Associate CVE enrichment data with security findings
Problem
CVE enrichment data is currently only associated with vulnerability findings. This means that to access EPSS and KEV values for a vulnerability, a user must have that vulnerability on their main branch. This is limiting in cases where we may want to see these values for other branches through security findings, e.g. in merge requests and policies.
We may create an association between CVE enrichment and security findings (ee/app/models/security/finding.rb), similar to the one that exists for vulnerability findings (ee/app/models/vulnerabilities/finding.rb). This would enable access to EPSS and KEV data through security findings.
Tasks
- Understand how we may access CVE IDs for security findings. These will be used to associate with CVE enrichments
- Refine issue based on task above
Edited by Yasha Rise