

    Was this article helpful?
    What's Next
    Windows-first DevOps Tools.
    Products
    Company
    Support
    Follow us
    My Inedo
    Connect with Inedo
      Copyright © Inedo LLC. All Rights Reserved