
Question About Vulnerability Assessment Expiry Behavior in ProGet



  • Hi,
    I have a question about vulnerability assessment in ProGet. When I manually assess a vulnerability, it gets marked as Unassessed after the expiration date, displaying a message like:

    "The vulnerability assessment expired on 4/2/2025 8:00 PM, which means this will be treated as an unassessed vulnerability."

    So, when I manually reassess a vulnerability at the feed level (by defining the scope as the feed policy), it becomes Unassessed after expiry. According to the feed policy, Unassessed vulnerabilities should be Noncompliant and blocked. However, per the global policy, Unassessed is considered Compliant, allowing the package with the vulnerability to be downloaded—even though the feed policy should block it.

    Note that other packages with Unassessed vulnerabilities cannot be downloaded from the feed, but the one that became Unassessed after the assessment expiration remains downloadable within the same feed.

    Is this the expected behavior? How can we ensure that after a vulnerability expires and becomes Unassessed, it follows the feed-level policy instead of the global policy?

    I have also reviewed the documentation here: https://docs.inedo.com/docs/proget/sca/vulnerabilities.

    Thanks in advance!



  • inedo-engineer

    Hi @pooyan-zamanian_1706,

    Sorry for the slow reply, I tried to quickly reproduce it but it worked as expected -- but I must have done something wrong. Then I realized we can just ask for your analysis logs.

    On this particular package, can you do a "Re-Analyze" (in the drop-down button) and then share the logs from that? That will help us identify exactly what's going on.

    But overall you are correct... once an assessment expires, it should be treated as if it were unassessed, which in your case, would mean a noncompliant / blocked package.

    Thanks,
    Alana



  • @atripp Thanks for getting back to me.

    This is the Re-analyze log for the affected package:

    "Package "pkg:nuget/System.Text.Encodings.Web@4.5.0" will analyzed with local data
    Package originates from package gallery (https://api.nuget.org/v3/index.json); remote metadata will be used to determine latest patch version instead of local feed.
    Attempting to update local package with remote metadata...
    No Remote Metadata Provider was found for "https://api.nuget.org/v3/index.json"
    Detecting licenses for "pkg:nuget/System.Text.Encodings.Web@4.5.0"...
    Found 0 licenses:
    Detecting vulnerabilities for "System.Text.Encodings.Web" version "4.5.0"...
    Found 1 vulnerabilities.
    Searching policies associated with feed "v_External"...
    Found 2 policies to use for analysis.
    Policies rules will be applied in following order: Global, v_External
    Beginning license rule analysis...
    Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
    No licenses detected on package; applying undectableLicense rule (Warn)
    License rule analysis complete.
    Package has 1 vulnerabilities.
    Beginning vulnerability rule analysis...
    Checking PGV-2129406 against rules...
    No vulnerability rule specified; applying default rule (Warn) for severity.
    Vulnerability assessment rule analysis complete.
    No policies define a latest patch, so latest patch will not be checked."

    However, under PGV-2129406, it says that Vulnerability Assessment Expired: The vulnerability assessment expired on 4/2/2025 8:00 PM, which means this will be treated as an unassessed vulnerability.

    And per the v_External policy, Unassessed is Noncompliant.

    Should we hold off on the package for a week to allow the rule analysis to take effect? We have another package in the same state that was manually assessed some time ago, but it's now unassessed and, as expected, not downloadable. ("The vulnerability assessment expired on 3/27/2025 8:00 PM, which means this will be treated as an unassesed vulnerability.")

    Please see the Re-analyze log for the other package:
    "Package "pkg:nuget/Refit@7.2.1" will analyzed with remote metadata
    Package originates from package gallery (https://api.nuget.org/v3/index.json); remote metadata will be used to determine latest patch version instead of local feed.
    Detecting licenses for "pkg:nuget/Refit@7.2.1"...
    Found 1 licenses: MIT
    Detecting vulnerabilities for "Refit" version "7.2.1"...
    Found 1 vulnerabilities.
    Searching policies associated with feed "v_External"...
    Found 2 policies to use for analysis.
    Policies rules will be applied in following order: Global, v_External
    Beginning license rule analysis...
    Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
    Checking MIT against rules...
    No matching license rules; applying unspecifiedLicense rule (Compliant)
    License rule analysis complete.
    Package has 1 vulnerabilities.
    Beginning vulnerability rule analysis...
    Checking PGV-2481821 against rules...
    Policy "v_External" considers Unassessed Noncompliant
    Vulnerability assessment rule analysis complete.
    No policies define a latest patch, so latest patch will not be checked."


  • inedo-engineer

    Hi @pooyan-zamanian_1706,

    Thanks for sending this over to us. Just wanted to check, does the PGV-2129406 vulnerability have only a single assessment or is there an overridden assessment for that feed on that vulnerability? Also, are both of these packages in the same feed?

    The log gives us a good starting point to attempt to recreate it, but I just wanted to make sure I have the base conditions set to recreate it.

    Thanks,
    Rich



  • @rhessinger Thanks.

    This is the information for PGV-2129406:

    Assessment:
    High-Critical by System on 4/2/2025 1:00:01 AM
    Caution (for policy: Verified_External) by USER on 4/2/2025 9:11:37 AM
    Expiration
    Caution (Policy) expires on 4/2/2025 8:00:00 PM

    Both packages are in the same feed and in the feed policy, Unassessed is Noncompliant.


  • inedo-engineer

    Hi @pooyan-zamanian_1706,

    Thanks for the additional information. This will take me a bit of time to work through. I should have an update for you tomorrow.

    Thanks,
    Rich


  • inedo-engineer

    Hi @pooyan-zamanian_1706,

    I was able to recreate this issue and have created a new ticket, PG-2946, to track the fix. This should be released in the next maintenance release of ProGet 2024.33. If anything changes, I will let you know.

    Thanks,
    Rich



  • @rhessinger
    Thank you!
    Do you know what the timeline is for the release of ProGet 2024.33?


  • inedo-engineer

    Hi @pooyan-zamanian_1706,

    Sure thing! ProGet 2024.33 is scheduled to release on April 18th. If you need something earlier, we can create a pre-release build as soon as the fix is ready (it's currently going through testing at the moment).

    Thanks,
    Rich



  • @rhessinger
    Cool, thanks for the information.
    April 18th is great.

