Releases Analysis & Issues
- Updated on 28 Jun 2022
- 1 Minute to read
ProGet will routinely analyze your active releases for new vulnerabilities or unwanted licenses in the packages they use. When such a package is found, ProGet will create an "issue" on the release that you can resolve.
When ProGet first detects an issue with one of the packages in a release, it's added as an unresolved issue to the release.
An issue can then be resolved in two ways:
- Automatically Resolved; the next time ProGet analyzes a release, if the issue is no longer present, then it will automatically be resolved
- Manually Resolved; a user can mark an issue as resolved after determining that the issue won't impact the release
Issues may also be deleted, but they will likely return the next time the release is analyzed.
There are three types of issues that ProGet will identify.
Missing Package
This means the package is not stored in ProGet, so ProGet won't be able to scan it for vulnerabilities, outdated packages, or license violations.
There are generally two ways that this can happen:
- Release was built without referencing ProGet; for example, if the build server went directly to a public repository like npmjs.org, then ProGet wouldn't have cached or otherwise used that package. To resolve this, make sure your build servers only communicate with ProGet.
- Package was deleted from ProGet; this may be the result of a retention rule deleting cached packages. To resolve this, make sure retention rules don't delete packages that are still in use.
Vulnerable Package
This means that the package has a vulnerability with one of the following assessment states:
- "Severe" or "Warning"; these are built-in severity levels
- "Custom" and blocked; a custom severity level for which you selected "block downloads"
- "Unassessed" and block unassessed; the vulnerability has not been assessed, but "block unassessed" is configured as a system-level option
Unwanted License Package
This means that the package uses a license that would normally cause the download to be blocked; for example, if the package has a GPL3 license and there is a block rule for that license.
Unwanted License Packages will not automatically resolve unless you change license blocking rules.
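The issue lifecycle described above (automatic vs. manual resolution, deleted issues returning) together with the three issue types can be modelled in a few lines. This is an added illustration, not ProGet's own code: the package fields (`cached`, `vulns`, `license`), the status strings and the sample release are all constructed assumptions.

```python
# Constructed model of the issue rules described on this page; not ProGet's code.
BUILTIN_BLOCKING = {"Severe", "Warning"}   # built-in severity levels that raise an issue

def vulnerability_blocks(assessment, custom_blocks=False, block_unassessed=False):
    """True if this assessment state raises a Vulnerable Package issue."""
    if assessment in BUILTIN_BLOCKING:
        return True
    if assessment == "Custom":
        return custom_blocks        # custom level only if "block downloads" was chosen
    if assessment == "Unassessed":
        return block_unassessed     # only if the system-level "block unassessed" option is on
    return False

def find_issues(release, blocked_licenses, block_unassessed=False):
    """One analysis pass: the set of (issue_type, package) pairs currently present."""
    found = set()
    for pkg in release:
        if not pkg.get("cached"):
            found.add(("missing", pkg["name"]))
            continue                # ProGet cannot scan a package it does not hold
        if any(vulnerability_blocks(v["assessment"], v.get("custom_blocks", False),
                                    block_unassessed) for v in pkg.get("vulns", [])):
            found.add(("vulnerable", pkg["name"]))
        if pkg.get("license") in blocked_licenses:
            found.add(("license", pkg["name"]))
    return found

def analyze(issues, release, blocked_licenses, block_unassessed=False):
    """Reconcile stored issues {key: status} with a fresh pass and return them.
    New or reappearing issues become 'unresolved', a manual resolution sticks, and an
    unresolved issue no longer present is auto-resolved. A deleted issue is absent from
    `issues`, so it simply comes back."""
    found = find_issues(release, blocked_licenses, block_unassessed)
    for key in found:
        if issues.get(key) != "manually-resolved":
            issues[key] = "unresolved"
    for key in issues:
        if key not in found and issues[key] == "unresolved":
            issues[key] = "auto-resolved"
    return issues

# Constructed sample release (package names and data are made up for illustration).
SAMPLE_RELEASE = [
    {"name": "pkg-a", "cached": False},   # built straight against npmjs.org, never cached
    {"name": "pkg-b", "cached": True, "license": "MIT", "vulns": [{"assessment": "Severe"}]},
    {"name": "pkg-c", "cached": True, "license": "GPL3", "vulns": [{"assessment": "Unassessed"}]},
    {"name": "pkg-d", "cached": True, "vulns": [{"assessment": "Custom", "custom_blocks": False}]},
]
```

Running `analyze({}, SAMPLE_RELEASE, {"GPL3"})` yields three unresolved issues (pkg-a missing, pkg-b vulnerable, pkg-c unwanted license); pkg-c's unassessed vulnerability only becomes an issue once `block_unassessed=True`, and its license issue only clears when the blocking rule changes.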