Releases Analysis & Issues
  • 28 Jun 2022


ProGet will routinely analyze your active releases for new vulnerabilities or unwanted licenses in the packages they use. When such a package is found, ProGet will create an "issue" on the release that you can resolve.

[Screenshot: ProGet Release Issues]

Release Issues

When ProGet first detects an issue with one of the packages in a release, it's added as an unresolved issue to the release.

An issue can then be resolved in two ways:

  • Automatically Resolved; the next time ProGet analyzes the release, if the issue is no longer present, it will be resolved automatically
  • Manually Resolved; a user can mark an issue as resolved after determining that it won't impact the release

[Screenshot: Resolve Issue]

Issues may also be deleted, but they will likely return the next time the release is analyzed.

There are three types of issues that ProGet will identify.

Missing Package

This means the package is not stored in ProGet, so ProGet cannot scan it for vulnerabilities, outdated versions, or license violations.

There are generally two ways that this can happen:

  • Release was built without referencing ProGet; for example, if the build server went directly to a public repository like nuget.org or npmjs.org, then ProGet wouldn't have cached or otherwise used that package. To resolve this, make sure your build servers only communicate with ProGet.
  • Package was deleted from ProGet; this may be the result of a retention rule deleting cached packages. To resolve this, make sure retention rules don't delete packages that releases still use.

Vulnerable Package

This means that the package has a vulnerability in one of the following assessment states:

  • "Severe" or "Warning"; these are the built-in severity levels
  • "Custom" with "block downloads"; a custom severity level for which you selected "block downloads"
  • Unassessed with "block unassessed"; the vulnerability has not been assessed, but "block unassessed" is configured as a system-level option

Unwanted License Package

This means that the package uses a license that would normally cause its download to be blocked; for example, the package has a GPL3 license and there is a block rule for that license.

Unwanted License Packages will not automatically resolve unless you change license blocking rules.
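The issue lifecycle (automatic versus manual resolution, and deleted issues returning on the next analysis) and the three issue types above can be modelled as a small state machine. The following is an added example written for this page, not ProGet's own code or API: every class and function name is an assumption, the release contents and vulnerability ids are constructed placeholders, and the choice to reopen an auto-resolved issue when its package becomes affected again is an assumption the page does not state.

```python
# Added example (not ProGet's code): a model of the release-analysis rules
# described on this page. All names below are assumptions for illustration.
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Severity(Enum):
    SEVERE = "Severe"
    WARNING = "Warning"
    CUSTOM = "Custom"
    UNASSESSED = "Unassessed"


@dataclass(frozen=True)
class Vulnerability:
    id: str
    severity: Severity
    block_downloads: bool = False  # the "block downloads" choice on a Custom assessment


@dataclass
class Package:
    name: str
    stored_in_proget: bool          # False -> "Missing Package"
    license: Optional[str] = None
    vulnerabilities: tuple = ()


@dataclass
class Policy:
    block_unassessed: bool = False  # system-level "block unassessed" option
    blocked_licenses: frozenset = frozenset()


@dataclass
class Issue:
    kind: str                       # "Missing Package", "Vulnerable Package", "Unwanted License Package"
    package: str
    resolved: bool = False
    resolved_by: Optional[str] = None  # "auto" or "manual"


def vulnerability_blocks(v: Vulnerability, policy: Policy) -> bool:
    """The assessment states that turn a vulnerability into a release issue."""
    if v.severity in (Severity.SEVERE, Severity.WARNING):
        return True
    if v.severity is Severity.CUSTOM:
        return v.block_downloads
    if v.severity is Severity.UNASSESSED:
        return policy.block_unassessed
    return False


def detect_issues(packages, policy: Policy) -> set:
    """Return the (kind, package) pairs present in the current release state."""
    found = set()
    for p in packages:
        if not p.stored_in_proget:
            # A package ProGet does not hold cannot be scanned for anything else.
            found.add(("Missing Package", p.name))
            continue
        if any(vulnerability_blocks(v, policy) for v in p.vulnerabilities):
            found.add(("Vulnerable Package", p.name))
        if p.license in policy.blocked_licenses:
            found.add(("Unwanted License Package", p.name))
    return found


def analyze_release(issues: list, packages, policy: Policy) -> list:
    """One analysis pass: auto-resolve vanished issues, add newly detected ones."""
    detected = detect_issues(packages, policy)
    for issue in issues:
        key = (issue.kind, issue.package)
        if not issue.resolved and key not in detected:
            issue.resolved, issue.resolved_by = True, "auto"
        elif issue.resolved_by == "auto" and key in detected:
            issue.resolved, issue.resolved_by = False, None  # assumption: reopen
    known = {(i.kind, i.package) for i in issues}
    # Manually resolved issues stay resolved; deleted issues (absent from the list) return.
    issues.extend(Issue(kind, pkg) for kind, pkg in sorted(detected - known))
    return issues


def resolve_manually(issue: Issue) -> Issue:
    issue.resolved, issue.resolved_by = True, "manual"
    return issue


def open_issues(issues) -> list:
    return sorted((i.kind, i.package) for i in issues if not i.resolved)


def sample_release():
    """Constructed release contents (placeholder names and vulnerability ids)."""
    policy = Policy(block_unassessed=True, blocked_licenses=frozenset({"GPL-3.0"}))
    packages = [
        Package("example-lib", True),
        Package("not-cached-lib", False),                       # fetched straight from a public feed
        Package("copyleft-lib", True, license="GPL-3.0",
                vulnerabilities=(Vulnerability("VULN-PLACEHOLDER-1", Severity.UNASSESSED),)),
        Package("assessed-lib", True,
                vulnerabilities=(Vulnerability("VULN-PLACEHOLDER-2", Severity.CUSTOM, False),)),
    ]
    return policy, packages


if __name__ == "__main__":
    policy, packages = sample_release()
    issues = analyze_release([], packages, policy)
    print("first analysis:", open_issues(issues))
    packages[1].stored_in_proget = True  # package now proxied through ProGet
    print("second analysis:", open_issues(analyze_release(issues, packages, policy)))
```

Running the block shows the first analysis raising a Missing Package issue for the uncached package, a Vulnerable Package issue for the unassessed vulnerability (because "block unassessed" is on), and an Unwanted License Package issue for the GPL-3.0 package, while the Custom assessment without "block downloads" raises nothing; once the missing package is cached, its issue is auto-resolved on the next pass.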

