
Automatic Assessment not working?



  • We have a ProGet Enterprise trial instance and are soon buying a license (ProGet Version 2025.23 (Build 11) (Docker/Linux)).

    I wanted to test/evaluate the "Automatic Assessment" functionality.
    There seems to be a missing link in my setup and the documentation.
    I have the default assessment types, which specify an automatic assessment rule of setting vulnerabilities with score 9.0 -> 10.0 as Blocked.

    Now I have set up a Maven feed and downloaded log4j-core 2.14.1, which has a known vulnerability with score 10.0.
    I would have expected ProGet to set the assessment automatically to "Blocked" and block the download, but it is shown as Unassessed and can be downloaded!

    What am I missing?



  • inedo-engineer

    Hi @jens-viebig_4541,

    This is because you have not downloaded any versions of log4j-core as of yet. Once at least one version is downloaded, it will become auto-assessed after the next vulnerability database update. This situation is something that is being addressed with the upcoming release of ProGet 2026.

    Thanks,
    Dan



  • Hi,
    I had already downloaded log4j-core with the "bad" version. I would have expected this to be an immediate action, but as you described it is tied to a scheduled job triggered by the vulnerability update.

    Looking at the feed and packages today shows me that the auto-assessment of all the downloaded packages was done overnight.

    But does this mean the auto-blocking will never work the first time a package is downloaded? Will the auto-blocking always only kick in after the next vulnerability update?

    I hope that logic does not apply to the malicious package blocking as well... 😨
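The window described in this thread (a downloaded package with a known score-10.0 vulnerability that stays "Unassessed" until the next vulnerability database update) can be audited from an inventory of the feed. The following is an added example, not ProGet's own code or API: it models the assessment rule from the thread (9.0 -> 10.0 = Blocked; the lower bands are assumed) over a constructed package inventory and reports every package that the rule would block but that is not yet marked Blocked.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assessment thresholds, highest first. The 9.0 -> 10.0 = Blocked band is the
# rule quoted in the thread; the lower bands are assumptions for completeness.
ASSESSMENT_THRESHOLDS = [
    (9.0, "Blocked"),
    (7.0, "Caution"),   # assumed band
    (0.0, "Noise"),     # assumed band
]

@dataclass
class PackageRecord:
    name: str
    version: str
    max_cvss: Optional[float]   # highest known score, None if no known vulnerability
    assessment: str             # status currently shown in the feed, e.g. "Unassessed"

def expected_assessment(score: Optional[float]) -> Optional[str]:
    """Assessment the rule table would assign to a score (None when no vulnerability)."""
    if score is None:
        return None
    for threshold, label in ASSESSMENT_THRESHOLDS:
        if score >= threshold:
            return label
    return None

def find_assessment_gaps(records: List[PackageRecord]) -> List[Tuple[str, str, float, str]]:
    """Packages the rule would block that are not yet marked Blocked.

    Each entry is the exposure window from the thread: downloaded, vulnerable,
    but still downloadable until the scheduled auto-assessment runs."""
    gaps = []
    for r in records:
        if expected_assessment(r.max_cvss) == "Blocked" and r.assessment != "Blocked":
            gaps.append((r.name, r.version, r.max_cvss, r.assessment))
    return gaps

# Constructed sample inventory (not ProGet output); scores are illustrative.
SAMPLE_FEED = [
    PackageRecord("org.apache.logging.log4j:log4j-core", "2.14.1", 10.0, "Unassessed"),
    PackageRecord("org.apache.logging.log4j:log4j-core", "2.17.1", None, "Unassessed"),
    PackageRecord("com.example:legacy-lib", "1.0.0", 9.8, "Blocked"),
    PackageRecord("com.example:mid-lib", "2.3.0", 7.5, "Unassessed"),
]

if __name__ == "__main__":
    for gap in find_assessment_gaps(SAMPLE_FEED):
        print("GAP (blockable but not blocked):", gap)
```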

