    Inedo Community Forums
    cssccmgroup_4090


    Latest posts made by cssccmgroup_4090

    • RE: ProGet 2026.1 (PostgreSQL) — Two issues with vulnerability management

      Hi @Dan_Woolf,

      Thank you for the quick turnaround on both fixes.

      We would prefer not to share the SBOM here, as it contains our dependency list. Is there a way for me to share the SBOM directly with you instead of posting it here?

      posted in Support
      cssccmgroup_4090
    • ProGet 2026.1 (PostgreSQL) — Two issues with vulnerability management

      Environment:

      ProGet 2026.1
      PostgreSQL database
      Upgraded from 2025.27

      Issue 1: Custom assessment type creation fails with 500 error

      When attempting to create a custom assessment type using CVSS score ranges under Admin → Vulnerabilities & Assessment Types, ProGet returns a 500 error:

      42809: PgvdAssessmentTypes_CreateOrUpdateAssessmentType(character varying, integer, 
      character, integer, character varying, boolean, character varying, text, integer) 
      is not a procedure POSITION: 6

      Steps to reproduce:

      1. Go to Admin → Vulnerabilities & Assessment Types
      2. Click "Create Custom Assessment Type"
      3. Set Apply To = CVSS Score range
      4. Save

      Expected: Custom assessment type created successfully

      Actual: 500 error with PostgreSQL error 42809

      Issue 2: /api/sca/releases returns all build-level vulnerabilities on every package

      When calling GET /api/sca/releases?project=X&version=Y, the vulnerabilities array on each package contains all vulnerabilities from the entire build instead of only the ones that apply to that specific package.

      Example from our build (228 packages):

      The package @types/core-js@0.9.46 has this in the response:

      {
        "purl": "pkg:npm/%40types/core-js@0.9.46",
        "compliance": {
          "result": "Warn",
          "detail": "Vulnerability (PGV-2129406);Vulnerability (PGV-2220427);Vulnerability (PGV-22381DM)",
          "date": "2026-05-28T22:30:01.695805Z"
        },
        "vulnerabilities": [
          { "id": "PGV-262965T", "title": "uuid: Missing buffer bounds check..." },
          { "id": "PGV-2444748", "title": "ws affected by a DoS..." },
          { "id": "PGV-2031843", "title": "Potential XSS vulnerability in jQuery..." }
          // ... 80+ more entries, none of which are PGV-2129406, PGV-2220427, or PGV-22381DM
        ]
      }

      Both the vulnerabilities array and compliance.detail appear to return the same build-level data on every package. For example, @types/core-js@0.9.46 shows PGV-2129406, PGV-2220427, PGV-22381DM in its compliance.detail, but so does every other package in the build. Neither field reflects per-package vulnerability data.

      Every single package in the build has an identical vulnerabilities array with 80+ entries regardless of what actually applies to it.

      The UI Vulnerabilities tab shows the correct data — only 3 packages with Remediate issues. So the underlying data is correct, but the API response is not reflecting it accurately.

      This worked correctly in 2025.x where the vulnerabilities array contained only per-package vulnerabilities.

      Impact: Any script or integration using /api/sca/releases to generate per-package vulnerability reports produces incorrect output.

      posted in Support
      cssccmgroup_4090
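A consistency check that a release-report script can run over the package objects from a /api/sca/releases response before trusting them per package, added here as an example and not code from the post or from Inedo. It assumes each package object carries the purl, compliance.detail and vulnerabilities fields shown in the post; the sample data below is constructed, reusing the PGV ids the post quotes.

```python
import re
from typing import Dict, List

# Matches the "Vulnerability (PGV-...)" entries in compliance.detail.
_PGV_RE = re.compile(r"Vulnerability \((PGV-[0-9A-Z]+)\)")


def detail_ids(package: dict) -> frozenset:
    """PGV ids named in a package's compliance.detail string."""
    detail = (package.get("compliance") or {}).get("detail") or ""
    return frozenset(_PGV_RE.findall(detail))


def vuln_ids(package: dict) -> frozenset:
    """PGV ids present in a package's vulnerabilities array."""
    return frozenset(v["id"] for v in package.get("vulnerabilities") or [])


def audit_packages(packages: List[dict]) -> Dict[str, object]:
    """Flag the two symptoms from the post before a per-package report is trusted:
    identical_arrays: two or more packages carry exactly the same vulnerabilities array;
    detail_mismatches: purls whose compliance.detail names ids absent from that array."""
    id_sets = [vuln_ids(p) for p in packages]
    identical = len(id_sets) > 1 and len(set(id_sets)) == 1
    mismatches = [p["purl"] for p in packages if not detail_ids(p) <= vuln_ids(p)]
    return {"identical_arrays": identical, "detail_mismatches": mismatches}


# Constructed sample shaped like the defective response in the post: both packages
# carry the same build-level array, and the ids named in compliance.detail never
# appear in it. The second purl is made up; the PGV ids are the ones the post quotes.
BROKEN = [
    {"purl": "pkg:npm/%40types/core-js@0.9.46",
     "compliance": {"result": "Warn",
                    "detail": "Vulnerability (PGV-2129406);Vulnerability (PGV-2220427)"},
     "vulnerabilities": [{"id": "PGV-262965T"}, {"id": "PGV-2444748"}]},
    {"purl": "pkg:npm/example-pkg@1.0.0",
     "compliance": {"result": "Warn",
                    "detail": "Vulnerability (PGV-2129406);Vulnerability (PGV-2220427)"},
     "vulnerabilities": [{"id": "PGV-262965T"}, {"id": "PGV-2444748"}]},
]

# Constructed sample of the per-package shape the post says 2025.x produced.
HEALTHY = [
    {"purl": "pkg:npm/%40types/core-js@0.9.46",
     "compliance": {"detail": "Vulnerability (PGV-2129406)"},
     "vulnerabilities": [{"id": "PGV-2129406"}]},
    {"purl": "pkg:npm/example-pkg@1.0.0", "compliance": {"detail": ""}, "vulnerabilities": []},
]
```

Running audit_packages over the real response (after extracting its package list) gives a quick signal that the endpoint is returning build-level data, so a report generator can fail loudly instead of emitting identical findings for every package.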