Releases Analysis & Issues
  • 24 Mar 2023

ProGet routinely analyzes your active releases for new vulnerabilities or unwanted licenses in the packages they use. When such a package is found, ProGet creates an "issue" on the release that you can then resolve.

ProGet Release Issues

Release Issues

The first time ProGet detects an issue with one of the packages in a release, it's added to the release as an unresolved issue.

An issue can then be resolved in one of two ways:

  • Automatically resolved; the next time ProGet analyzes the release, any issue that is no longer present (for example, because the vulnerability was reassessed or the package was replaced) is resolved automatically
  • Manually resolved; a user can mark an issue as resolved after determining that it has no impact on the release

Resolve Issue

Issues can also be deleted, but deleting an issue does not fix the underlying condition: if it still holds, the issue will reappear on the next release analysis.

There are three types of issues that ProGet will identify:

Missing Package

This means that the package isn't stored in ProGet, so ProGet is unable to check it for security vulnerabilities, obsolete versions, or license violations.

In general, there are two ways this can happen:

  • The release was built without referencing ProGet; for example, if the build server fetches directly from a public repository such as 'nuget.org' or 'npmjs.org', then ProGet never cached or otherwise saw the package. To fix this, make sure your build servers only communicate with ProGet.
  • The package was deleted from ProGet; this may be the result of a retention rule that deletes cached packages. To fix this, ensure that your retention rules don't delete packages that active releases still use.

Vulnerable Package

This means that the package has a vulnerability in one of the following assessment states:

  • "Severe" or "Warning"; these are the built-in severity levels
  • "Custom" with blocking enabled; a custom severity level for which you selected "block downloads"
  • Unassessed with "block unassessed" enabled; the vulnerability has not been assessed yet, but "block unassessed" is configured as a system-level option

Unwanted License Package

This means that the package uses a license that would normally cause its download to be blocked; for example, a package with a GPL-3 license when a block rule exists for that particular license.

Unwanted License Package issues will not be automatically resolved unless you change the license blocking rules.
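The following is an added example, not ProGet's own code, that models the release-analysis rules described on this page (the three issue types, the assessment states that count as vulnerable, auto versus manual resolution, and what happens when an issue is deleted) on constructed sample data. The package names, feed contents, license identifiers, and assessment values are assumptions chosen to exercise each rule; the class and function names are this example's own and do not correspond to ProGet's API.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Built-in assessment severities that always raise a Vulnerable Package issue.
BLOCKING_BUILTIN = {"Severe", "Warning"}


@dataclass(frozen=True)
class Package:
    name: str
    version: str


@dataclass
class Assessment:
    """One vulnerability assessment on a package (constructed sample shape)."""
    severity: str                  # "Severe", "Warning", "Custom", "Unassessed"
    blocks_download: bool = False  # only consulted for the "Custom" level


@dataclass
class ProGetState:
    stored: Set[Package]                    # packages ProGet holds or has cached
    vulns: Dict[Package, List[Assessment]]
    licenses: Dict[Package, str]            # SPDX id per package (assumed)
    blocked_licenses: Set[str]
    block_unassessed: bool = False          # the system-level option


@dataclass
class Issue:
    kind: str          # "Missing Package" | "Vulnerable Package" | "Unwanted License Package"
    package: Package
    resolved: bool = False
    resolved_by: Optional[str] = None  # "auto" or "manual"

    @property
    def key(self) -> Tuple[str, Package]:
        return (self.kind, self.package)


def vulnerability_blocks(a: Assessment, block_unassessed: bool) -> bool:
    """The assessment states the article lists as raising an issue."""
    if a.severity in BLOCKING_BUILTIN:
        return True
    if a.severity == "Custom":
        return a.blocks_download
    if a.severity == "Unassessed":
        return block_unassessed
    return False


def detect(release: List[Package], state: ProGetState) -> List[Tuple[str, Package]]:
    """Keys of the issues one analysis pass finds right now, in release order."""
    found = []
    for pkg in release:
        if pkg not in state.stored:
            found.append(("Missing Package", pkg))  # nothing else can be checked
            continue
        if any(vulnerability_blocks(a, state.block_unassessed) for a in state.vulns.get(pkg, [])):
            found.append(("Vulnerable Package", pkg))
        if state.licenses.get(pkg) in state.blocked_licenses:
            found.append(("Unwanted License Package", pkg))
    return found


def analyze(issues: List[Issue], release: List[Package], state: ProGetState) -> List[Issue]:
    """One analysis pass: open new issues, auto-resolve ones no longer present.
    Already-resolved issues (auto or manual) are left alone; an issue deleted
    from the list is simply opened again if its condition persists."""
    found = detect(release, state)
    found_keys, existing = set(found), {i.key for i in issues}
    for key in found:
        if key not in existing:
            issues.append(Issue(kind=key[0], package=key[1]))
    for i in issues:
        if not i.resolved and i.key not in found_keys:
            i.resolved, i.resolved_by = True, "auto"
    return issues


def resolve_manually(issues: List[Issue], kind: str, package: Package) -> None:
    """A user marks the issue resolved after judging it has no impact."""
    for i in issues:
        if i.key == (kind, package) and not i.resolved:
            i.resolved, i.resolved_by = True, "manual"


def run_scenario() -> List[Issue]:
    """Drive the rules over constructed data and return the final issue list."""
    missing = Package("unlisted-pkg", "1.0.0")   # fetched straight from a public registry
    vuln = Package("widget-lib", "2.4.1")
    unassessed = Package("acme.utils", "0.9.0")
    gpl = Package("gpl-thing", "3.1.0")
    release = [missing, vuln, unassessed, gpl]
    state = ProGetState(
        stored={vuln, unassessed, gpl},
        vulns={vuln: [Assessment("Severe")], unassessed: [Assessment("Unassessed")]},
        licenses={vuln: "MIT", unassessed: "MIT", gpl: "GPL-3.0"},
        blocked_licenses={"GPL-3.0"},
    )
    issues = analyze([], release, state)                        # pass 1: three open issues
    state.vulns[vuln] = [Assessment("Custom", blocks_download=False)]  # reassessed, non-blocking
    analyze(issues, release, state)                             # pass 2: widget-lib auto-resolves
    resolve_manually(issues, "Unwanted License Package", gpl)   # reviewer accepts the license
    state.block_unassessed = True                               # now acme.utils raises an issue
    analyze(issues, release, state)                             # pass 3
    issues = [i for i in issues if i.kind != "Missing Package"]  # deleting is not a fix...
    return analyze(issues, release, state)                      # pass 4: ...it comes back
```

Running `run_scenario()` leaves the widget-lib issue auto-resolved, the gpl-thing issue manually resolved, a new open issue for acme.utils once "block unassessed" is turned on, and the Missing Package issue re-opened after it was deleted, which is the lifecycle the sections above describe.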
