Design: Show EPSS, CVSS, KEV for CVEs
We are introducing three metrics that are important to making risk-based prioritization decisions when triaging dependency and container scanning vulnerabilities. These are Exploit Prediction Scoring System (EPSS), Known Exploited Vulnerabilities (KEV) and Common Vulnerability Scoring System (CVSS). These metrics will significantly improve efficiency in triage and prioritization workflows.
Release notes
Efficiently prioritize risks across your dependency and container image vulnerabilities using EPSS, KEV and CVSS. We are introducing three metrics, Exploit Prediction Scoring System (EPSS), Known Exploited Vulnerabilities (KEV) and Common Vulnerability Scoring System (CVSS), to the user interface to improve the ability to prioritize and triage CVEs.
Other considerations
- PM would also like to get insight into the Vulnerability report filter. Is this something that we can add new parameters to? If so, it would be great to add EPSS.
- In the near term we will be adding the following data points that I believe will need to live on the vulnerability report table in some way:
- EPSS (this issue, in progress for MVC to show in API response)
- Static Reachability MVC - this designates if a vulnerability is reachable
- KEV - this is an indicator True/False to denote if a vuln has been exploited
- Dynamic [Runtime] Reachability - this designates if a vulnerability is reachable
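As an added example, not part of this design note or the product's own code, of how the EPSS, KEV and CVSS data points could drive a triage order and an EPSS filter on the report: the ordering policy (KEV first, then EPSS, then CVSS) and the threshold behaviour are assumptions, and the CVE identifiers and scores are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One dependency/container vulnerability row with the three metrics."""
    cve: str
    cvss: float  # CVSS base score, 0.0-10.0 (impact/severity)
    epss: float  # EPSS probability of exploitation in 30 days, 0.0-1.0
    kev: bool    # True if the CVE is listed in the CISA KEV catalogue


def triage_key(f: Finding) -> tuple:
    """Sort key: confirmed exploitation (KEV) outranks predicted
    exploitation (EPSS), which outranks raw severity (CVSS).
    This ordering is an assumed policy, not one the note prescribes."""
    return (not f.kev, -f.epss, -f.cvss)


def prioritize(findings, min_epss: float = 0.0):
    """Apply an EPSS threshold filter (KEV entries are always kept,
    an assumption) and return the rows most urgent first."""
    kept = [f for f in findings if f.kev or f.epss >= min_epss]
    return sorted(kept, key=triage_key)


# Constructed sample report rows; identifiers are placeholders, not real CVEs.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.020, kev=False),
    Finding("CVE-0000-0002", cvss=7.5, epss=0.910, kev=False),
    Finding("CVE-0000-0003", cvss=6.1, epss=0.400, kev=True),
    Finding("CVE-0000-0004", cvss=5.3, epss=0.001, kev=False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve}  KEV={f.kev!s:5}  EPSS={f.epss:.3f}  CVSS={f.cvss}")
```

Note how the CVSS 9.8 finding drops below a lower-severity one with high EPSS, which is the efficiency gain the note describes.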