HOWTO: Scan & Block Packages with OSS Index
  • 18 Jan 2022

ProGet’s integrated vulnerability scanning allows you to effortlessly assess package vulnerabilities by setting up customized auto-assessment rules.

Open source packages come with security risks that should not be ignored, but checking and assessing every vulnerability by hand is impractical. ProGet can automatically block, allow, or flag packages based on the severity level that you set.

This article will walk through how to configure ProGet to scan for vulnerabilities and block packages.

Step 1: Create or log in to your OSS Index Account

ProGet uses Sonatype OSS Index to scan for package vulnerabilities, so you will need to create or log in to your OSS Index account.

Sonatype OSS Index Sign In Page

Step 2: Locate your API token

After logging in, navigate to user settings and locate your API token.

User Settings Page With API Token

You will need this API key in the next step, so make sure to copy or write it down.

Step 3: Configure your feed’s vulnerability source

In this guide we will be using a NuGet feed, but the same steps apply to any feed. From your feed navigate to Manage Feed.

Manage Feed in ProGet

Next navigate to Detection & Blocking and click on Configure Vulnerability Source.

Configure Vulnerability Source in ProGet

After clicking on OSS Index, fill out the relevant fields. Make sure to use the API key you located in Step 2.

Create Vulnerability Source in ProGet

Manually Run the Vulnerability Scanner

By default, packages will be scanned by the vulnerability downloader at 2:00 AM every day, but in order to get your packages scanned immediately we recommend manually running the vulnerability scanner now. This can be done by navigating to Feed > Manage Feed > Detection & Blocking and clicking on Scheduled Job.

You can adjust the frequency of the job, but we don’t recommend doing so because Sonatype OSS Index will rate-limit your requests.

Schedule Job In ProGet

Click on the green triangle next to Vulnerability Downloader to begin the scan.

Run Vulnerability Downloader

During the scan your packages will be inspected for vulnerabilities against the Sonatype OSS Index database, and the action log output will be displayed when the scan is completed. This log can also help with debugging and diagnosis.

Step 4: Assess Package Vulnerabilities

View Package Vulnerabilities

After running the vulnerability scanner, you will be able to navigate to your package of interest and click on the Vulnerabilities tab. From here you can click on the vulnerabilities found in your package to get more details and decide how to assess them.

jQuery Package Vulnerabilities

Assess Package Vulnerabilities

ProGet comes with three built-in assessment types:

  • Ignore: Indicates that the vulnerability report is not applicable or irrelevant and therefore allows for packages to be downloaded
  • Caution: Tells developers to be careful to avoid the vulnerability; packages may be downloaded, but a warning is issued on the web UI
  • Blocked: Means a vulnerability is too severe to allow use, and packages are prevented from being downloaded

Assess Package Vulnerability

You can either click on each vulnerability and assess them individually, bulk edit, or auto assess. We recommend using the auto assess feature so you can automate as much of the process as possible. The next step will show how to customize auto assessment and best practices.

Step 5: Customize Vulnerability Assessment

Auto Assessment

We recommend using auto assessment in combination with a package approval workflow.

You can edit or create your own assessment type and set up auto assessment by clicking on the gear icon in the top right corner and navigating to Assessment Types under Vulnerability Management.

ProGet Assessment Type Setting

By default the assessment types Caution, Blocked, and Ignore will be present, but they will not be applied automatically unless the Auto Assess (CVSS) setting is changed from Do Not Auto Assess to a specified score range.

Create Assessment Type

Auto assessment can be customized to your preferences, however if you’re unsure of what the best option is we recommend the following auto assessment setup:

Assessment Type   Auto Assess (CVSS)    Expiration
Ignore            Low (0.1-3.9)         90 days
Caution           High (7.0-8.9)        30 days
Blocked           Critical (9.0-10.0)   30 days

This configuration will ignore low-score vulnerabilities, which typically will not impact your security, while critical vulnerabilities are immediately blocked from download.

Medium-score vulnerabilities are left unassessed in this case because they should be reviewed by someone to determine whether they can be ignored, require caution, or in rare cases should be blocked; they do not typically require immediate action.

High-score vulnerabilities are not blocked in this scenario, but should be treated with caution: they typically describe a security flaw in a specific feature of the package, which may not be a feature that your application is using.

Note Regarding Existing Vulnerabilities

Existing vulnerabilities that were already downloaded to ProGet will not be auto assessed. After auto assess is configured only new vulnerabilities will be auto assessed.

Custom Vulnerability Assessment Types

Creating and using custom vulnerability types can be very helpful when:

  • You want different vulnerability expirations
  • You want to tag vulnerabilities that may be treated or reviewed differently

For example, say you want an auto-assessment for High (7.0-8.9) that does not block but requires a critical review. To accomplish this, you could create a "Critical Review" assessment type that auto-assesses on the High range. A security admin can then filter on that type on the Vulnerabilities page in ProGet to perform the critical reviews.

Critical Review Custom Assessment Type
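The following added Python example (not ProGet's code) models the recommended auto-assessment table above and the "Critical Review" custom type: each assessment type maps a CVSS range to an expiration period and a download decision, only vulnerabilities with no existing assessment are auto-assessed, and an expired assessment returns the vulnerability to the unassessed state. The vulnerability ids and dates are constructed, and treating unassessed or expired vulnerabilities as non-blocking is an assumption of this model.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class AssessmentType:
    name: str
    cvss_min: float        # inclusive lower bound of the auto-assess range
    cvss_max: float        # inclusive upper bound
    expiration_days: int   # how long the assessment stays valid
    blocks_download: bool  # True only for "Blocked"-style types

# Recommended setup from the article: Medium (4.0-6.9) is deliberately left out.
RECOMMENDED: List[AssessmentType] = [
    AssessmentType("Ignore", 0.1, 3.9, 90, False),
    AssessmentType("Caution", 7.0, 8.9, 30, False),
    AssessmentType("Blocked", 9.0, 10.0, 30, True),
]

# Custom variant: the High range goes to a "Critical Review" type instead of Caution.
CRITICAL_REVIEW: List[AssessmentType] = [
    AssessmentType("Ignore", 0.1, 3.9, 90, False),
    AssessmentType("Critical Review", 7.0, 8.9, 30, False),
    AssessmentType("Blocked", 9.0, 10.0, 30, True),
]

Assessment = Tuple[Optional[str], Optional[date]]  # (type name, expiry) or (None, None)

def auto_assess(cvss: float, policy=RECOMMENDED) -> Optional[AssessmentType]:
    """Return the type whose CVSS range covers the score, or None (unassessed)."""
    for t in policy:
        if t.cvss_min <= cvss <= t.cvss_max:
            return t
    return None

def assess_new(vulns: Dict[str, float], existing: Dict[str, Assessment],
               today: date, policy=RECOMMENDED) -> Dict[str, Assessment]:
    """Auto-assess only vulnerabilities not already assessed (existing ones are kept)."""
    result: Dict[str, Assessment] = dict(existing)
    for vid, score in vulns.items():
        if vid in existing:
            continue
        t = auto_assess(score, policy)
        result[vid] = (None, None) if t is None else (t.name, today + timedelta(days=t.expiration_days))
    return result

def download_allowed(assessments: Dict[str, Assessment], today: date, policy=RECOMMENDED) -> bool:
    """Block the package if any vulnerability has an unexpired blocking assessment."""
    by_name = {t.name: t for t in policy}
    for name, expires in assessments.values():
        if name is not None and by_name[name].blocks_download and expires >= today:
            return False
    return True
```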

Troubleshooting

Issue: The option to configure a vulnerability source or to select OSS index is missing.

This can be fixed by verifying the Sonatype extension is installed. From the ProGet home screen, click the gear icon in the top right corner to navigate to Administration Overview and click on Extensions under Integrations & Extensibility.

Administration Overview

Next click on the Sonatype box under Available Extensions and proceed to install.

Sonatype extension

Issue: Instead of having an option to create a vulnerability source you only see Configure.

First, verify your vulnerability source exists under Administration Overview > Vulnerability Management > Vulnerability Source. If there is not already an OSS Index based vulnerability source there, create a new vulnerability source by clicking [Create Vulnerability Source].

Create Vulnerability Source in ProGet

If you do not have the option to create a new vulnerability source, please verify your Sonatype extension is installed.

Then navigate to your feed > Manage Feed > Detection & Blocking and click on Configure Vulnerability Source. Select the vulnerability source you just created (or an existing one).

Configure Vulnerability Source in ProGet
