HOWTO: Scan and Block Packages in ProGet
  • 04 Oct 2023

Article Summary

Configuring ProGet to automatically scan third-party open-source packages and container images for vulnerabilities is simple and straightforward.

This guide will explain how to scan and assess vulnerabilities, and how you can configure blocking rules and assessments when a package is found to be vulnerable.

Step 1: Enable ProGet Vulnerability Central (PGVC)

ProGet uses ProGet Vulnerability Central (PGVC) to scan packages. PGVC aggregates leading vulnerability databases such as GitHub Security Advisories, PyPA and the Global Security Database, and is enabled by default.

You can configure PGVC and manage your vulnerability sources by navigating to "Administration Overview" > "Vulnerabilities Sources" under "Vulnerability Management".

Administration Overview

ProGet also supports the use of third-party vulnerability sources; see HOWTO: Integrate OSS Index with ProGet to learn more.

Step 2: Enable Feed Feature

To configure vulnerability blocking on a feed, first navigate to the feed and click the "Manage Feed" button.

Manage Feed

Then click "change" in the Feed Features section under "Other Settings".

Change Feed Features

Enable "Display vulnerability information and enforce download blocking rules" and click "Save".

Change Feed Features

Step 3: Find Vulnerable Package

Now, you can navigate to your package of interest and click on the "Vulnerabilities" tab.

From here you can click on the vulnerabilities found in your package to get more details and decide how to assess them.

jQuery Package Vulnerabilities

When a package, such as Newtonsoft.Json 12.0.3, has a severe vulnerability, you’ll see this message on the overview page:

Vulnerability Detected

Step 4: Enable Download Blocking Rules

Package blocking, available with paid ProGet, is configured on a feed-by-feed basis.

Blocking rules allow you to specify feeds in which packages will be blocked if they are assessed to have vulnerabilities.

Navigate to "Reporting & SCA" > "Vulnerabilities" and click "Configure Vulnerability Blocking".

Locate your vulnerability source, add your feed to the right, and then click "Save".

Configure Vulnerability

Now that the Download Blocking rules have been configured, any package in the selected feeds that is assessed as vulnerable will be categorized as "Blocked" and cannot be downloaded; any attempt to download it through the API will result in a "404" error.

Step 5: Assess Package Vulnerabilities

Vulnerabilities can be viewed by navigating to a package in your feed and selecting "Vulnerabilities", such as this vulnerability on the Newtonsoft.Json 12.0.3 package: Improper Handling of Exceptional Conditions in Newtonsoft.Json.

Package Vulnerabilities Tab

To assess a vulnerability, either navigate to the package's vulnerability tab or to "Reporting & SCA" > "Vulnerabilities", find the vulnerability you would like to assess and click the assessment.

ProGet comes with three built-in assessment types:

  • Ignore indicates that the vulnerability report is not applicable or irrelevant and therefore allows packages to be downloaded
  • Caution tells developers to be careful to avoid the vulnerability; packages can be downloaded, but a warning is issued on the web UI
  • Blocked means that a vulnerability is too severe to allow use and packages cannot be downloaded

Assess Package Vulnerability

Select the assessment type, enter a comment, and click the "Save" button.

When choosing "Blocked", attempts to download the package from the API will now result in a "404" error, and a successfully blocked package will be shown on your feed "Overview" as shown below:

Package Blocked
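Because a blocked package is served as an HTTP 404 by the feed API, a build pipeline can check its dependencies against the feed before restoring them. The script below is an added illustration, not ProGet's own code; the NuGet v3 "flatcontainer" URL layout and the feed URL are assumptions, and the HTTP call is injectable so the logic can be exercised offline.

```python
"""Pre-flight check: report dependencies that a ProGet feed now blocks.

Added illustration, not ProGet code. It relies on the behaviour described in
the article: a package whose vulnerability is assessed as "Blocked" is
returned as HTTP 404 by the feed API. The NuGet v3 flat-container URL layout
below is an assumption about the feed's package-content endpoint.
"""
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

Fetcher = Callable[[str], int]  # URL -> HTTP status code


def package_url(feed_url: str, package_id: str, version: str) -> str:
    # Assumed NuGet v3 flat-container layout: id and version are lower-cased.
    pid, ver = package_id.lower(), version.lower()
    return f"{feed_url.rstrip('/')}/v3/flatcontainer/{pid}/{ver}/{pid}.{ver}.nupkg"


def http_status(url: str) -> int:
    """Real fetcher: HEAD the package and return the HTTP status code."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def check_packages(feed_url: str, packages: List[Tuple[str, str]],
                   fetch: Fetcher = http_status) -> Dict[str, str]:
    """Classify each (id, version) as 'ok', 'blocked' (404) or 'error:<code>'."""
    results: Dict[str, str] = {}
    for pid, ver in packages:
        code = fetch(package_url(feed_url, pid, ver))
        if code == 200:
            state = "ok"
        elif code == 404:
            # Caveat: 404 is also what a package that was never in the feed
            # returns, so confirm in the feed's Vulnerabilities view.
            state = "blocked"
        else:
            state = f"error:{code}"
        results[f"{pid} {ver}"] = state
    return results


def blocked_packages(results: Dict[str, str]) -> List[str]:
    """Names of packages the feed refused, sorted for stable CI output."""
    return sorted(name for name, state in results.items() if state == "blocked")
```

In a pipeline, call `check_packages` with the feed URL and the project's package list and fail the build if `blocked_packages` returns anything.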

Step 6: (Optional) Add Custom Assessment Types

We recommend using auto assessment in combination with a package approval workflow.

You can edit or create your own assessment type and set up auto-assessment by navigating to "Administration Overview" > "Assessment Types" under "Vulnerability Management".

ProGet Assessment Type Setting

From here you can create an assessment type by clicking "Create Assessment Type".

Manage Assessment Types

By default, the assessment types Caution, Blocked, and Ignore are presented, but they will not be applied automatically unless "Auto Assess (CVSS)" is changed from "Do Not Auto Assess" to a specified score range.

Create Assessment Type

Auto assessment can be customized to your preferences. However, if you're unsure which option is best, we recommend reading our page on Vulnerability Scanning & Blocking.

Once you have entered the details of your Assessment Type, click "Save".
