Are Chocolatey feeds included in the vulnerability scanning in the new ProGet 2024 (currently running 2024.2)?
I pulled a sample package (.NET Core 8.0.1, package name 'dotnet'). This has some CVEs listed against it (e.g. https://www.cve.org/CVERecord?id=CVE-2024-21392), but ProGet shows 'None' under vulnerabilities.
Is this the intended behaviour or am I missing something in my configuration for this to work?