Automatic Assesment not working?

Reply to Automatic Assesment not working? on Tue, 21 Apr 2026 13:27:51 GMT

jens.viebig_4541 — Tue, 21 Apr 2026 13:27:51 GMT

We have a Proget Enterprise trial instance and are soon buying a license (ProGet Version 2025.23 (Build 11) (Docker/ Linux))

I wanted to test/evaluate the "Automatic Assessment" functionality
There seems to be a missing link in my setup and the documentation
I have the default assessment types which specifies and automatic assessment rule of setting vulnerabilities with score 9.0 -> 10.0 as Blocked

Now i have setup a maven feed, and downloaded log4j-core 2.14.1 which has a known vulnerability with score 10.0
I would have expected proget to set the assessment automatically to "Blocked" and block the download but it is shown as Unassessed and can be downloaded!

What am I missing ?

Screenshot 2026-04-21 145157.png

Reply to Automatic Assesment not working? on Tue, 21 Apr 2026 21:29:05 GMT

Dan_Woolf — Tue, 21 Apr 2026 21:29:05 GMT

Hi @jens-viebig_4541,

This is because you have not downloaded any versions of log4j-core as of yet. Once at least one version is downloaded, it will become auto-assessed after the next vulnerability database update. This situation is something that is being addressed with the upcoming release of ProGet 2026.

Thanks,
Dan

Reply to Automatic Assesment not working? on Wed, 22 Apr 2026 06:51:01 GMT

jens.viebig_4541 — Wed, 22 Apr 2026 06:51:01 GMT

Hi,
i had already downloaded log4j-core with the "bad" version. I would have expected this to be an immediate action but as you described it is tied to a scheduled job triggered by vulnerability update.

Looking at the feed and packages today shows me that the auto assessment of all the downloaded packages was done overnight.

But does this mean the auto-blocking will never work the first time a package is downloaded? The auto blocking will always only kick in after the next vulnerability update ??

I hope that logic does not apply to the malicious package blocking as well...