ProGet Documentation

Integrating ProGet with OSS Index

The OSS Index extension provides a Vulnerability Source that will automatically import vulnerability reports from various public databases using Sonatype's OSS Index.

Connecting to OSS Index

If you're not an OSS Index user, you'll need to make an account and request a trial license or purchase a professional license. This can be done by visiting > selecting the user icon in the top right corner > Register for an account.

Note: Sonatype recently acquired Vor Security; in ProGet v5.0 and earlier, OSS Index was Vor Security. If you were previously a Vor Security user, your account has been automatically migrated over to OSS Index.

Once logged into OSS Index you can copy the API token.

After retrieving the API token from OSS Index, set it as your Vulnerability Source in ProGet by going to Administration > Manage Vulnerability Sources > Create Vulnerability Source.

Create an Assessment

To create a new Assessment type go Administration > Manage Assessment Types > Create Assessment Type.

When a vulnerability is detected, it is automatically assigned to the unassessed type, and will require user assessment before being usable.

Feed Level Configuration

Vulnerability sources are scoped at the feed level and can be added on a feed-by-feed basis. Since Security and Access Controls are also scoped at the feed level, you are able to permit and restrict access to who is allowed to assess vulnerabilities.

Go to the feeds tab and select a feed to add the vulnerability source to. Then select Manage Feed > add source.

Once the source is added, any package vulnerabilities found will be labeled Unassessed, and will be available for assessment.

Assessing Vulnerabilities

After you've added a vulnerability source, any known vulnerabilities will be available for assessment. These are viewed by clicking the Vulnerabilities tab.

Select any of the vulnerabilities listed to view additional details, and assign an assessment status. Click assess to select a new assessment type.

Assessments can have a set expiration which will force reassessment. This ensures that compliance needs are continually addressed and that security standards are upheld as development continues.