Hi,
I have a question about vulnerability assessment in ProGet. When I manually assess a vulnerability, it gets marked as Unassessed after the expiration date, displaying a message like:
"The vulnerability assessment expired on 4/2/2025 8:00 PM, which means this will be treated as an unassessed vulnerability."
So, when I manually reassess a vulnerability at the feed level (by defining the scope as the feed policy), it becomes Unassessed after expiry. According to the feed policy, Unassessed vulnerabilities should be Noncompliant and blocked. However, per the global policy, Unassessed is considered Compliant, allowing the package with the vulnerability to be downloaded, even though the feed policy should block it.
Note that other packages with Unassessed vulnerabilities cannot be downloaded from the feed, but the one that became Unassessed after the assessment expiration remains downloadable within the same feed.
Is this the expected behavior? How can we ensure that after a vulnerability expires and becomes Unassessed, it follows the feed-level policy instead of the global policy?
I have also reviewed the documentation here: https://docs.inedo.com/docs/proget/sca/vulnerabilities.
Thanks in advance!