We tested the download of a "flagged" (or at least "not approved") package from Chocolatey, but ProGet does not flag it as vulnerable, and it is not clearly visible that there are issues related to this package:
choco install crystalreports2008runtime
Chocolatey Report:
Some Checks Have Failed or Are Not Yet Complete
Not All Tests Have Passed
• Validation Testing Unknown
• Verification Testing Failed
• Details
Scan Testing Resulted in Flagged:
This package was submitted (and approved) prior to automated virus scanning integration into the package moderation process.
We recommend clicking the "Details" link to make your own decision on installing this package.
The Chocolatey API returns the following information:
<d:IsApproved m:type="Edm.Boolean">false</d:IsApproved>
<d:PackageValidationResultStatus>Unknown</d:PackageValidationResultStatus>
<d:PackageScanStatus>Flagged</d:PackageScanStatus>
<d:PackageScanFlagResult>Unknown</d:PackageScanFlagResult>
In such cases, we would expect a vulnerability alert in ProGet and a blocked download. Instead, ProGet downloads this package and doesn't flag it at all.
We kindly ask Inedo to confirm whether this behavior is a bug or a known limitation in the current version, and whether it will be addressed.
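As an added example (not code from the original post, nor Inedo's or Chocolatey's own tooling), the following script shows how to read the same OData fields quoted above and gate a package before it reaches an internal feed. The sample feed XML is constructed to mirror the fields in the post; the query URL form, the set of PackageScanStatus values checked, and the block/warn/allow policy are assumptions, not a documented Chocolatey or ProGet rule.

```python
# Added example: parse Chocolatey's OData v2 package entry and decide whether
# the package should be admitted to an internal feed. Not the original post's
# code and not Inedo/Chocolatey tooling; the policy below is an assumption.
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Standard Atom / OData v2 namespaces used by NuGet-style v2 feeds
NS = {
    "atom": "http://www.w3.org/2005/Atom",
    "m": "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata",
    "d": "http://schemas.microsoft.com/ado/2007/08/dataservices",
}

# The moderation/scan properties quoted in the post
FIELDS = (
    "IsApproved",
    "PackageValidationResultStatus",
    "PackageScanStatus",
    "PackageScanFlagResult",
)

# Constructed sample feed reproducing the values seen for the package above.
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
      xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
  <entry>
    <title type="text">crystalreports2008runtime</title>
    <m:properties>
      <d:IsApproved m:type="Edm.Boolean">false</d:IsApproved>
      <d:PackageValidationResultStatus>Unknown</d:PackageValidationResultStatus>
      <d:PackageScanStatus>Flagged</d:PackageScanStatus>
      <d:PackageScanFlagResult>Unknown</d:PackageScanFlagResult>
    </m:properties>
  </entry>
</feed>
"""


def parse_entries(feed_xml):
    """Return one dict per <entry> containing the package id and FIELDS."""
    root = ET.fromstring(feed_xml)
    records = []
    for entry in root.findall("atom:entry", NS):
        props = entry.find("m:properties", NS)
        record = {"Id": entry.findtext("atom:title", default="", namespaces=NS)}
        for name in FIELDS:
            node = props.find(f"d:{name}", NS) if props is not None else None
            record[name] = (node.text or "").strip() if node is not None else ""
        records.append(record)
    return records


def gate(record):
    """Return ('block' | 'warn' | 'allow', reason).

    Assumed policy: a Flagged scan or an unapproved package is blocked; an
    approved package whose scan is NotFlagged or Exempted is allowed; any
    other combination (e.g. Investigating, Unknown, missing) only warns.
    """
    approved = record.get("IsApproved", "").lower() == "true"
    scan = record.get("PackageScanStatus", "")
    if scan == "Flagged":
        return "block", "PackageScanStatus is Flagged"
    if not approved:
        return "block", "IsApproved is false"
    if scan in ("NotFlagged", "Exempted"):
        return "allow", f"approved and PackageScanStatus is {scan}"
    return "warn", f"approved but PackageScanStatus is {scan or 'missing'}"


def evaluate_feed(feed_xml):
    """Gate every entry in a feed document: [(id, decision, reason), ...]."""
    return [(r["Id"], *gate(r)) for r in parse_entries(feed_xml)]


def fetch_feed(package_id, base="https://community.chocolatey.org/api/v2"):
    """Fetch the latest entry for package_id (assumed v2 query form; online)."""
    flt = urllib.parse.quote(f"Id eq '{package_id}' and IsLatestVersion")
    with urllib.request.urlopen(f"{base}/Packages()?$filter={flt}") as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # fetch_feed("crystalreports2008runtime") to query the live feed.
    for pkg, decision, reason in evaluate_feed(SAMPLE_FEED):
        print(f"{pkg}: {decision} ({reason})")
```

Running this against the constructed sample yields a "block" decision because PackageScanStatus is Flagged, which is the outcome the post expected from ProGet; the same check can run as a pre-approval step in front of a connector until the feed itself surfaces these fields.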