Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Question About Vulnerability Assessment Expiry Behavior in ProGet

    Scheduled Pinned Locked Moved Support
    10 Posts 3 Posters 40 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P Offline
      pooyan.zamanian_1706
      last edited by

      Hi,
      I have a question about vulnerability assessment in ProGet. When I manually assess a vulnerability, it gets marked as Unassessed after the expiration date, displaying a message like:

      "The vulnerability assessment expired on 4/2/2025 8:00 PM, which means this will be treated as an unassessed vulnerability."

      So, when I manually reassess a vulnerability at the feed level (by defining the scope as the feed policy), it becomes Unassessed after expiry. According to the feed policy, Unassessed vulnerabilities should be Noncompliant and blocked. However, per the global policy, Unassessed is considered Compliant, allowing the package with the vulnerability to be downloaded—even though the feed policy should block it.

      Note that other packages with Unassessed vulnerabilities cannot be downloaded from the feed, but the one that became Unassessed after the assessment expiration remains downloadable within the same feed.

      Is this the expected behavior? How can we ensure that after a vulnerability expires and becomes Unassessed, it follows the feed-level policy instead of the global policy?

      I have also reviewed the documentation here: https://docs.inedo.com/docs/proget/sca/vulnerabilities.

      Thanks in advance!

      atrippA 1 Reply Last reply Reply Quote 0
      • atrippA Offline
        atripp inedo-engineer @pooyan.zamanian_1706
        last edited by

        Hi @pooyan-zamanian_1706,

        Sorry on the slow reply, I tried to quickly reproduce it but it worked as expected -- but I must have done something wrong. Then I realized we can just ask for your analysis logs.

        On this particular package, can you do a "Re-Analyze" (in the drop-down button) and then share the logs from that? That will help us identify exactly what's going on.

        But overall you are correct... once an assessment expires, it should be treated as if it were unassessed, which in your caase, would mean a noncompliant / blocked package.

        Thanks,
        Alana

        P 1 Reply Last reply Reply Quote 0
        • P Offline
          pooyan.zamanian_1706 @atripp
          last edited by

          @atripp Thanks for getting back to me.

          This is the Re-analyze log for the affected package:

          "Package "pkg:nuget/System.Text.Encodings.Web@4.5.0" will analyzed with local data
          Package originates from package gallery (https://api.nuget.org/v3/index.json); remote metadata will be used to determine latest patch version instead of local feed.
          Attempting to update local package with remote metadata...
          No Remote Metadata Provider was found for "https://api.nuget.org/v3/index.json"
          Detecting licenses for "pkg:nuget/System.Text.Encodings.Web@4.5.0"...
          Found 0 licenses:
          Detecting vulnerabilities for "System.Text.Encodings.Web" version "4.5.0"...
          Found 1 vulnerabilities.
          Searching policies associated with feed "v_External"...
          Found 2 policies to use for analysis.
          Policies rules will be applied in following order: Global, v_External
          Beginning license rule analysis...
          Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
          No licenses detected on package; applying undectableLicense rule (Warn)
          License rule analysis complete.
          Package has 1 vulnerabilities.
          Beginning vulnerability rule analysis...
          Checking PGV-2129406 against rules...
          No vulnerability rule specified; applying default rule (Warn) for severity.
          Vulnerability assessment rule analysis complete.
          No policies define a latest patch, so latest patch will not be checked."

          However, under PGV-2129406, it says that Vulnerability Assessment Expired: The vulnerability assessment expired on 4/2/2025 8:00 PM, which means this will be treated as an unassessed vulnerability.

          And per the v_External policy, Unassessed is Noncompliant.

          Should we hold off on the package for a week to allow the rule analysis to take effect? We have another package in the same state that was manually assessed some time ago, but it's now unassessed and, as expected, not downloadable. ("The vulnerability assessment expired on 3/27/2025 8:00 PM, which means this will be treated as an unassesed vulnerability.")

