- 01 Mar 2024
- 5 Minutes to read
- Print
- DarkLight
- PDF
[ProGet 2024 Preview] HOWTO: Scan and Block Packages
- Updated on 01 Mar 2024
- 5 Minutes to read
- Print
- DarkLight
- PDF
ProGet 2024 will also introduce Package Policies, a new feature to help you determine whether packages are compliant, noncompliant, or in between (warn). You can also define exceptions to allow internal or trusted third-party packages to use different rules.
ProGet 2024 will no longer require "Vulnerability Sources" to be configured, and you'll be able to perform granular assessments (even on feed-by-feed level if needed). In addition, ProGet will be more tightly integrated with Inedo Security Labs allowing you to learn from our experts on how to best remediate and assess specific vulnerabilities found in your packages. You'll also be able to configure alerts (Webhooks, Emails) when vulnerabilities are detected.
Configuring ProGet to automatically scan third-party open-source packages and container images for vulnerabilities is simple and straightforward.
This guide will explain how to scan and assess vulnerabilities, and how you can configure blocking rules and assessments when a package is found to be vulnerable.
Prerequisites
This requires ProGet 2024, which is not yet released. However, on ProGet 2023.30 or later, you can follow these steps by enabling the Vulnerabilities and Policies Preview Features.
Otherwise, see HOWTO: Scan and Block Packages in ProGet to learn how to configure this in ProGet 2023.
Enabling the Vulnerabilities Preview Feature
Navigate to "Reporting & SCA" > "Vulnerabilities" and select "Enable Vulnerabilities Feature Preview..."
Enabling the Preview Feature will also download the latest vulnerability definitions from Inedo Security Labs
For new installs of ProGet 2023.29 and above, this feature is enabled by default. To disable the feature, click "Edit Settings", then "switch back and disable", and then "Disable Vulnerabilities Feature Preview".
Package Policies Preview Feature
Navigate to "Administration Overview" and select "Policies (ProGet 2024 Preview Feature) under "Global Components".
Then select "Vulnerabilities Preview Feature".
You can disable Package Policies under Admin > Policies.
Step 1: Enable Vulnerabilities Feed Feature
This step is enabled by default. Unless this feature is disabled on your instance, you can skip to step 2.
To configure vulnerability blocking on a feed, first navigate to the feed and click the "Manage Feed" button.
Then click "change" in the Feed Features section under "Other Settings".
Enable "Display vulnerability information and enforce download blocking rules" and click "Save".
For container feeds such as Docker, you also need to make sure "Layer Scanning" is enabled. This is found under the container settings (e.g. "Docker Settings) when navigating to "Manage Feed" following the instructions above. As with the other settings in this step, this is enabled by default.
Step 2: Find Vulnerable Package
Now, you can navigate to your package of interest and click on the "Vulnerabilities" tab.
From here you can click on the vulnerabilities found in your package to get more details and a description of the vulnerability, as well as a link to it's page on Inedo Security Labs
When a package, such as Newtonsoft.Json 12.0.3, has a vulnerability, you’ll see this message on the overview page:
Step 3: Assess Vulnerability
Vulnerabilities can be viewed by navigating to a package in your feed and selecting "Vulnerabilities", such as this vulnerability on the Newtonsoft.Json 12.0.3 package: Improper Handling of Exceptional Conditions in Newtonsoft.Json.
To assess a vulnerability, either navigate to the package's vulnerability tab or to "Reporting & SCA" > "Vulnerabilities", find the vulnerability you would like to assess, and click the assessment.
ProGet comes with three built-in assessment types:
- Ignore indicates that the vulnerability report is not applicable or irrelevant and therefore allows packages to be downloaded
- Caution tells developers to be careful to avoid the vulnerability; packages can be downloaded, but a warning is issued on the web UI
- Blocked means that a vulnerability is too severe to allow use and packages cannot be downloaded
Select the assessment type, enter a comment, and click the "Save" button.
You can also set an expiry date by navigating to the advanced tab and entering a date in the "Expires" field using the format "mm/dd/yyyy".
When choosing "Blocked", attempts to download the package from the API will now result in a "404" error, and a successfully blocked package will be shown on your feed "Overview" as shown below:
Step 4: (Optional) Edit Package Policy Rules
Package compliance policies, available with paid ProGet, is configured on a feed-by-feed basis.
However, you can also set global compliance rules allowing you to block any package with unassessed vulnerabilities.
Navigate to "Administration Overview" and select "Policies (ProGet 2024 Preview Feature) under "Global Components".
Then select "edit" on the right of "Global" policies.
Under the "Vulnerability Rules" category, select "edit". Now select the "General" tab and under "unassessed vulnerabilities" select "Non-Compliant". Then select "Save".
Now the compliance rules have been configured, any packages that are assessed to have unassessed vulnerabilities will be categorized as "Blocked" and will not be downloaded, with any attempt to download the package from the API resulting in a "404" error.
Step 5: (Optional) Add Custom Assessment Types
We recommend using auto assessment in combination with a package approval workflow.
You can edit or create your own assessment type and set up auto-assessment by navigating to "Administration Overview" > "Assessment Types" under "Vulnerability Management".
From here you can create an assessment type by clicking "Create Assessment Type".
By default, the assessment types of Caution, Blocked, and Ignore will be presented but they will not become automated unless the Auto Assess (CVS) is changed from Do Not Auto Assess to a specified range.
Auto assessment can be customized to your preferences. However, if you’re unsure of what the best option is; we recommend reading our page on Vulnerability Scanning & Blocking.
Once you have entered the details of your Assessment Type, click "Save".
Note that expiration days will set the expiry date on "auto-assess" only.
Step 6: (Optional) Scan Container Vulnerabilities
To scan containers for vulnerabilities, ProGet extracts and inspects the files within each container image layer and looks for vulnerable packages that are installed. The "Packages" and "Vulnerabilities" tab of a container image will show these: