RE: Automatic Assesment not working?

Hi,
i had already downloaded log4j-core with the "bad" version. I would have expected this to be an immediate action but as you described it is tied to a scheduled job triggered by vulnerability update.

Looking at the feed and packages today shows me that the auto assessment of all the downloaded packages was done overnight.

But does this mean the auto-blocking will never work the first time a package is downloaded? The auto blocking will always only kick in after the next vulnerability update ??

I hope that logic does not apply to the malicious package blocking as well...

We have a Proget Enterprise trial instance and are soon buying a license (ProGet Version 2025.23 (Build 11) (Docker/ Linux))

I wanted to test/evaluate the "Automatic Assessment" functionality
There seems to be a missing link in my setup and the documentation
I have the default assessment types which specifies and automatic assessment rule of setting vulnerabilities with score 9.0 -> 10.0 as Blocked

Now i have setup a maven feed, and downloaded log4j-core 2.14.1 which has a known vulnerability with score 10.0
I would have expected proget to set the assessment automatically to "Blocked" and block the download but it is shown as Unassessed and can be downloaded!

What am I missing ?

Screenshot 2026-04-21 145157.png