About trigger for assessment of existing vulnerability once current assessment is expired or new vulnerability.
-
hi,
I read the document and get this: "All newly entered or imported vulnerability reports are considered unassessed, which means that packages matching the vulnerability will be blocked until the report is assessed. An assessment involves an authorized user reviewing the report, choosing an assessment type (Ignore, Caution, Block), and leaving an optional comment.
Depending on the assessment type, the assessment may expire; this means that, unless it's reassessed, the vulnerability report will be considered unassessed after expiry.
This can be useful to temporarily allow a package, or to review usage of packages after a certain amount of time. "
But,
- It seems that a package could still be downloaded if a new vulnerability for that package is discovered and no assessment has been done yet.
- About the trigger for assessment of an existing vulnerability once the current assessment has expired, or when a new vulnerability appears: I didn't see a way to configure any notification here. The report's assessment was not unassessed after expiry.
Why is that?
Product: ProGet
Version: 5.0.13
-
Good questions;
-
You can configure ProGet to block packages with "unassessed" vulnerabilities; this is not the default configuration because a lot of the time vulnerabilities are discovered after you've already been using a package anyway.
-
That's true, but maybe we could expand webhooks? I'm not sure, but it seems like it could be a feature request if it's something you'd actually want to use, etc.
-
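To make the semantics discussed in this thread concrete, here is an added illustration (not ProGet's own code, and not from any of the posters) of how the quoted documentation's rules can be modelled: a report with no assessment is unassessed; an assessment with an expiry date reverts to unassessed once it expires; Ignore, Caution and Block have the obvious effects; and a `block_unassessed` flag stands in for the non-default setting the reply mentions. It also includes a small `needs_reassessment` helper of the kind one could run on a schedule to produce the "assessment expired" notification the question asks for. The class names, the field names and the sample reports are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Assessment types as named in the quoted ProGet documentation.
IGNORE, CAUTION, BLOCK = "Ignore", "Caution", "Block"


@dataclass
class VulnerabilityReport:
    """Hypothetical model of one vulnerability report (field names are assumptions)."""
    report_id: str
    package: str                          # package the report matches
    assessment: Optional[str] = None      # None means the report is unassessed
    expires_at: Optional[datetime] = None # only meaningful when assessed

    def effective_assessment(self, now: datetime) -> Optional[str]:
        """Assessment in force at `now`.

        Per the quoted documentation, an expired assessment counts as
        unassessed until someone reassesses the report.
        """
        if self.assessment is None:
            return None
        if self.expires_at is not None and now >= self.expires_at:
            return None
        return self.assessment


def package_decision(package: str, reports: List[VulnerabilityReport],
                     now: datetime, block_unassessed: bool) -> str:
    """Return 'allow', 'caution' or 'block' for a download of `package`.

    `block_unassessed` models the non-default setting described in the thread:
    when True, any unassessed (or expired) report blocks the package; when
    False, unassessed reports are simply not acted on (assumption: that is what
    "not blocking" means with the default setting).
    """
    decision = "allow"
    for r in reports:
        if r.package != package:
            continue
        a = r.effective_assessment(now)
        if a is None:
            if block_unassessed:
                return "block"
            continue
        if a == BLOCK:
            return "block"
        if a == CAUTION:
            decision = "caution"
        # IGNORE has no effect on the decision.
    return decision


def needs_reassessment(reports: List[VulnerabilityReport],
                       now: datetime) -> List[VulnerabilityReport]:
    """Reports that are unassessed or whose assessment has expired.

    Running this on a schedule (e.g. a cron job against an export of the
    reports) is one way to get the notification the question asks for.
    """
    return [r for r in reports if r.effective_assessment(now) is None]


# Constructed sample data for the example; these are not real reports.
NOW = datetime(2024, 1, 10)
SAMPLE_REPORTS = [
    VulnerabilityReport("RPT-1", "pkgA", IGNORE, NOW + timedelta(days=5)),   # still in force
    VulnerabilityReport("RPT-2", "pkgA", CAUTION, NOW - timedelta(days=1)),  # expired yesterday
    VulnerabilityReport("RPT-3", "pkgB"),                                    # never assessed
    VulnerabilityReport("RPT-4", "pkgC", CAUTION, NOW + timedelta(days=30)), # caution in force
    VulnerabilityReport("RPT-5", "pkgD", BLOCK),                             # permanent block
]

if __name__ == "__main__":
    for pkg in ("pkgA", "pkgB", "pkgC", "pkgD"):
        print(pkg,
              package_decision(pkg, SAMPLE_REPORTS, NOW, block_unassessed=False),
              package_decision(pkg, SAMPLE_REPORTS, NOW, block_unassessed=True))
    print("needs reassessment:", [r.report_id for r in needs_reassessment(SAMPLE_REPORTS, NOW)])
```

Note how pkgA behaves: with the default (non-blocking) setting its expired Caution assessment silently drops out and the package is allowed, which matches the first observation in the question; only with `block_unassessed=True` does the expiry actually bite.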