          Please see the Re-analyze log for the other package:
          "Package "pkg:nuget/Refit@7.2.1" will analyzed with remote metadata
          Package originates from package gallery (https://api.nuget.org/v3/index.json); remote metadata will be used to determine latest patch version instead of local feed.
          Detecting licenses for "pkg:nuget/Refit@7.2.1"...
          Found 1 licenses: MIT
          Detecting vulnerabilities for "Refit" version "7.2.1"...
          Found 1 vulnerabilities.
          Searching policies associated with feed "v_External"...
          Found 2 policies to use for analysis.
          Policies rules will be applied in following order: Global, v_External
          Beginning license rule analysis...
          Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
          Checking MIT against rules...
          No matching license rules; applying unspecifiedLicense rule (Compliant)
          License rule analysis complete.
          Package has 1 vulnerabilities.
          Beginning vulnerability rule analysis...
          Checking PGV-2481821 against rules...
          Policy "v_External" considers Unassessed Noncompliant
          Vulnerability assessment rule analysis complete.
          No policies define a latest patch, so latest patch will not be checked."

          1 Reply Last reply Reply Quote 0
          • rhessingerR Offline
            rhessinger inedo-engineer
            last edited by

            Hi @pooyan-zamanian_1706,

            Thanks for sending this over to us. Just wanted to check, does the PGV-2129406 vulnerability have only a single assessment or is there an overridden assessment for that feed on that vulnerability? Also, are both of these packages in the same feed?

            The log gives us a good starting point to attempt to recreate it, but I just wanted to make sure I have the base conditions set to recreate it.

            Thanks,
            Rich

            Products Engineer, Inedo

            P 1 Reply Last reply Reply Quote 0
            • P Offline
              pooyan.zamanian_1706 @rhessinger
              last edited by

              @rhessinger Thanks.

              This the information for PGV-2129406

              Assessment:
              High-Critical by System on 4/2/2025 1:00:01 AM
              Caution (for policy: Verified_External) by USER on 4/2/2025 9:11:37 AM
              Expiration
              Caution (Policy) expires on 4/2/2025 8:00:00 PM

              Both packages are in the same feed and in the feed policy, Unassessed is Noncompliant.

              1 Reply Last reply Reply Quote 0
              • rhessingerR Offline
                rhessinger inedo-engineer
                last edited by

                Hi @pooyan-zamanian_1706,

                Thanks for the additional information. This will take me a bit of time to work through. I should have an update for you tomorrow.

                Thanks,
                Rich

                Products Engineer, Inedo

                1 Reply Last reply Reply Quote 0
                • rhessingerR Offline
                  rhessinger inedo-engineer
                  last edited by

                  Hi @pooyan-zamanian_1706,

                  I was able to recreate this issue and have created a new ticket, PG-2946, to track the fix. This should be released in the next maintenance release of ProGet 2024.33. If any thing changes, I will let you know.

                  Thanks,
                  Rich

                  Products Engineer, Inedo

                  P 1 Reply Last reply Reply Quote 0
                  • P Offline
                    pooyan.zamanian_1706 @rhessinger
                    last edited by

                    @rhessinger
                    Thank you!
                    Do you know what the timeline is for the release of ProGet 2024.33?

                    1 Reply Last reply Reply Quote 0
                    • rhessingerR Offline
                      rhessinger inedo-engineer
                      last edited by

                      Hi @pooyan-zamanian_1706,

                      Sure thing! ProGet 2024.33 is scheduled to release on April 18th. If you need something earlier, we can create a pre-release build as soon as the fix is ready (it's currently going through testing at the moment).

                      Thanks,
                      Rich

                      Products Engineer, Inedo

                      P 1 Reply Last reply Reply Quote 0
                      • P Offline
                        pooyan.zamanian_1706 @rhessinger
                        last edited by

                        @rhessinger
                        Cool, thanks for the information.
                        April 18th is great.

                        1 Reply Last reply Reply Quote 0

                        Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                        Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                        With your input, this post could be even better đź’—

                        Register Login
                        • 1 / 1
                        • First post
                          Last post
                        Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation