Efficient Dependency & Container Vulnerability Risk Prioritization with KEV Data
[[_TOC_]]

### Release Notes

Efficiently prioritize risk across your dependency and container image vulnerabilities using [The Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog).

### Problem to solve

Half of organizations remediate less than 16% of their known vulnerabilities on a monthly basis. Moreover, users generally target `Critical` or `High` severity vulnerabilities for remediation, and in 2022 nearly 60% of disclosed CVEs fell into these severity categories. This is a growing problem: during the five-year period from 2019 to 2023, the number of CVEs disclosed increased by 21%.

As an Engineer, I want to be able to understand the likelihood that vulnerabilities in my organization's code could be exploited, so that I can more easily prioritize remediating the riskiest vulnerabilities.

A CVSS score is translated into a [Severity](https://docs.gitlab.com/ee/user/application_security/vulnerabilities/severities.html), which does aid users in prioritizing remediation decisions, but on its own this is inadequate and often leads to increased noise for AppSec and Engineering teams. Additional context is required to prioritize more efficiently which vulnerabilities need to be remediated.

Additionally, all federal civilian executive branch (FCEB) agencies are required to remediate vulnerabilities in the KEV catalog within prescribed time frames under Binding Operational Directive (BOD) 22-01. State, local, tribal, and territorial governments and private industry are not bound by BOD 22-01, but these entities often follow Federal guidance on cybersecurity, so this could become important for a wider group of users.

### What is KEV?

KEV is [The Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). It is maintained by CISA and provides insight on vulnerabilities that have been exploited in the wild.
KEV data should be a key driver in how organizations prioritize their remediation work for vulnerabilities. The KEV catalog only includes exploited vulnerabilities that have been assigned a CVE.

### Proposal

Incorporate [KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) data for all dependency scanning and container scanning findings.

### Scope

Integrate Rezilion's support for KEV into the ~"group::composition analysis" product.

#### MVC

Users can call the GraphQL API and view a KEV indicator in the response payload.

#### General Availability

- Customers can view an indicator that there is a known exploit for every dependency scanning result on the specific vulnerability page
- Customers can view an indicator that there is a known exploit for every container scanning result on the specific vulnerability page

#### Work extending outside of Composition Analysis team

- Customers can filter the Vulnerability Report by vulnerabilities that have a known exploit
- Customers can create security policies based on vulnerabilities that have a known exploit

### Intended Users

- [Delaney (Development Team Lead)](https://about.gitlab.com/handbook/product/personas/#delaney-development-team-lead)
- [Amy (Application Security Engineer)](https://about.gitlab.com/handbook/product/personas/#amy-application-security-engineer)
- [Alex (Security Operations Engineer)](https://about.gitlab.com/handbook/product/personas/#alex-security-operations-engineer)

More information on Personas can be found [here](https://about.gitlab.com/handbook/product/personas/).

_This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc._
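The KEV-driven prioritization this epic proposes, as an added illustration that is not GitLab's or Rezilion's code: it flags scanner findings whose CVE appears in the KEV catalog, attaches the BOD 22-01 due date and ransomware indicator, and orders remediation work accordingly. The KEV field names follow the public KEV JSON feed; the CVE ids, findings and reference date are constructed placeholders.

```python
# Added example (not GitLab's or Rezilion's code): flag dependency/container
# findings whose CVE is in the CISA KEV catalog and order remediation work.
# KEV field names follow the public KEV JSON feed; all CVE ids, findings and
# the "today" date are constructed placeholders.
from datetime import date

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Unknown": 4}

# Constructed stand-in for the KEV feed's "vulnerabilities" array.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-1900-0001", "dateAdded": "2024-01-10", "dueDate": "2024-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-1900-0002", "dateAdded": "2024-02-01", "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed findings as a dependency or container scanner might report them.
FINDINGS = [
    {"id": "f1", "cve": "CVE-1900-0003", "severity": "Critical", "image": "app:1.2"},
    {"id": "f2", "cve": "CVE-1900-0002", "severity": "Medium", "package": "libfoo"},
    {"id": "f3", "cve": "cve-1900-0001", "severity": "High", "package": "libbar"},
    {"id": "f4", "cve": None, "severity": "High", "package": "libbaz"},  # no CVE: never in KEV
]


def index_kev(feed):
    """Map upper-cased cveID -> KEV record so lookups are O(1) and case-insensitive."""
    return {v["cveID"].upper(): v for v in feed["vulnerabilities"]}


def enrich(finding, kev_index):
    """Copy a finding with a known_exploit flag plus KEV due date / ransomware use."""
    rec = kev_index.get((finding.get("cve") or "").upper())
    out = dict(finding, known_exploit=rec is not None)
    if rec is not None:
        out["kev_due_date"] = rec["dueDate"]  # BOD 22-01 remediation deadline
        out["ransomware_use"] = rec["knownRansomwareCampaignUse"] == "Known"
    return out


def prioritize(findings, feed, today=date(2024, 2, 15)):
    """Sort: overdue KEV entries first, then other KEV entries, then by severity (fixed `today` for reproducibility)."""
    kev_index = index_kev(feed)
    enriched = [enrich(f, kev_index) for f in findings]

    def key(f):
        overdue = f["known_exploit"] and date.fromisoformat(f["kev_due_date"]) < today
        return (not overdue, not f["known_exploit"], SEVERITY_RANK.get(f["severity"], 4))

    return sorted(enriched, key=key)
```

Note that a `Medium` finding with a KEV entry outranks a `Critical` one without, which is the point of adding KEV context to severity alone.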