Add EPSS Column to Vulnerabilities Screen
Current Behavior
Each project in Dependency-Track has an "Exploit Predictions" tab that provides sortable columns for EPSS and EPSS percentile for all CVEs in the project.
This is very useful as an aid for prioritisation when one has many vulnerabilities, but it only applies to the single project... it is not much help to the user who might be managing 50 or so projects.
The vulnerabilities screen lists all vulnerabilities known to DT and has a column for "severity" but no information that can help improve prioritization, i.e. no EPSS columns.
To understand why this is a gap, the EPSS website offers some useful insights. From the user guide:
> First, observe how most vulnerabilities are concentrated near the bottom of the plot, and only a small percent of vulnerabilities have EPSS scores above 50% (0.5). While there is some correlation between EPSS and CVSS scores, overall, this plot provides suggestive evidence that attackers are not only targeting vulnerabilities that produce the greatest impact, or are necessarily easier to exploit (such as for example, an unauthenticated remote code execution).
>
> This is an important finding because it refutes a common assumption that attackers are only looking for — and using — the most severe vulnerabilities. And so, how then can a network defender choose among these vulnerabilities when deciding what to patch first?
>
> CVSS is a useful tool for capturing the fundamental properties of a vulnerability, but it needs to be used in combination with data-driven threat information, like EPSS, in order to better prioritize vulnerability remediation efforts.
Proposed Behavior
- Add EPSS columns to the `/vulnerabilities` screen. The columns could be optional.
- The columns need to be sortable, otherwise the information is not really usable.
Note that EPSS is only available for CVEs, and only for CVEs that are in "published" state and have a CVSS 3 vector in their base score. Thus the vulnerabilities list is likely to have a LOT of entries with no EPSS score... but this should be no problem thanks to sorting.
The above is really an MVP. Ideally, the screen should also offer filtering so that one can choose to display only those vulnerabilities that have affected projects (i.e. that affect at least one project).
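As an added illustration of the proposed ordering (example code, not Dependency-Track's own), the snippet below sorts a constructed list of findings so that EPSS-scored entries come first, pushes the many entries without an EPSS score to the bottom, supports the "affected projects only" filter, and contrasts that with a severity-only sort. The `Vulnerability` record, the `CVE-0000-000x`/`GHSA-xxxx-xxxx-xxxx` identifiers and the scores are all made up for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical row model for the vulnerabilities screen (not DT's data model).
@dataclass
class Vulnerability:
    vuln_id: str
    published: bool                    # CVE is in "published" state
    severity: str                      # CRITICAL / HIGH / MEDIUM / LOW
    cvss_v3: Optional[float]           # CVSS v3 base score, None if absent
    epss_score: Optional[float]        # 0..1, None when no EPSS exists
    epss_percentile: Optional[float]   # 0..1, None when no EPSS exists
    affected_projects: int             # projects in DT carrying this finding

def epss_eligible(v: Vulnerability) -> bool:
    """EPSS exists only for published CVEs that carry a CVSS v3 vector."""
    return v.vuln_id.startswith("CVE-") and v.published and v.cvss_v3 is not None

def prioritize(vulns: List[Vulnerability], affected_only: bool = False) -> List[Vulnerability]:
    """EPSS-scored rows first (highest EPSS on top); unscored rows sink to the
    bottom and are ordered by CVSS v3 so they stay sortable but do not hide the signal."""
    rows = [v for v in vulns if v.affected_projects > 0] if affected_only else list(vulns)
    return sorted(rows, key=lambda v: (v.epss_score is None,
                                       -(v.epss_score or 0.0),
                                       -(v.cvss_v3 or 0.0)))

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

def by_severity(vulns: List[Vulnerability]) -> List[Vulnerability]:
    """What the screen offers today: severity, then CVSS, ignoring exploit likelihood."""
    return sorted(vulns, key=lambda v: (SEVERITY_RANK[v.severity], -(v.cvss_v3 or 0.0)))

# Constructed sample data: a HIGH with a very high EPSS, a CRITICAL with a low EPSS,
# an unpublished CVE with no EPSS yet, and a GHSA advisory that can never have one.
SAMPLE = [
    Vulnerability("CVE-0000-0001", True, "HIGH", 7.5, 0.92, 0.99, 3),
    Vulnerability("CVE-0000-0002", True, "CRITICAL", 9.8, 0.04, 0.70, 1),
    Vulnerability("CVE-0000-0003", False, "CRITICAL", 9.1, None, None, 0),
    Vulnerability("GHSA-xxxx-xxxx-xxxx", True, "HIGH", 8.1, None, None, 2),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.vuln_id:22} {v.severity:9} epss={v.epss_score} cvss={v.cvss_v3}")
```

Run as a script, it lists the HIGH-severity CVE with EPSS 0.92 above the CRITICAL one with EPSS 0.04, which is exactly the reordering the quoted EPSS guidance argues for.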
Checklist
- [X] I have read and understand the contributing guidelines
- [X] I have checked the existing issues for whether this enhancement was already requested