HOWTO: Scan & Block Packages with OSS Index
- Updated on 12 Feb 2023
ProGet’s integrated vulnerability scanning allows you to effortlessly assess package vulnerabilities by setting up customized auto-assessment rules.
Open-source packages come with security risks that should not be ignored, but manually checking and assessing every reported vulnerability is impractical. ProGet can automatically block, allow, or flag packages based on the severity thresholds that you set.
This article will walk through how to configure ProGet to scan for vulnerabilities and block packages.
Step 1: Create or log in to your OSS Index account
ProGet uses Sonatype OSS Index to scan for package vulnerabilities, so to begin you will need to create an OSS Index account or log in to an existing one.
Step 2: Locate your API token
After logging in, navigate to user settings and locate your API token.
You will need this API key in the next step, so make sure to copy or write it down.
Step 3: Configure your feed’s vulnerability source
In ProGet, navigate to Reporting & SCA > Vulnerabilities.
After clicking on OSS Index, fill out the relevant fields. Make sure to use the API key you located in Step 2.
Manually Run the Vulnerability Scanner
By default, packages will be scanned by the vulnerability downloader at 2:00am every day, but in order to get your packages scanned immediately, we recommend manually running the vulnerability scanner now. Navigate to Scheduled Jobs > VulnerabilityDownloader by clicking on the gear icon in the top-right corner.
Then, click on the green play button.
You can adjust the frequency of the job, but we don’t recommend doing so because Sonatype OSS Index is rate limited.
During the scan, your packages are checked against the Sonatype OSS Index database. A live action log is displayed while the scan runs, and the output remains available when it completes. This log can also help with debugging and diagnosis.
Step 4: Assess Package Vulnerabilities
View Package Vulnerabilities
After running the vulnerability scanner, you will be able to navigate to your package of interest and click on the vulnerabilities tab. From here you can click on the vulnerabilities found in your package to get more details and decide how to assess them.
Assess Package Vulnerabilities
ProGet comes with three built-in assessment types:
- Ignore: Indicates that the vulnerability report is not applicable or irrelevant and therefore allows for packages to be downloaded
- Caution: Tells developers to be careful to avoid the located vulnerability; packages may be downloaded, but a warning is issued on the web UI
- Blocked: Means a vulnerability is too severe to allow use, and packages are prevented from being downloaded
You can either click on each vulnerability and assess them individually, bulk edit, or auto assess. We recommend using the auto assess feature so you can automate as much of the process as possible. The next step will show how to customize auto assessment and best practices.
Step 5: Customize Vulnerability Assessment
Auto Assessment
We recommend using auto assessment in combination with a package approval workflow.
You can edit or create your own assessment type and set up auto assessment by clicking on the gear icon in the top-right corner. From here, navigate to Assessment Types under Vulnerability Management.
By default, the assessment types Caution, Blocked, and Ignore are present, but none of them is applied automatically until its Auto Assess (CVSS) setting is changed from Do Not Auto Assess to a specific score range.
Auto assessment can be customized to your preferences; however, if you are unsure of the best option, we recommend the following auto assessment setup:
| Assessment Type | Auto Assess (CVSS) | Expiration |
|---|---|---|
| Ignore | Low (0.1-3.9) | 90 days |
| Caution | High (7.0-8.9) | 30 days |
| Blocked | Critical (9.0-10.0) | 30 days |
This configuration ignores low-score vulnerabilities, which typically do not affect your security, while critical vulnerabilities are immediately blocked from download.
Medium score vulnerabilities will be left unassessed in this case because these vulnerabilities should be reviewed by someone to determine if they are ignored, require caution, or—in rare cases—should be blocked. These medium score vulnerabilities do not typically require immediate action.
High score vulnerabilities are not blocked in this scenario, but should be treated with caution: they typically involve a security flaw in a specific feature of the package, and that feature may not be one your application uses. Note that vulnerabilities already recorded in ProGet before auto assessment is configured will not be auto assessed; only vulnerabilities found after the configuration takes effect are assessed automatically.
Custom Vulnerability types
Creating and using custom vulnerability types can be very helpful when:
- You want different vulnerability expirations
- You want to tag vulnerabilities that may be treated or reviewed differently
For example: Let's say you want high (7.0-8.9) vulnerabilities to be auto assessed without being blocked, but to require a critical review. To accomplish this, you could create a "Critical Review" assessment type that is auto assessed when a high vulnerability is located. A security admin can then filter on that type on the Vulnerabilities page in ProGet to perform the critical reviews.
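The following is an added example that models the auto assessment rules from Step 5 and the custom "Critical Review" type described above as a small policy evaluator; it is not ProGet's or Sonatype's code. It assumes a vulnerability report shaped like an OSS Index component-report entry (a "vulnerabilities" list whose items carry an "id" and a "cvssScore"), uses constructed sample data with made-up ids and scores, and treats a score outside every configured range as "Do Not Auto Assess", i.e. left for a person to review. The `known_before_config` parameter is a hypothetical way to model the caveat that vulnerabilities already present before the rules were configured are not auto assessed.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class AssessmentType:
    """One row of the Assessment Types page: a name, the CVSS range it
    auto-assesses, how long the assessment stays valid, and its effect."""
    name: str
    cvss_min: float            # inclusive lower bound of the Auto Assess (CVSS) range
    cvss_max: float            # inclusive upper bound
    expiration_days: int
    blocks_download: bool = False
    warns_on_download: bool = False


# The recommended setup from the table in Step 5, expressed as rules.
# Medium scores (4.0-6.9) are deliberately uncovered: they stay unassessed.
RECOMMENDED_RULES = (
    AssessmentType("Ignore", 0.1, 3.9, 90),
    AssessmentType("Caution", 7.0, 8.9, 30, warns_on_download=True),
    AssessmentType("Blocked", 9.0, 10.0, 30, blocks_download=True),
)

# The custom-type variant: high scores are tagged "Critical Review"
# (hypothetical type name taken from the text) instead of Caution, so a
# security admin can filter for them; they neither warn nor block.
CRITICAL_REVIEW_RULES = (
    AssessmentType("Ignore", 0.1, 3.9, 90),
    AssessmentType("Critical Review", 7.0, 8.9, 30),
    AssessmentType("Blocked", 9.0, 10.0, 30, blocks_download=True),
)


def auto_assess(cvss_score, rules, assessed_on):
    """Return (assessment name, expiration date), or None when no rule covers
    the score. None is the 'Do Not Auto Assess' outcome: the vulnerability is
    left unassessed for a person to review."""
    for rule in rules:
        if rule.cvss_min <= cvss_score <= rule.cvss_max:
            return rule.name, assessed_on + timedelta(days=rule.expiration_days)
    return None


def assess_package(report, rules, today, known_before_config=frozenset()):
    """Apply the rules to every vulnerability in one component-report entry
    and derive the package-level effect: the package is blocked if any
    vulnerability lands on a blocking type, warns if any lands on a warning
    type, and everything uncovered is listed for manual review."""
    by_name = {rule.name: rule for rule in rules}
    assessments = {}
    needs_manual_review = []
    for vuln in report["vulnerabilities"]:
        vid = vuln["id"]
        if vid in known_before_config:
            # Already in ProGet before the rules existed: not auto assessed.
            needs_manual_review.append(vid)
            continue
        result = auto_assess(float(vuln["cvssScore"]), rules, today)
        if result is None:
            needs_manual_review.append(vid)
        else:
            assessments[vid] = result
    return {
        "blocked": any(by_name[n].blocks_download for n, _ in assessments.values()),
        "warn": any(by_name[n].warns_on_download for n, _ in assessments.values()),
        "assessments": assessments,
        "needs_manual_review": needs_manual_review,
    }


# Constructed sample shaped like an OSS Index component-report entry.
# The package, ids and scores are made up for this example.
SAMPLE_REPORT = {
    "coordinates": "pkg:npm/sample-lib@1.2.3",
    "vulnerabilities": [
        {"id": "SAMPLE-1", "title": "low-severity sample", "cvssScore": 3.1},
        {"id": "SAMPLE-2", "title": "medium-severity sample", "cvssScore": 5.4},
        {"id": "SAMPLE-3", "title": "high-severity sample", "cvssScore": 8.1},
        {"id": "SAMPLE-4", "title": "critical sample", "cvssScore": 9.8},
    ],
}

# Fixed "today" so expiration dates in the output are reproducible.
TODAY = date(2023, 2, 12)


if __name__ == "__main__":
    print("recommended:", assess_package(SAMPLE_REPORT, RECOMMENDED_RULES, TODAY))
    print("critical review:", assess_package(SAMPLE_REPORT, CRITICAL_REVIEW_RULES, TODAY))
```

With the recommended rules, the sample package ends up blocked (because of the 9.8 score), carries a warning (8.1), has its 3.1 finding ignored for 90 days, and leaves the 5.4 finding for someone to look at. Swapping in the critical-review rules keeps the block but turns the 8.1 finding into a tagged "Critical Review" assessment with no download warning.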
Troubleshooting
Issue: The option to configure a vulnerability source or to select OSS index is missing.
This can be fixed by verifying the Sonatype extension is installed. From the ProGet home screen, click the gear icon in the top-right corner to navigate to Administration Overview and click on Extensions under Integrations & Extensibility.
Next, click on the Sonatype box under Available Extensions and proceed to install.
Issue: Instead of having an option to create a vulnerability source, you only see Configure.
First, verify your vulnerability source exists under Administration Overview > Vulnerability Management > Vulnerability Source. If there is not already an OSS Index based vulnerability source there, create a new vulnerability source by clicking [Create Vulnerability Source].
If you do not have the option to create a new vulnerability source, please verify your Sonatype extension is installed.
Now, navigate to your feed > Manage Feed > Detection & Blocking and click on Configure Vulnerability Source. Select the vulnerability source you just created (or an existing one).
Issue: My ProGet isn't scanning for vulnerabilities right away
By default, packages will be scanned by the vulnerability downloader at 2:00am every day, but in order to get your packages scanned immediately, we recommend manually running the vulnerability scanner now. Navigate to Scheduled Jobs > VulnerabilityDownloader by clicking on the gear icon in the top-right corner.
Alternatively, when you navigate to Reporting & SCA > Vulnerabilities for the first time, you will be prompted to Run Job Now.