
Implement EPSS Scaling (Total Threat for Component or Project or Portfolio)

Open msymons opened this issue 3 years ago • 3 comments

Current Behavior:

Dependency-Track v4.5.0 introduced support for EPSS. This is currently provided via the "Exploit Predictions" tab in each project.

The scatter graph is definitely useful. It does allow one to follow general EPSS recommendations for prioritization (pay attention to the top right first). However, things can get a bit complicated when the graph is busy. To illustrate:

[image: EPSS scatter graph of the project's Exploit Predictions tab]

This represents 112 separate predictions. However, in this project just one single component has 12 vulnerabilities (with a total DT risk score of 108).

Proposed Behavior:

What I would like to see is implementation of scaling, the combination of individual EPSS scores to give a measure of the risk from multiple vulnerabilities. The EPSS website explains how this can be done here. Scroll down to the section titled "EPSS Can Scale, to Produce System, Network, and Enterprise-level Exploit Predictions".

This would then allow for:

  • EPSS graph for individual components in a project. ie, showing how the score has changed over time.
  • EPSS visualisation on Dependency Graphs for projects (ie, showing total current EPSS risk for each component). And perhaps the total could increase as one moves up the tree? ie inheritance of risk from transitive dependencies.
  • EPSS graph for each project's overview. ie, showing how the score has changed over time.
  • EPSS graph for DT Dashboard. ie, showing how the score has changed over time.
  • Addition of EPSS column to projects page
  • Addition of EPSS column to components page
  • etc? (I am sure that I have missed some things).

In the future, EPSS can then possibly be reported for (say) tags or other "collections" that might be implemented in DT. eg, a score for one's integration environment and a score for one's production environment.

I have logged this as a Frontend enhancement, although I am sure it would also require backend changes.

msymons avatar May 27 '22 23:05 msymons
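As an added illustration of the scaling the request describes (example code, not part of this issue or of Dependency-Track): FIRST's EPSS scaling formula combines per-vulnerability probabilities as 1 - ∏(1 - p_i), the chance that at least one of them is exploited. The component names, `vuln-N` ids and probabilities below are constructed placeholders, and treating a vulnerability id as the unit of risk (so a finding reachable via several dependency paths, or shared by several projects, is counted once) is an assumption of this example, not something the issue specifies.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Component:
    """Component with its own findings (vuln id -> EPSS probability) and dependencies."""
    name: str
    findings: dict = field(default_factory=dict)
    deps: list = field(default_factory=list)

def scale_epss(probabilities):
    """FIRST's EPSS scaling: chance that at least one vulnerability is exploited,
    treating them as independent events: 1 - prod(1 - p_i). Empty input scores 0."""
    return 1.0 - prod(1.0 - p for p in probabilities)

def collect_findings(component, transitive=False, found=None):
    """Gather vuln id -> EPSS, optionally walking the dependency tree. Keying on the
    vulnerability id counts a finding reachable via several paths (diamond
    dependencies) only once, so the combined score is not inflated (assumption)."""
    found = {} if found is None else found
    found.update(component.findings)
    if transitive:
        for dep in component.deps:
            collect_findings(dep, True, found)
    return found

def component_epss(component, transitive=False):
    """Score for one component; transitive=True inherits risk from its subtree."""
    return scale_epss(collect_findings(component, transitive).values())

def portfolio_epss(projects):
    """Portfolio score; `projects` maps project name -> list of root components."""
    found = {}
    for roots in projects.values():
        for c in roots:
            collect_findings(c, True, found)
    return scale_epss(found.values())

def project_epss(root_components):
    """Project score: every unique vulnerability reachable from the project's roots."""
    return portfolio_epss({"project": root_components})

# Constructed sample (placeholder ids, not real CVEs): "app" depends on lib-a and
# lib-b, which both pull in lib-c, so lib-c's finding is reachable twice.
LIB_C = Component("lib-c", {"vuln-3": 0.20})
LIB_A = Component("lib-a", {"vuln-1": 0.50}, [LIB_C])
LIB_B = Component("lib-b", {"vuln-2": 0.10}, [LIB_C])
APP = Component("app", deps=[LIB_A, LIB_B])
TOOL = Component("tool", {"vuln-4": 0.30})
```

With the sample tree, lib-a alone scores 0.5, lib-a with inherited transitive risk 0.6, the whole project 0.64 (lib-c counted once; 0.712 if it were counted twice), and a portfolio of that project plus one containing `tool` 0.748.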

Moving this to Milestone v4.10. The team want to do this properly and that will mean decomposition of the enhancement into a couple of separate issues so that we can deliver an MVP and then additional functionality over time.

msymons avatar Jul 05 '23 22:07 msymons

@msymons - Thank you for the recommendation to implement EPSS Scaling. This enhancement request looks GREAT. Is this still open or released in v4.11?

spawar-apex avatar May 29 '24 19:05 spawar-apex

Please ignore my comment. I missed the milestone part of the ticket. It's planned in v4.13. Thanks!

spawar-apex avatar May 29 '24 19:05 spawar-apex