HOWTO: Scan and Block Packages in ProGet
- Updated on 04 Oct 2023
- 3 Minutes to read
Configuring ProGet to automatically scan third-party open-source packages and container images for vulnerabilities is simple and straightforward.
This guide will explain how to scan and assess vulnerabilities, and how you can configure blocking rules and assessments when a package is found to be vulnerable.
Step 1: Enable ProGet Vulnerability Central (PGVC)
ProGet uses ProGet Vulnerability Central (PGVC) to scan packages. PGVC aggregates leading vulnerability databases such as GitHub Security Advisories, PyPA and the Global Security Database, and it is enabled by default.
You can configure PGVC and manage your vulnerability sources by navigating to "Administration Overview" > "Vulnerabilities Sources" under "Vulnerability Management".
ProGet also supports the use of third-party vulnerability sources; see HOWTO: Integrate OSS Index with ProGet to learn more.
Step 2: Enable Feed Feature
To configure vulnerability blocking on a feed, first navigate to the feed and click the "Manage Feed" button.
Then click "change" in the Feed Features section under "Other Settings".
Enable "Display vulnerability information and enforce download blocking rules" and click "Save".
Step 3: Find Vulnerable Package
Now, you can navigate to your package of interest and click on the "Vulnerabilities" tab.
From here you can click on the vulnerabilities found in your package to get more details and decide how to assess them.
When a package, such as Newtonsoft.Json 12.0.3, has a severe vulnerability, you’ll see this message on the overview page:
Step 4: Enable Download Blocking Rules
Package blocking, available with paid ProGet, is configured on a feed-by-feed basis.
Blocking rules allow you to specify feeds in which packages will be blocked if they are assessed to have vulnerabilities.
Navigate to "Reporting & SCA" > "Vulnerabilities" and click "Configure Vulnerability Blocking".
Locate your vulnerability source, add your feed to the right, and then click "Save".
Now that the Download Blocking rules have been configured, any package in the selected feeds that is assessed to have vulnerabilities will be categorized as "Blocked" and cannot be downloaded; any attempt to download the package through the API results in a "404" error.
Step 5: Assess Package Vulnerabilities
Vulnerabilities can be viewed by navigating to a package in your feed and selecting "Vulnerabilities", such as this vulnerability on the Newtonsoft.Json 12.0.3 package: Improper Handling of Exceptional Conditions in Newtonsoft.Json.
To assess a vulnerability, either navigate to the package's vulnerability tab or to "Reporting & SCA" > "Vulnerabilities", find the vulnerability you would like to assess and click the assessment.
ProGet comes with three built-in assessment types:
- Ignore indicates that the vulnerability report is not applicable or irrelevant and therefore allows packages to be downloaded
- Caution tells developers to be careful to avoid the vulnerability; packages can be downloaded, but a warning is issued on the web UI
- Blocked means that a vulnerability is too severe to allow use and packages cannot be downloaded
Select the assessment type, enter a comment, and click the "Save" button.
When choosing "Blocked", attempts to download the package from the API will now result in a "404" error, and a successfully blocked package will be shown on your feed "Overview" as shown below:
Step 6: (Optional) Add Custom Assessment Types
We recommend using auto assessment in combination with a package approval workflow.
You can edit or create your own assessment type and set up auto-assessment by navigating to "Administration Overview" > "Assessment Types" under "Vulnerability Management".
From here you can create an assessment type by clicking "Create Assessment Type".
By default, the assessment types Caution, Blocked, and Ignore are presented, but none of them is applied automatically until its Auto Assess (CVSS) setting is changed from Do Not Auto Assess to a specified score range.
Auto assessment can be customized to your preferences. However, if you're unsure which option is best, we recommend reading our page on Vulnerability Scanning & Blocking.
Once you have entered the details of your Assessment Type, click "Save".
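To make the combined effect of Steps 4 to 6 concrete, here is an added model of the decision a feed makes when a package is requested: each vulnerability gets an assessment (an analyst's manual one, or an automatic one from a CVSS score range), the package takes its most severe assessment, and a "Blocked" result turns into the 404 described above. This is illustration code written for this guide, not ProGet's implementation: the score ranges, the "worst assessment wins" rule, the treatment of unscored vulnerabilities as unassessed (and therefore not blocking), and the sample CVSS value for the Newtonsoft.Json vulnerability are all constructed assumptions, so check them against your own ProGet configuration.

```python
"""Model of per-feed vulnerability assessment and download blocking.

Added illustration for this guide; not ProGet's own code. Assumptions:
vulnerabilities carry an optional CVSS base score, auto-assessment maps
score ranges onto the built-in types Ignore / Caution / Blocked, a manual
assessment overrides auto-assessment, and a package's download decision
follows its most severe assessment.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Built-in assessment types from the guide, ranked so the worst can be picked.
# "Unassessed" stands for "Do Not Auto Assess" with no manual decision (assumption).
SEVERITY_ORDER = {"Unassessed": 0, "Ignore": 1, "Caution": 2, "Blocked": 3}


@dataclass
class Vulnerability:
    id: str
    title: str
    cvss: Optional[float]                    # None when the source gives no score
    manual_assessment: Optional[str] = None  # analyst's explicit choice wins (assumption)


# Constructed auto-assessment policy: inclusive (low, high) CVSS ranges.
# Not ProGet defaults; pick ranges that match your own risk appetite.
AUTO_ASSESS_RANGES: List[Tuple[float, float, str]] = [
    (0.0, 3.9, "Ignore"),
    (4.0, 6.9, "Caution"),
    (7.0, 10.0, "Blocked"),
]


def assess(v: Vulnerability, ranges=AUTO_ASSESS_RANGES) -> str:
    """Return the effective assessment type for one vulnerability."""
    if v.manual_assessment:
        if v.manual_assessment not in SEVERITY_ORDER:
            raise ValueError(f"unknown assessment type: {v.manual_assessment}")
        return v.manual_assessment
    if v.cvss is None:
        return "Unassessed"          # nothing to auto-assess against
    for low, high, kind in ranges:
        if low <= v.cvss <= high:
            return kind
    return "Unassessed"              # score outside every configured range


def package_decision(vulns: List[Vulnerability], ranges=AUTO_ASSESS_RANGES,
                     feed_blocking_enabled: bool = True) -> Tuple[int, str, Dict[str, str]]:
    """Return (HTTP status for a download request, worst assessment, per-vulnerability assessments).

    A feed without the blocking feature still shows assessments but never returns 404.
    """
    assessments = {v.id: assess(v, ranges) for v in vulns}
    worst = max(assessments.values(), key=SEVERITY_ORDER.__getitem__, default="Ignore")
    if feed_blocking_enabled and worst == "Blocked":
        return 404, worst, assessments
    return 200, worst, assessments


def demo() -> Tuple[int, str, Dict[str, str]]:
    """Constructed sample: the Newtonsoft.Json 12.0.3 finding from the guide with an assumed score."""
    sample = [
        Vulnerability("SAMPLE-1",
                      "Improper Handling of Exceptional Conditions in Newtonsoft.Json",
                      cvss=7.5),                       # constructed value, not from the advisory
        Vulnerability("SAMPLE-2", "Low-impact finding", cvss=2.1),
    ]
    return package_decision(sample)


if __name__ == "__main__":
    status, worst, detail = demo()
    print(f"download status={status} worst={worst} detail={detail}")
```

Running the block prints a 404 for the sample package because one finding lands in the "Blocked" range; setting `manual_assessment="Ignore"` on that finding, as an analyst would after confirming the package does not hit the vulnerable code path, lets the download through again while leaving the record of the decision.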