HOWTO: Scan & Block Packages with OSS Index
  • 12 Feb 2023

Article Summary

ProGet’s integrated vulnerability scanning allows you to effortlessly assess package vulnerabilities by setting up customized auto-assessment rules.

Open-source packages come with security risks that should not be ignored, but checking and assessing every vulnerability by hand is impractical. ProGet can automatically block, allow, or flag packages based on the severity thresholds that you set.

This article will walk through how to configure ProGet to scan for vulnerabilities and block packages.

Step 1: Create or log in to your OSS Index account

ProGet uses Sonatype OSS Index to scan for package vulnerabilities, so to begin you will need to create or log in to your OSS Index account.

Sonatype OSS Index Sign In Page

Step 2: Locate your API token

After logging in, navigate to user settings and locate your API token.

User Settings Page With API Token

You will need this API token in the next step, so make sure to copy it or write it down.

Step 3: Configure your feed’s vulnerability source

In ProGet, navigate to Reporting & SCA > Vulnerabilities.

Reporting & SCA > Vulnerabilities

After clicking on OSS Index, fill out the relevant fields, using the API token you located in Step 2.

Create Vulnerability Source in ProGet

Manually Run the Vulnerability Scanner

By default, packages will be scanned by the vulnerability downloader at 2:00am every day, but in order to get your packages scanned immediately, we recommend manually running the vulnerability scanner now. Navigate to Scheduled Jobs > VulnerabilityDownloader by clicking on the gear icon in the top-right corner.

Scheduled Jobs

Then, click the green play button.

Manually Run the VulnerabilityDownloader Job

You can adjust the frequency of the job, but we don't recommend doing so because Sonatype OSS Index rate-limits API requests.

During the scan, your packages are checked against the Sonatype OSS Index database. The job's log output is displayed live and can also help with debugging and diagnosis.

Step 4: Assess Package Vulnerabilities

View Package Vulnerabilities

After running the vulnerability scanner, you will be able to navigate to your package of interest and click on the vulnerabilities tab. From here you can click on the vulnerabilities found in your package to get more details and decide how to assess them.

jQuery Package Vulnerabilities

Assess Package Vulnerabilities

ProGet comes with three built-in assessment types:

  • Ignore: Indicates that the vulnerability report is not applicable or irrelevant and therefore allows for packages to be downloaded
  • Caution: Tells developers to be careful to avoid the located vulnerability; packages may be downloaded, but a warning is issued on the web UI
  • Blocked: Means a vulnerability is too severe to allow use, and packages are prevented from being downloaded

Assess Package Vulnerability

You can assess each vulnerability individually, bulk edit them, or use auto assessment. We recommend using the auto assess feature so you can automate as much of the process as possible. The next step shows how to customize auto assessment and some best practices.

Step 5: Customize Vulnerability Assessment

Auto Assessment

We recommend using auto assessment in combination with a package approval workflow.

You can edit or create your own assessment type and set up auto assessment by clicking on the gear icon in the top-right corner. From here, navigate to Assessment Types under Vulnerability Management.

ProGet Assessment Type Setting

By default, the assessment types Caution, Blocked, and Ignore are present, but none of them is applied automatically until its Auto Assess (CVSS) setting is changed from Do Not Auto Assess to a specified score range.

Create Assessment Type

Auto assessment can be customized to your preferences. If you're unsure what the best option is, we recommend the following auto assessment setup:

Assessment Type    Auto assess (CVSS)     Expiration
Ignore             Low (0.1-3.9)          90 days
Caution            High (7.0-8.9)         30 days
Blocked            Critical (9.0-10.0)    30 days

This configuration ignores low score vulnerabilities, which typically will not impact your security, while critical vulnerabilities are immediately blocked for download.

Medium score vulnerabilities (4.0-6.9) are left unassessed in this setup because they should be reviewed by a person to determine whether they are ignored, require caution, or, in rare cases, should be blocked. Medium score vulnerabilities do not typically require immediate action.

High score vulnerabilities are not blocked in this scenario, but are flagged with Caution: they typically describe a flaw in a specific feature of the package, which may be a feature your application does not use.

Note Regarding Existing Vulnerabilities

Vulnerabilities that ProGet had already downloaded before auto assessment was configured are not auto assessed; only vulnerabilities downloaded after that point are.

Custom Assessment Types

Creating and using custom assessment types can be very helpful when:

  • You want different vulnerability expirations
  • You want to tag vulnerabilities that may be treated or reviewed differently

For example, say you want high (7.0-8.9) vulnerabilities to be auto assessed without being blocked, but to require a critical review. To accomplish this, create a "Critical Review" assessment type that auto assesses when a high vulnerability is located. A security admin can then filter on that type on the Vulnerabilities page in ProGet to work through the reviews.

Critical Review Custom Assessment Type
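The policy from Step 5 and the "Critical Review" variant above, as an added example that is not ProGet's or Sonatype's code: a small Python script that expresses the assessment table as data, applies it to a constructed OSS Index style component report, and shows how assessment expiration pushes findings back into review. The OSS Index endpoint, the Basic-auth scheme, the 128-coordinate request cap, and the sample package names, IDs and scores are assumptions, marked in the comments.

```python
"""Added example, not ProGet or Sonatype code: the Step 5 auto-assessment
policy as data, applied to an OSS Index style component report."""
import base64
import json
import urllib.request
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: OSS Index v3 component-report endpoint, HTTP Basic auth with the
# account e-mail as user and the API token from user settings as password, and
# a cap of 128 coordinates per request. Verify against the OSS Index API docs.
OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_COORDS_PER_REQUEST = 128


@dataclass(frozen=True)
class AssessmentType:
    name: str
    cvss_min: float    # inclusive lower bound of the auto-assess range
    cvss_max: float    # inclusive upper bound
    expires_days: int  # assessment expires this many days after it is made
    effect: str        # "allow", "warn" (download with a warning) or "block"


# Recommended setup from Step 5. Medium (4.0-6.9) has no rule on purpose: those
# findings stay unassessed until a person reviews them.
RECOMMENDED = (
    AssessmentType("Ignore", 0.1, 3.9, 90, "allow"),
    AssessmentType("Caution", 7.0, 8.9, 30, "warn"),
    AssessmentType("Blocked", 9.0, 10.0, 30, "block"),
)
# Custom type from the "Custom Assessment Types" section: High is tagged for a
# security admin to review instead of being blocked.
WITH_CRITICAL_REVIEW = (
    AssessmentType("Ignore", 0.1, 3.9, 90, "allow"),
    AssessmentType("Critical Review", 7.0, 8.9, 30, "warn"),
    AssessmentType("Blocked", 9.0, 10.0, 30, "block"),
)

# Constructed sample in the shape OSS Index returns (coordinates plus findings
# carrying a cvssScore). Package names, IDs and scores are made up.
SAMPLE_REPORT = [
    {"coordinates": "pkg:npm/sample-a@1.0.0",
     "vulnerabilities": [{"id": "SAMPLE-0001", "cvssScore": 3.1}]},
    {"coordinates": "pkg:npm/sample-b@2.0.0",
     "vulnerabilities": [{"id": "SAMPLE-0002", "cvssScore": 7.5},
                         {"id": "SAMPLE-0003", "cvssScore": 9.8}]},
    {"coordinates": "pkg:npm/sample-c@3.0.0",
     "vulnerabilities": [{"id": "SAMPLE-0004", "cvssScore": 5.3}]},
    {"coordinates": "pkg:npm/sample-d@4.0.0", "vulnerabilities": []},
]
SCAN_DATE = date(2023, 2, 12)                   # day the findings were downloaded
LATER = SCAN_DATE + timedelta(days=36)          # past the 30-day expirations
VERDICT_ORDER = ("block", "review", "warn", "allow")  # most to least severe


def auto_assess(cvss, policy):
    """Return the AssessmentType whose range contains cvss, or None."""
    for rule in policy:
        if rule.cvss_min <= cvss <= rule.cvss_max:
            return rule
    return None


def evaluate(report, policy, assessed_on, today):
    """{coordinates: (verdict, [(vuln_id, cvss, assessment_name_or_None)])}.
    Assumption: an expired assessment reverts to unassessed, and unassessed
    findings are surfaced as "review" rather than blocked; check the feed's
    Detection & Blocking settings for how your ProGet treats that case."""
    results = {}
    for component in report:
        findings, verdicts = [], set()
        for vuln in component.get("vulnerabilities", []):
            cvss = float(vuln["cvssScore"])
            rule = auto_assess(cvss, policy)
            expired = rule is not None and today > assessed_on + timedelta(days=rule.expires_days)
            name = None if rule is None or expired else rule.name
            verdicts.add("review" if name is None else rule.effect)
            findings.append((vuln["id"], cvss, name))
        verdict = next((v for v in VERDICT_ORDER if v in verdicts), "allow")
        results[component["coordinates"]] = (verdict, findings)
    return results


def findings_assessed_as(results, assessment_name):
    """(coordinates, vuln_id) pairs carrying one assessment type: the list a
    security admin would filter for on the Vulnerabilities page."""
    return [(coords, vuln_id) for coords, (_, findings) in results.items()
            for vuln_id, _, name in findings if name == assessment_name]


def fetch_component_report(coordinates, email, api_token):
    """Live OSS Index query (network; not used by the offline demo above)."""
    coords = list(coordinates)
    auth = base64.b64encode(f"{email}:{api_token}".encode()).decode()
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": f"Basic {auth}"}
    report = []
    for i in range(0, len(coords), MAX_COORDS_PER_REQUEST):
        body = json.dumps({"coordinates": coords[i:i + MAX_COORDS_PER_REQUEST]}).encode()
        req = urllib.request.Request(OSSINDEX_URL, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=30) as resp:
            report.extend(json.load(resp))
    return report


if __name__ == "__main__":
    for day in (SCAN_DATE, LATER):
        print(day, evaluate(SAMPLE_REPORT, RECOMMENDED, SCAN_DATE, day))
```

On the scan day, sample-b is blocked by its 9.8 finding and sample-c sits in review because nothing covers Medium; 36 days later the 30-day Blocked and Caution assessments have expired and sample-b drops back into review, while sample-a's 90-day Ignore still holds. Swapping in WITH_CRITICAL_REVIEW tags the 7.5 finding "Critical Review" so findings_assessed_as can pull the admin's queue. To run against real Package URLs, call fetch_component_report with your OSS Index e-mail and API token and pass its result to evaluate.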

Troubleshooting

Issue: The option to configure a vulnerability source or to select OSS Index is missing.

This can be fixed by verifying the Sonatype extension is installed. From the ProGet home screen, click the gear icon in the top-right corner to navigate to Administration Overview and click on Extensions under Integrations & Extensibility.

Administration Overview

Next, click on the Sonatype box under Available Extensions and proceed to install.

Sonatype extension

Issue: Instead of having an option to create a vulnerability source, you only see Configure.

First, verify your vulnerability source exists under Administration Overview > Vulnerability Management > Vulnerability Source. If there is not already an OSS Index based vulnerability source there, create a new vulnerability source by clicking [Create Vulnerability Source].

Create Vulnerability Source in ProGet

If you do not have the option to create a new vulnerability source, please verify your Sonatype extension is installed.

Now, navigate to your feed > Manage Feed > Detection & Blocking and click on Configure Vulnerability Source. Select the vulnerability source you just created (or an existing one).

Configure Vulnerability Source in ProGet

Issue: My ProGet isn't scanning for vulnerabilities right away

By default, the VulnerabilityDownloader job runs at 2:00am every day. To scan immediately, run the job manually as described above: click the gear icon in the top-right corner, navigate to Scheduled Jobs > VulnerabilityDownloader, and click the green play button.

Alternatively, when you navigate to Reporting & SCA > Vulnerabilities for the first time, you will be prompted to Run Job Now.

First-time scan

