We’ve made a lot of improvements to Vulnerability Scanning in ProGet 2022. Not only is it simpler to configure, but it’s integrated with the new Software Composition Analysis (SCA) features. This will let you see which of your application releases (in production or in flight) are impacted by vulnerabilities from the packages they use.

If you’re not already scanning your open-source packages for vulnerabilities, now’s a great time to get started. And it’s pretty easy with ProGet 2022.

In this article, we’ll explain why you should care about open-source vulnerabilities, how ProGet helps, and how you can start using Vulnerability Scanning with Software Composition Analysis.

Open-source Vulnerabilities are Everywhere

Open-source packages – i.e. the libraries you can find on NuGet.org, npmjs.org, PyP.org, etc. – can be a minefield. In Python, nearly 150 vulnerabilities were found in over 40% of packages in PyPI.

We all know about Java’s high-severity Log4Shell vulnerability, but other vulnerabilities can be just as harmful. For example, WinSCPHelper 1.0.13 allows remote attackers to execute arbitrary programs when the URL handler encounters a specially-crafted URL.

Vulnerabilities are everywhere, and it’s hard to avoid them. But that’s okay – you don’t need to stress about every vulnerability in every package your team is using. Even “critical” vulnerabilities are often practically impossible to exploit, especially if your application isn’t that impacted code.

Instead of trying to avoid vulnerabilities, you need to assess them:

• Does this vulnerability impact our applications? 
• Should we upgrade the package?
• Should we work around the vulnerability?

This is where ProGet can help.

ProGet can automatically scan the third-party, open-source packages and container images that you’re using for vulnerabilities, and allow you to assess the risk that they may pose. This enables you to:

• Block packages or container images that you deem too risky to use
• Warn users of vulnerabilities that they should be careful with
• Identify which of your Projects and Releases are impacted by vulnerabilities
• Alert you when new vulnerabilities are discovered

Here’s how you can get started.

Step 1: Integrate ProGet with OSS-Index

ProGet works with leading vulnerability data providers that aggregate vulnerability records from databases like the National Vulnerability Database. These data providers are called “vulnerability sources”, and after configuring them to scan your feeds, ProGet will routinely download vulnerability records that relate to your packages and container images.

To configure vulnerability sources, navigate to Reporting & SCA > Vulnerabilities:

There are currently two vulnerability sources in ProGet:

• OSS Index is a free service that catalogs open-source packages and identifies vulnerabilities
• Clair is a free, self-managed tool that scans for vulnerabilities in your container images.

We may add additional vulnerability sources later from other vendors. Some users have created their own vulnerability sources using the Inedo SDK.

Once you’ve configured this, ProGet will automatically scan your packages nightly.

Step 2: Run your first vulnerability Scan

Although ProGet will download vulnerabilities on a nightly basis, you may wish to scan your packages right away.

You can do this by navigating to Administration -> Scheduled Jobs page. Then click the green play button to the right of the VulnerabilityDownloader  task.

Step 3: Assess Vulnerabilities

Once ProGet has detected vulnerabilities, you’ll want to assess how those vulnerabilities will impact your organization. To help with this, ProGet has three built-in assessment types:

• Ignore indicates that the vulnerability report is not applicable or irrelevant and therefore allows for packages to be downloaded
• Caution tells developers to be careful to avoid the vulnerability; packages may be downloaded, but a warning is issued on the web UI
• Blocked means a vulnerability is too severe to allow the use, and packages are prevented from being downloaded

You can edit or create your own assessment type by going to Admin > Assessment Types, and specifying a name, expiration (days), color, whether or not packages would be blocked, and an auto-assessment range.

Automatic Assessment

ProGet can automatically assess new vulnerabilities based on a vulnerability’s CVE Score. You can configure this by simply creating or editing the auto-assessment range on an assessment type.

Step 4: Integrate ProGet into your CI/CD pipeline

To learn which of your Projects and Releases are impacted by these vulnerabilities, you can integrate ProGet into your CI/CD pipeline.

This will let ProGet track the open-source and third-party components (packages) that your organization uses, and help you identify issues like vulnerabilities, license violations, and missing packages.

ProGet will routinely analyze your project’s active releases for new vulnerabilities or unwanted licenses in the packages it uses. When such a package is found, ProGet will create an “issue” on the release that you can resolve.

Step 5: Resolve issues

During the routine scan of active release, when vulnerabilities with one of the following assessment states are found, ProGet will create an “issue” on the release that you can resolve.

These issues can then be resolved in two ways:

• Automatically Resolved; the next time ProGet analyzes a release, if the issue is no longer present, then it will automatically be resolved
• Manually Resolved; a user can mark an issue as resolved after determining that the issue won’t impact the release

Next Steps: Upgrade and Explore

Upgrading to ProGet 2022 is easy. See Vulnerability Scanning and Blocking – Software Composition Analysis (SCA) for more guidance and instruction on how to secure your software supply chain from known vulnerabilities.