Hi @Dan_Woolf,
Thank you for the quick turnaround on both fixes.
We would prefer not to share the SBOM here, as it contains our dependency list. Is there a way for me to share the SBOM directly with you instead of posting it here?
Environment:
ProGet 2026.1
PostgreSQL database
Upgraded from 2025.27
Issue 1: Custom assessment type creation fails with 500 error
When attempting to create a custom assessment type using CVSS score ranges under Admin → Vulnerabilities & Assessment Types, ProGet returns a 500 error:
42809: PgvdAssessmentTypes_CreateOrUpdateAssessmentType(character varying, integer, character, integer, character varying, boolean, character varying, text, integer) is not a procedure POSITION: 6
Steps to reproduce:
Expected: Custom assessment type created successfully
Actual: 500 error with PostgreSQL error 42809
Issue 2: /api/sca/releases returns all build-level vulnerabilities on every package
When calling GET /api/sca/releases?project=X&version=Y, the vulnerabilities array on each package contains all vulnerabilities from the entire build instead of only the ones that apply to that specific package.
Example from our build (228 packages):
The package @types/core-js@0.9.46 has this in the response:
{
"purl": "pkg:npm/%40types/core-js@0.9.46",
"compliance": {
"result": "Warn",
"detail": "Vulnerability (PGV-2129406);Vulnerability (PGV-2220427);Vulnerability (PGV-22381DM)",
"date": "2026-05-28T22:30:01.695805Z"
},
"vulnerabilities": [
{ "id": "PGV-262965T", "title": "uuid: Missing buffer bounds check..." },
{ "id": "PGV-2444748", "title": "ws affected by a DoS..." },
{ "id": "PGV-2031843", "title": "Potential XSS vulnerability in jQuery..." }
// ... 80+ more entries, none of which are PGV-2129406, PGV-2220427, or PGV-22381DM
]
}
Both the vulnerabilities array and compliance.detail appear to return the same build-level data on every package. For example, @types/core-js@0.9.46 shows PGV-2129406, PGV-2220427, PGV-22381DM in its compliance.detail, but so does every other package in the build. Neither field reflects per-package vulnerability data.
Every single package in the build has an identical vulnerabilities array with 80+ entries regardless of what actually applies to it.
The UI Vulnerabilities tab shows the correct data — only 3 packages with Remediate issues. So the underlying data is correct, but the API response is not reflecting it accurately.
This worked correctly in 2025.x where the vulnerabilities array contained only per-package vulnerabilities.
Impact: Any script or integration using /api/sca/releases to generate per-package vulnerability reports produces incorrect output.
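Added example for Issue 2, not ProGet's code and not from the poster: a guard that a report script can run over the package list from /api/sca/releases before trusting it. It checks for the two symptoms described above (every package carrying the identical vulnerabilities array, and compliance.detail citing PGV ids that the same package's vulnerabilities array does not contain) and refuses to emit a per-package report when either is present. It assumes the per-package shape shown in the excerpt (purl, compliance.detail with semicolon-separated "Vulnerability (PGV-...)" entries, vulnerabilities as a list of {id, title}); how the package list is nested in the full response is not shown in the post, so check_release() takes the already-extracted list. The sample data is constructed to mirror the excerpt; the purls and versions in it are made up.

```python
"""Guard for scripts that build per-package vulnerability reports from ProGet's
/api/sca/releases output.

Added example: not ProGet's code and not from the original post. Assumes each
package object looks like the excerpt in the post (purl, compliance.detail,
vulnerabilities as a list of {id, title}); the nesting of the package list in the
full response is an assumption, so check_release() takes the extracted list.
"""
import re
from typing import Any

PGV_ID = re.compile(r"PGV-[A-Z0-9]+")


def detail_ids(package: dict[str, Any]) -> set[str]:
    """PGV ids named in compliance.detail, e.g. 'Vulnerability (PGV-2129406);...'."""
    detail = (package.get("compliance") or {}).get("detail") or ""
    return set(PGV_ID.findall(detail))


def vuln_ids(package: dict[str, Any]) -> set[str]:
    """PGV ids listed in the package's own vulnerabilities array."""
    return {v["id"] for v in package.get("vulnerabilities") or []}


def check_release(packages: list[dict[str, Any]]) -> dict[str, Any]:
    """Return findings that indicate build-level data leaked into every package.

    An empty dict means the two per-package fields are at least self-consistent.
    """
    findings: dict[str, Any] = {}

    # Symptom 1 from the post: every package carries the identical, non-empty array.
    arrays = {frozenset(vuln_ids(p)) for p in packages}
    if len(packages) > 1 and len(arrays) == 1 and next(iter(arrays)):
        findings["identical_vulnerabilities"] = len(packages)

    # Symptom 2: compliance.detail cites ids missing from the same package's array.
    mismatched = []
    for p in packages:
        missing = detail_ids(p) - vuln_ids(p)
        if missing:
            mismatched.append((p["purl"], sorted(missing)))
    if mismatched:
        findings["detail_not_in_vulnerabilities"] = mismatched
    return findings


def per_package_report(packages: list[dict[str, Any]]) -> dict[str, list[str]]:
    """purl -> sorted vulnerability ids, refusing to report from suspect data."""
    findings = check_release(packages)
    if findings:
        raise ValueError(f"response does not look per-package: {findings}")
    return {p["purl"]: sorted(vuln_ids(p)) for p in packages}


# Constructed sample mirroring the post: three packages, all with the same build-wide
# array and the same compliance.detail, none of whose ids appear in that array.
BUILD_WIDE = [
    {"id": "PGV-262965T", "title": "uuid: Missing buffer bounds check..."},
    {"id": "PGV-2444748", "title": "ws affected by a DoS..."},
    {"id": "PGV-2031843", "title": "Potential XSS vulnerability in jQuery..."},
]
BROKEN_DETAIL = ("Vulnerability (PGV-2129406);Vulnerability (PGV-2220427);"
                 "Vulnerability (PGV-22381DM)")
SAMPLE_BROKEN = [
    {"purl": purl,
     "compliance": {"result": "Warn", "detail": BROKEN_DETAIL},
     "vulnerabilities": list(BUILD_WIDE)}
    for purl in ("pkg:npm/%40types/core-js@0.9.46",   # purl from the post
                 "pkg:npm/uuid@3.0.0", "pkg:npm/ws@5.0.0")  # made-up purls
]

# Constructed healthy sample: each package lists only its own ids and detail agrees.
SAMPLE_OK = [
    {"purl": "pkg:npm/uuid@3.0.0",
     "compliance": {"result": "Warn", "detail": "Vulnerability (PGV-262965T)"},
     "vulnerabilities": [BUILD_WIDE[0]]},
    {"purl": "pkg:npm/ws@5.0.0",
     "compliance": {"result": "Warn", "detail": "Vulnerability (PGV-2444748)"},
     "vulnerabilities": [BUILD_WIDE[1]]},
]

if __name__ == "__main__":
    print("broken:", check_release(SAMPLE_BROKEN))
    print("ok:", check_release(SAMPLE_OK), per_package_report(SAMPLE_OK))
```

The identical-array check alone would also fire on a build where every package genuinely shares one advisory, so the second check (detail ids absent from the package's own array) is the one that distinguishes the bug in the post from a legitimately uniform build; failing closed on either keeps a CI job from publishing a report that lists 80+ findings against a types-only package.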