Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    About trigger for assessment of existing vulnerability once current assessment is expired or new vulnerability.

    Scheduled Pinned Locked Moved Support
    proget
    2 Posts 2 Posters 9 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S Offline
      shihui0304_6759
      last edited by

      hi,

      I read the document and get this: "All newly entered or imported vulnerability reports are considered unassessed, which means that packages matching the vulnerability will be blocked until the report is assessed. An assessment involves an authorized user reviewing the report, choosing an assessment type (Ignore, Caution, Block), and leaving an optional comment.

      Depending on the assessment type, the assessment may expire; this means that, unless it's reassessed, the vulnerability report will be considered unassessed after expiry.

      This can be useful to temporarily allow a package, or to review usage of packages after a certain amount of time. "

      But,

      1. It seems that package download could be downloaded if a new vulnerability for that package is discovered and no assessment is done yet.
      2. About trigger for assessment of existing vulnerability once current assessment is expired or new vulnerability. I didn’t see a way to configure any notification here. The report's Assessment was not unassessed after expiry.

      Why is that?

      Product: ProGet
      Version: 5.0.13

      1 Reply Last reply Reply Quote 0
      • atrippA Offline
        atripp inedo-engineer
        last edited by

        Good questions;

        1. You can configure ProGet to block packages with "unassessed" vulnerabilities; this is not the default configuration because a lot of times vulnerabilities are discovered after you've already been using a package anyways

        2. That's true, but maybe we could expand webhooks? I'm not sure, but it seems like it could be a feature request if it's something you'd actually want to use, etc.

        1 Reply Last reply Reply Quote 0

        Hello! It looks like you're interested in this conversation, but you don't have an account yet.

        Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

        With your input, this post could be even better 💗

        Register Login
        • 1 / 1
        • First post
          Last post
        Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation