[Machine] EPSS in SCA advisories and vulnerabilities
Problem to solve
Use EPSS scores and percentiles in SCA advisories and vulnerabilities
Intended users
Skims users
Permissions and Security
Proposal
Improve risk assessment using the EPSS score, which estimates the likelihood that a vulnerability will be exploited, expressed as a probability between 0% and 100%. The higher the score, the more likely the vulnerability is to be exploited in the wild within the next 30 days.
Test plan
Steps
- Look for a source to get EPSS scores, such as https://api.first.org/epss/ or https://www.first.org/epss/data_stats.html
- Add the data to the advisories during the SCA scheduler
- Use this score in integrates SCA vulnerabilities reported by machine
- Show it in the platform in the AdditionalInfo modal for all reports that have a score higher than zero
- Show the EPSS score when a user downloads a report (Excel and PDF)
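As an added example (not code from this issue or the project), the steps above end to end: parse an EPSS API response, attach score and percentile to advisories, apply the "higher than zero" display rule, and render the value for a report. The response layout (`status`, `data[].cve/epss/percentile/date`, values as strings in 0..1) is assumed from the public api.first.org service; the CVE ids, scores and the advisory schema (`id`, `cve`) are constructed for the example.

```python
import json

# Constructed sample response in the shape returned by https://api.first.org/epss/
# (fields: cve, epss, percentile, date). CVE ids and values are made up for this
# example; the real service returns "epss" and "percentile" as strings in 0..1.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-0000-0001", "epss": "0.97000", "percentile": "0.99900", "date": "2024-01-01"},
        {"cve": "CVE-0000-0002", "epss": "0.00000", "percentile": "0.01000", "date": "2024-01-01"},
    ],
})


def parse_epss(raw: str) -> dict:
    """Map CVE id -> (epss, percentile) as floats; skip rows the API did not score."""
    payload = json.loads(raw)
    if payload.get("status") != "OK":
        raise ValueError(f"EPSS lookup failed: {payload.get('status')}")
    scores = {}
    for row in payload.get("data", []):
        try:
            scores[row["cve"]] = (float(row["epss"]), float(row["percentile"]))
        except (KeyError, ValueError):
            continue  # malformed row: leave that advisory unscored instead of failing the scheduler
    return scores


def enrich_advisories(advisories: list, scores: dict) -> list:
    """Attach epss/percentile to each advisory (hypothetical schema: id, cve)."""
    enriched = []
    for adv in advisories:
        epss, pct = scores.get(adv.get("cve"), (None, None))
        enriched.append({**adv, "epss": epss, "epss_percentile": pct})
    return enriched


def show_in_additional_info(advisory: dict) -> bool:
    """Only advisories with a score above zero are shown in the AdditionalInfo modal."""
    return advisory.get("epss") is not None and advisory["epss"] > 0.0


def format_epss(advisory: dict) -> str:
    """Report rendering (Excel/PDF): probability as a percentage plus percentile rank."""
    if advisory.get("epss") is None:
        return "EPSS: n/a"
    return f"EPSS: {advisory['epss'] * 100:.2f}% (percentile {advisory['epss_percentile'] * 100:.1f})"
```

Advisories whose CVE is missing from the response keep `epss = None`, so a partial or stale download never shows as a zero-probability finding.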
What does success look like, and how can we measure that?
Users have an additional measure of the risk of each vulnerability, and it gives us a basis for further functionality related to risk assessment.
Edited by Fabio Lagos