Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    ProGet 2026.1 (PostgreSQL) — Two issues with vulnerability management

    Scheduled Pinned Locked Moved Support
    4 Posts 2 Posters 19 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C Offline
      cssccmgroup_4090
      last edited by

      Environment:

      ProGet 2026.1
      PostgreSQL database
      Upgraded from 2025.27
      Issue 1: Custom assessment type creation fails with 500 error

      When attempting to create a custom assessment type using CVSS score ranges under Admin → Vulnerabilities & Assessment Types, ProGet returns a 500 error:

      42809: PgvdAssessmentTypes_CreateOrUpdateAssessmentType(character varying, integer, 
      character, integer, character varying, boolean, character varying, text, integer) 
      is not a procedure POSITION: 6
      

      Steps to reproduce:

      1. Go to Admin → Vulnerabilities & Assessment Types
      2. Click "Create Custom Assessment Type"
      3. Set Apply To = CVSS Score range
      4. Save

      Expected: Custom assessment type created successfully

      Actual: 500 error with PostgreSQL error 42809

      Issue 2: /api/sca/releases returns all build-level vulnerabilities on every package

      When calling GET /api/sca/releases?project=X&version=Y, the vulnerabilities array on each package contains all vulnerabilities from the entire build instead of only the ones that apply to that specific package.

      Example from our build (228 packages):

      The package @types/core-js@0.9.46 has this in the response:

      {
        "purl": "pkg:npm/%40types/core-js@0.9.46",
        "compliance": {
          "result": "Warn",
          "detail": "Vulnerability (PGV-2129406);Vulnerability (PGV-2220427);Vulnerability (PGV-22381DM)",
          "date": "2026-05-28T22:30:01.695805Z"
        },
        "vulnerabilities": [
          { "id": "PGV-262965T", "title": "uuid: Missing buffer bounds check..." },
          { "id": "PGV-2444748", "title": "ws affected by a DoS..." },
          { "id": "PGV-2031843", "title": "Potential XSS vulnerability in jQuery..." }
          // ... 80+ more entries, none of which are PGV-2129406, PGV-2220427, or PGV-22381DM
        ]
      }
      

      Both the vulnerabilities array and compliance.detail appear to return the same build-level data on every package. For example, @types/core-js@0.9.46 shows PGV-2129406, PGV-2220427, PGV-22381DM in its compliance.detail, but so does every other package in the build. Neither field reflects per-package vulnerability data.

      Every single package in the build has an identical vulnerabilities array with 80+ entries regardless of what actually applies to it.

      The UI Vulnerabilities tab shows the correct data — only 3 packages with Remediate issues. So the underlying data is correct, but the API response is not reflecting it accurately.

      This worked correctly in 2025.x where the vulnerabilities array contained only per-package vulnerabilities.

      Impact: Any script or integration using /api/sca/releases to generate per-package vulnerability reports produces incorrect output.

      1 Reply Last reply Reply Quote 0
      • Dan_WoolfD Offline
        Dan_Woolf inedo-engineer
        last edited by

        Hi @cssccmgroup_4090,

        Thanks for sending over this detail!

        For Issue 1: We were able to reproduce this and will have it fixed in PG-3292 in today's release of ProGet 2026.2.

        For Issue 2: We see the issue with the vulnerabilities array and will also have that fixed in today's release of ProGet 2026.2 (tacked in fix PG-3293). We are having some issues recreating the issue with the complainace.detail. Would you be able to send us an example SBOM file with this issue?

        Thanks,
        Dan

        1 Reply Last reply Reply Quote 0
        • C Offline
          cssccmgroup_4090
          last edited by

          Hi @Dan_Woolf,

          Thank you for the quick turnaround on both fixes.

          We would prefer not to share the SBOM here, as it contains our dependency list. Is there a way for me to share the SBOM directly with you instead of posting it here?

          1 Reply Last reply Reply Quote 0
          • Dan_WoolfD Offline
            Dan_Woolf inedo-engineer
            last edited by

            Hi @cssccmgroup_4090,

            I created a private ticket on your behalf. You can see it by navigating to https://my.inedo.com/tickets. Please upload the SBOM through that ticket.

            Thanks,
            Dan

            1 Reply Last reply Reply Quote 0

            Hello! It looks like you're interested in this conversation, but you don't have an account yet.

            Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

            With your input, this post could be even better 💗

            Register Login
            • 1 / 1
            • First post
              Last post
            Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation