Vulnerability Scanning and Blocking
  • 28 Jun 2022
  • 6 Minutes to read
  • Dark
    Light
  • PDF

Vulnerability Scanning and Blocking

  • Dark
    Light
  • PDF

ProGet can automatically scan the third-party, open-source packages and container images that you're using for vulnerabilities, and allow you to assess the risk that they may pose.

This enables you to:

  • Block packages or container images that you deem too risky to use
  • Warn users of vulnerabilities that they should be careful with
  • Identify which of your Projects and Releases are impacted by vulnerabilities
  • Alert you when new vulnerabilities are discovered

This article will explain how vulnerability scanning works,

Get Started with Vulnerability Scanning in Minutes

For a walkthrough on how to configure vulnerability scanning in just a few minutes, see HOWTO: Scan & Block Packages with OSS Index.

What are Vulnerability Sources?

ProGet works with leading vulnerability data providers that aggregate vulnerability records from databases like the National Vulnerability Database.. These data providers are called "vulnerability sources", and after configuring them to scan your feeds, ProGet will routinely download vulnerability records that relate to your packages and container images.

To configure vulnerability sources, navigate to Reporting & SCA > Vulnerabilities:

Configure Vulnerability Source

There are currently two vulnerability sources in ProGet:

  • OSS Index is free software service that catalogs open source packages and identifies vulnerabilities
  • Clair is a free, self-managed tool that scans for vulnerabilities in your container images.

We may add additional vulnerability sources later from other vendors. Some users have created their own vulnerability sources using the Inedo SDK.

Note that Clair requires extra setup, the details for which can be found in the configuring clair in ProGet section. If you don't see OSS Index as a vulnerability source or WhiteSource as a package access rule, check Admin > Extensions to make sure those extensions are installed

Routine Vulnerability Scanning

Vulnerability sources download vulnerabilities on a routine basis by using the VulnerabilityDownloader scheduled job. By default, this will run on a nightly basis, but you can configure it to run at different times.

You can also manually run the job by navigating to Administration -> Scheduled Jobs page. Then click the green play button to the right of the VulnerabilityDownloader task.

Feeds & Download Blocking

After setting-up a vulnerability source in ProGet, you can select which feeds you'd like to configure for vulnerability scanning and blocking by navigating to Reporting & SCA > Vulnerabilities:

ProGet Vulnerability Configuration

When a feed is scanned by a vulnerability source, ProGet will display vulnerability information on packages and may be configured to block downloads.

Assessing Vulnerabilities

Both the manual and OSS Index workflows use vulnerability reports, which essentially identify that a particular package or versioned range of packages has a known vulnerability. This record is either manually entered or is imported from OSS Index, based on packages in a particular feed.

For container reports, Clair attempts to determining which operating system (OS) a container image was built with and then uses that OS to scan specific security databases to check for vulnerabilities. These vulnerabilities are then automatically associated with the container's affected layer within the registry Clair was configured to scan. Manual vulnerability records can also be added to affected container layers by specifying that layer's digest.

All newly entered or imported vulnerability reports are considered unassessed, which means that packages matching the vulnerability will be blocked until the report is assessed. An assessment involves an authorized user reviewing the report, choosing an assessment type (Ignore, Caution, Block), and leaving an optional comment.

Assessment Expiry

An "assessment" you make on a package or container image vulnerability may be configured to expire. This means that, unless it's reassessed, the vulnerability report will be considered "unassessed" after expiry.

There are two primary use-cases for expiration.

  • If you permit packages or container images with unassessed vulnerabilities to be downloaded, this means that you can use an expiring assessment to temporary block a package.
  • If you block unassessed vulnerabilities, then you can use an expiring assessment to temporary un-block a package.

The reason to temporarily block or unblock packages is due to the nature of security vulnerabilities. Just because a particular package or container image has a security vulnerability, it doesn't mean your application will utilize the vulnerable aspects. In fact, constantly jumping to newer versions just to avoid reported vulnerabilities is often less secure - the newer versions have unknown vulnerabilities, which you might be using.

By temporary unblocking packages and container images, you can periodically review how engineers are using them. The usage may have changed.

Blocking a Package Download

Selecting Blocked will prevent any packages within the version range or container images that include the vulnerable layer to be downloaded. From the Vulnerabilities page or the Vulnerabilities tab on the package or container image page, selecting the vulnerability, then Assess, and choose Blocked, optionally adding a comment.

Browsing to a package version within the range specified or a container image with an associated layer in the blocked vulnerability will display Blocked where the download button would normally be, and the package or container image will be not be downloadable from its associated feed API.

Note: while the package version or container image is blocked from download, it may still appear in search or list results.

Assessment Types

ProGet comes with three built-in assessment types:

  • Ignore indicates that the vulnerability report is not applicable or irrelevant and therefore allows for packages to be downloaded
  • Caution tells developers to be careful to avoid the vulnerability; packages may be downloaded, but a warning is issued on the web UI
  • Blocked means a vulnerability is too severe to allow use, and packages are prevented from being downloaded

You can edit or create your own assessment type by going to Admin > Assessment Types, and specifying a name, expiration (days), color, whether or not packages would be blocked, and an auto-assessment range.

Automatically Assess Vulnerabilities

ProGet can automatically assess new vulnerabilities based on a vulnerability's CVE Score. You can configure this by simply creating or editing the auto-assessment range on an assessment type.

Edit Auto-assess Settings

Note that auto-assessment only applies to new vulnerabilities; if an assessment expires, it will not be automatically re-assessed.

Manual Vulnerability Records

You can also add a manual vulnerability record on a specific package version (or version ranges), or on a container image layer. One reason you may wish to do this is if you discover a vulnerability that isn't yet publicly disclosed.

To add manual records, navigate to the Vulnerabilities tab on the package or container image page then click the Add Vulnerability button to specify the feed, the package ID and version(s) or the container image layer digest, and the details of the vulnerability.

Version Ranges

Manual vulnerability records may encompass multiple package versions using version range syntax, for example:

Range Meaning
3.0.0 version = 3.0.0
[3.0] version = 3.0
<=2.0 version <= 2.0
[1.3,1.4] 1.3 <= version <= 1.4
>=1.3 <=1.4 1.3 <= version <= 1.4
>2.5 version > 2.5
<=1.0,>=1.2 version <= 1.0 or version >= 1.2
<1.1 >1.1 Exclude version 1.1

Note: versions must be specified out to their full value to match. For example, 2.0 will not match 2.0.0

Due to the inconsistency on container repository tags, container registries are not compatible with version ranges.

ProGet 6.0 and Earlier

Projects and Releases, as well as vulnerability notifications are only available in ProGet 2022 and later.

The ability to Automatically Assess Vulnerabilities is only available in ProGet 6.0 and later.

In ProGet 6.0 and earlier, vulnerability sources were configured on the main Vulnerabilities, and then on each feeds Detection and Blocking tab.


Was this article helpful?