    Inedo Community Forums
    pooyan.zamanian_1706

    @pooyan.zamanian_1706
    Latest posts made by pooyan.zamanian_1706

    • RE: Question About Vulnerability Assessment Expiry Behavior in ProGet

      @rhessinger
      Cool, thanks for the information.
      April 18th is great.

      posted in Support
      pooyan.zamanian_1706
    • RE: Question About Vulnerability Assessment Expiry Behavior in ProGet

      @rhessinger
      Thank you!
      Do you know what the timeline is for the release of ProGet 2024.33?

      posted in Support
      pooyan.zamanian_1706
    • RE: Question About Vulnerability Assessment Expiry Behavior in ProGet

      @rhessinger Thanks.

      This is the information for PGV-2129406

      Assessment:
      High-Critical by System on 4/2/2025 1:00:01 AM
      Caution (for policy: Verified_External) by USER on 4/2/2025 9:11:37 AM
      Expiration
      Caution (Policy) expires on 4/2/2025 8:00:00 PM

      Both packages are in the same feed and in the feed policy, Unassessed is Noncompliant.

      posted in Support
      pooyan.zamanian_1706
    • RE: Question About Vulnerability Assessment Expiry Behavior in ProGet

      @atripp Thanks for getting back to me.

      This is the Re-analyze log for the affected package:

      "Package "pkg:nuget/System.Text.Encodings.Web@4.5.0" will analyzed with local data
      Package originates from package gallery (https://api.nuget.org/v3/index.json); remote metadata will be used to determine latest patch version instead of local feed.
      Attempting to update local package with remote metadata...
      No Remote Metadata Provider was found for "https://api.nuget.org/v3/index.json"
      Detecting licenses for "pkg:nuget/System.Text.Encodings.Web@4.5.0"...
      Found 0 licenses:
      Detecting vulnerabilities for "System.Text.Encodings.Web" version "4.5.0"...
      Found 1 vulnerabilities.
      Searching policies associated with feed "v_External"...
      Found 2 policies to use for analysis.
      Policies rules will be applied in following order: Global, v_External
      Beginning license rule analysis...
      Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
      No licenses detected on package; applying undectableLicense rule (Warn)
      License rule analysis complete.
      Package has 1 vulnerabilities.
      Beginning vulnerability rule analysis...
      Checking PGV-2129406 against rules...
      No vulnerability rule specified; applying default rule (Warn) for severity.
      Vulnerability assessment rule analysis complete.
      No policies define a latest patch, so latest patch will not be checked."

      However, under PGV-2129406, it says that Vulnerability Assessment Expired: The vulnerability assessment expired on 4/2/2025 8:00 PM, which means this will be treated as an unassessed vulnerability.

      And per the v_External policy, Unassessed is Noncompliant.

      Should we hold off on the package for a week to allow the rule analysis to take effect? We have another package in the same state that was manually assessed some time ago, but it's now unassessed and, as expected, not downloadable. ("The vulnerability assessment expired on 3/27/2025 8:00 PM, which means this will be treated as an unassesed vulnerability.")

      Please see the Re-analyze log for the other package:
      "Package "pkg:nuget/Refit@7.2.1" will analyzed with remote metadata
      Package originates from package gallery (https://api.nuget.org/v3/index.json); remote metadata will be used to determine latest patch version instead of local feed.
      Detecting licenses for "pkg:nuget/Refit@7.2.1"...
      Found 1 licenses: MIT
      Detecting vulnerabilities for "Refit" version "7.2.1"...
      Found 1 vulnerabilities.
      Searching policies associated with feed "v_External"...
      Found 2 policies to use for analysis.
      Policies rules will be applied in following order: Global, v_External
      Beginning license rule analysis...
      Default rules: undectableLicense=Warn, unspecifiedLicense=Compliant
      Checking MIT against rules...
      No matching license rules; applying unspecifiedLicense rule (Compliant)
      License rule analysis complete.
      Package has 1 vulnerabilities.
      Beginning vulnerability rule analysis...
      Checking PGV-2481821 against rules...
      Policy "v_External" considers Unassessed Noncompliant
      Vulnerability assessment rule analysis complete.
      No policies define a latest patch, so latest patch will not be checked."

      posted in Support
      pooyan.zamanian_1706
    • Question About Vulnerability Assessment Expiry Behavior in ProGet

      Hi,
      I have a question about vulnerability assessment in ProGet. When I manually assess a vulnerability, it gets marked as Unassessed after the expiration date, displaying a message like:

      "The vulnerability assessment expired on 4/2/2025 8:00 PM, which means this will be treated as an unassessed vulnerability."

      So, when I manually reassess a vulnerability at the feed level (by defining the scope as the feed policy), it becomes Unassessed after expiry. According to the feed policy, Unassessed vulnerabilities should be Noncompliant and blocked. However, per the global policy, Unassessed is considered Compliant, allowing the package with the vulnerability to be downloaded—even though the feed policy should block it.

      Note that other packages with Unassessed vulnerabilities cannot be downloaded from the feed, but the one that became Unassessed after the assessment expiration remains downloadable within the same feed.

      Is this the expected behavior? How can we ensure that after a vulnerability expires and becomes Unassessed, it follows the feed-level policy instead of the global policy?

      I have also reviewed the documentation here: https://docs.inedo.com/docs/proget/sca/vulnerabilities.

      Thanks in advance!

      posted in Support
      pooyan.zamanian_1706
    • RE: nuget.org connector disappears

      @atripp Thanks so much for the information

      posted in Support
      pooyan.zamanian_1706
    • RE: nuget.org connector disappears

      @atripp
      Please note that local connectors are fine, public connectors to nuget.org are deleted.

      posted in Support
      pooyan.zamanian_1706
    • RE: nuget.org connector disappears

      @atripp
      Thanks for replying.
      Yes, the connector is no longer in the connectors of the feed. It's totally removed and I cannot find any log or job related to the removal.

      posted in Support
      pooyan.zamanian_1706
    • nuget.org connector disappears

      Whenever we add a public connector (https://api.nuget.org/v3/index.json) to a feed, it works fine for a few hours and then it disappears after some time (usually within a day).
      I've checked all the Diagnostic Center logs, jobs, event logs and executions but haven’t found any clues so far.
      Can anyone help with this issue?

      posted in Support
      pooyan.zamanian_1706
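The expiry gap raised in the "Vulnerability Assessment Expiry Behavior" thread above (an expired assessment that the UI treats as Unassessed while the Re-analyze log still applies the default severity rule) can be audited from the Re-analyze logs themselves. The following is an added example, not code from the forum posts or from ProGet; the log excerpts are constructed from the lines quoted in the thread, and the set of PGV ids the UI reports as expired is passed in by hand because the log does not carry it.

```python
import re

# Constructed sample input: the relevant lines of the two ProGet "Re-analyze"
# logs quoted in the thread (trimmed, not complete logs).
LOG_EXPIRED = """Package "pkg:nuget/System.Text.Encodings.Web@4.5.0" will analyzed with local data
Policies rules will be applied in following order: Global, v_External
Checking PGV-2129406 against rules...
No vulnerability rule specified; applying default rule (Warn) for severity.
Vulnerability assessment rule analysis complete."""

LOG_UNASSESSED = """Package "pkg:nuget/Refit@7.2.1" will analyzed with remote metadata
Policies rules will be applied in following order: Global, v_External
Checking PGV-2481821 against rules...
Policy "v_External" considers Unassessed Noncompliant
Vulnerability assessment rule analysis complete."""

PKG_RE = re.compile(r'^Package "(pkg:[^"]+)" will')
ORDER_RE = re.compile(r'applied in following order: (.+)$')
CHECK_RE = re.compile(r'^Checking (PGV-\d+) against rules')
DEFAULT_RE = re.compile(r'applying default rule \((\w+)\)')
POLICY_RE = re.compile(r'^Policy "([^"]+)" considers (\w+) (\w+)')


def parse_reanalyze_log(text):
    """Return the package purl, policy order and {vuln id: (rule source, verdict)}."""
    report = {"package": None, "policies": [], "vulns": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := PKG_RE.match(line):
            report["package"] = m.group(1)
        elif m := ORDER_RE.search(line):
            report["policies"] = [p.strip() for p in m.group(1).split(",")]
        elif m := CHECK_RE.match(line):
            current = m.group(1)
        elif current and (m := DEFAULT_RE.search(line)):
            # Only the default severity rule fired: no policy saw the vuln as Unassessed.
            report["vulns"][current] = ("default", m.group(1))
        elif current and (m := POLICY_RE.match(line)):
            # A named policy matched, e.g. v_External treating Unassessed as Noncompliant.
            report["vulns"][current] = (m.group(1), m.group(3))
    return report


def expired_but_not_blocked(report, expired_ids, feed_policy):
    """Vuln ids the UI reports as expired (hence unassessed) whose log verdict did not
    come from the feed policy's Unassessed rule: the inconsistency raised in the thread."""
    return sorted(v for v, (src, verdict) in report["vulns"].items()
                  if v in expired_ids and (src, verdict) != (feed_policy, "Noncompliant"))
```

Run over a set of Re-analyze logs plus the expired ids copied from the vulnerability pages, a non-empty result lists the packages that remain downloadable despite the feed policy's Unassessed = Noncompliant rule.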