- 18 Jan 2022
- 5 Minutes to read
HOWTO: Scan & Block Packages with OSS Index
ProGet’s integrated vulnerability scanning allows you to effortlessly assess package vulnerabilities by setting up customized auto-assessment rules.
Open source packages come with security risks that should not be ignored, but checking and assessing every vulnerability by hand is impractical. ProGet can automatically block, allow, or flag packages based on the severity level that you set.
This article will walk through how to configure ProGet to scan for vulnerabilities and block packages.
Step 1: Create or log in to your OSS Index Account
ProGet uses Sonatype OSS Index to scan for package vulnerabilities, so you will need to create an OSS Index account or log in to an existing one.
Step 2: Locate your API token
After logging in, navigate to user settings and locate your API token.
You will need this API token in the next step, so copy it somewhere safe. Treat it as a credential: it authenticates ProGet's requests to OSS Index on behalf of your account.
Step 3: Configure your feed’s vulnerability source
In this guide we will be using a NuGet feed, but the same steps apply to any feed. From your feed navigate to Manage Feed.
Next navigate to Detection & Blocking and click on Configure Vulnerability Source.
Select OSS Index and fill out the relevant fields, using the API token you located in Step 2.
Manually Run the Vulnerability Scanner
By default, packages are scanned by the Vulnerability Downloader job at 2:00 AM every day, but to get your packages scanned immediately we recommend running the job manually now. This can be done by navigating to Feed > Manage Feed > Detection & Blocking and clicking on Scheduled Job.
You can adjust the frequency of the job, but we don't recommend doing so because Sonatype OSS Index rate-limits requests, and a more frequent schedule can cause scans to fail.
Click on the green triangle next to Vulnerability Downloader to begin the scan.
During the scan your packages are checked against the Sonatype OSS Index database, and a live action log is displayed while the job runs. This log is also the first place to look when debugging and diagnosing a scan that fails or returns no results.
Step 4: Assess Package Vulnerabilities
View Package Vulnerabilities
After running the vulnerability scanner, you will be able to navigate to your package of interest and click on the vulnerabilities tab. From here you can click on the vulnerabilities found in your package to get more details and decide how to assess them.
Assess Package Vulnerabilities
ProGet comes with three built-in assessment types:
- Ignore: Indicates that the vulnerability report is not applicable or irrelevant and therefore allows for packages to be downloaded
- Caution: Tells developers to be careful to avoid the vulnerability; packages may be downloaded, but a warning is issued on the web UI
- Blocked: Means a vulnerability is too severe to allow use, and packages are prevented from being downloaded
You can either click on each vulnerability and assess them individually, bulk edit, or auto assess. We recommend using the auto assess feature so you can automate as much of the process as possible. The next step will show how to customize auto assessment and best practices.
Step 5: Customize Vulnerability Assessment
We recommend using auto assessment in combination with a package approval workflow.
You can edit or create your own assessment type and setup auto assessment by clicking on the gear icon in the top right corner and navigating to Assessment Types under Vulnerability Management.
By default the assessment types Caution, Blocked, and Ignore are present, but they are not automated until Auto Assess (CVSS) is changed from Do Not Auto Assess to a specified CVSS score range.
Auto assessment can be customized to your preferences, however if you’re unsure of what the best option is we recommend the following auto assessment setup:
| Assessment Type | Auto assess (CVSS) | Expiration |
| --- | --- | --- |
| Ignore | Low (0.1-3.9) | 90 days |
| Caution | High (7.0-8.9) | 30 days |
| Blocked | Critical (9.0-10.0) | 30 days |
This configuration ignores low-score vulnerabilities, which typically do not affect your security, while critical vulnerabilities are immediately blocked from download.
Medium-score vulnerabilities (4.0-6.9) are deliberately left unassessed in this setup: they should be reviewed by a person to decide whether they can be ignored, require caution, or in rare cases should be blocked, but they do not typically require immediate action.
High-score vulnerabilities are not blocked in this scenario but are flagged with Caution, because they typically describe a flaw in a specific feature of the package that your application may not be using. The expiration ensures that each assessment is revisited rather than silently standing forever.
Vulnerabilities that were already downloaded to ProGet before auto assessment was configured are not auto assessed; only newly downloaded vulnerabilities are. Existing ones must be assessed individually or with bulk edit.
Custom Assessment Types
Creating and using custom assessment types can be very helpful when:
- You want different vulnerability expirations
- You want to tag vulnerabilities that may be treated or reviewed differently
For example, let's say you want an auto-assessment for High (7.0-8.9) that does not block, but requires a critical review. To accomplish this, you could create a "Critical Review" assessment type that auto-assesses when the score is High. A security admin can then filter on that type on the Vulnerabilities page in ProGet to perform the reviews.
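To make the effect of the recommended table and of a custom "Critical Review" type concrete, the following is an added illustration written for this article; it is not ProGet's code and does not call ProGet or OSS Index. It applies CVSS-range rules to a constructed component report (the field names `coordinates`, `vulnerabilities`, `id`, `title` and `cvssScore` are assumed to follow the shape of an OSS Index v3 component report), leaves vulnerabilities that were already known before auto assessment was configured unassessed, and computes when each assessment expires so that it comes back up for review.

```python
"""Added example: simulate ProGet-style auto-assessment of package vulnerabilities."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample in the assumed shape of an OSS Index v3 component report
# (not live data; ids and package names are invented for the example).
SAMPLE_REPORT = [
    {
        "coordinates": "pkg:nuget/Example.Json@1.0.0",
        "vulnerabilities": [
            {"id": "vuln-a", "title": "Example low-severity issue", "cvssScore": 3.1},
            {"id": "vuln-b", "title": "Example medium-severity issue", "cvssScore": 5.4},
        ],
    },
    {
        "coordinates": "pkg:nuget/Example.Web@2.3.0",
        "vulnerabilities": [
            {"id": "vuln-c", "title": "Example high-severity issue", "cvssScore": 8.1},
            {"id": "vuln-d", "title": "Example critical issue", "cvssScore": 9.8},
        ],
    },
]

SAMPLE_TODAY = date(2022, 1, 18)
SAMPLE_LATER = SAMPLE_TODAY + timedelta(days=30)  # when the 30-day assessments expire


@dataclass(frozen=True)
class AssessmentType:
    name: str
    blocks: bool                  # True -> package download is prevented
    cvss_min: Optional[float]     # None -> "Do Not Auto Assess"
    cvss_max: Optional[float]
    expiration_days: int

    def matches(self, score: float) -> bool:
        return self.cvss_min is not None and self.cvss_min <= score <= self.cvss_max


# The article's recommended setup; medium (4.0-6.9) deliberately has no rule.
RECOMMENDED_POLICY = [
    AssessmentType("Ignore", False, 0.1, 3.9, 90),
    AssessmentType("Caution", False, 7.0, 8.9, 30),
    AssessmentType("Blocked", True, 9.0, 10.0, 30),
]

# Variant from the custom-type section: High gets a non-blocking "Critical Review"
# tag with a shorter (assumed) 14-day expiration so it is revisited sooner.
CRITICAL_REVIEW_POLICY = [
    AssessmentType("Ignore", False, 0.1, 3.9, 90),
    AssessmentType("Critical Review", False, 7.0, 8.9, 14),
    AssessmentType("Blocked", True, 9.0, 10.0, 30),
]


@dataclass
class Assessment:
    vuln_id: str
    coordinates: str
    score: float
    assessment: Optional[str]     # None -> unassessed, needs a human
    blocks: bool
    expires: Optional[date]


def auto_assess(report, policy, today, already_known=frozenset()):
    """Apply CVSS-range rules to every vulnerability in the report.

    Ids in `already_known` were downloaded before auto-assess was configured and
    are left unassessed, mirroring the behaviour described in the article.
    """
    results = []
    for component in report:
        for v in component["vulnerabilities"]:
            score = float(v["cvssScore"])
            rule = None
            if v["id"] not in already_known:
                rule = next((r for r in policy if r.matches(score)), None)
            results.append(Assessment(
                vuln_id=v["id"],
                coordinates=component["coordinates"],
                score=score,
                assessment=rule.name if rule else None,
                blocks=rule.blocks if rule else False,
                expires=today + timedelta(days=rule.expiration_days) if rule else None,
            ))
    return results


def blocked_packages(assessments):
    """Package coordinates that a developer can no longer download."""
    return sorted({a.coordinates for a in assessments if a.blocks})


def needs_review(assessments, today):
    """Unassessed vulnerabilities plus those whose assessment has expired."""
    return sorted(a.vuln_id for a in assessments
                  if a.assessment is None or (a.expires is not None and a.expires <= today))


def tagged(assessments, name):
    """Vulnerability ids carrying a given assessment type, e.g. for an admin's filter."""
    return sorted(a.vuln_id for a in assessments if a.assessment == name)


if __name__ == "__main__":
    result = auto_assess(SAMPLE_REPORT, RECOMMENDED_POLICY, SAMPLE_TODAY)
    print("blocked:", blocked_packages(result))
    print("needs review today:", needs_review(result, SAMPLE_TODAY))
    print("needs review in 30 days:", needs_review(result, SAMPLE_LATER))
```

With the recommended policy the medium-score vulnerability is the only one waiting on a person today, the critical one blocks its package, and after 30 days the Caution and Blocked assessments expire and rejoin the review queue. Passing `already_known={"vuln-d"}` shows the caveat from Step 5: a critical vulnerability that was downloaded before auto assessment was configured stays unassessed, so its package is not blocked until someone assesses it manually.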
Issue: The option to configure a vulnerability source or to select OSS index is missing.
This can be fixed by verifying the Sonatype extension is installed. From the ProGet home screen, click the gear icon in the top right corner to navigate to Administration Overview and click on Extensions under Integrations & Extensibility.
Next click on the Sonatype box under Available Extensions and proceed to install.
Issue: Instead of having an option to create a vulnerability source, you only see Configure.
First, verify that your vulnerability source exists under Administration Overview > Vulnerability Management > Vulnerability Source. If there is not already an OSS Index based vulnerability source there, create a new one by clicking [Create Vulnerability Source].
If you do not have the option to create a new vulnerability source, please verify your Sonatype extension is installed.
Then navigate to your feed > Manage Feed > Detection & Blocking and click on Configure Vulnerability Source. Select the vulnerability source you just created (or an existing one).