
Add Support to EPSS

Open ziadhany opened this issue 1 year ago • 5 comments

issue #850 #1474

Screenshot from 2024-06-01 02-59-57

Screenshot from 2024-06-01 03-00-46

ziadhany avatar May 19 '24 22:05 ziadhany

@ziadhany Perhaps you could add this link https://www.first.org/epss/ to help people understand who the "Exploit Prediction Scoring System" is, and then it should be good to go.

DennisClark avatar May 21 '24 16:05 DennisClark

@pombredanne @DennisClark @keshav-space @johnmhoran @Hritik14 I added EPSS to the scoring system. The API looks good, but there is a problem with the UI:
1- Severity score range (should we ignore the EPSS?) I think yes.
2- Where should we add the published_at and percentile? (Severities vectors, ...?)

{
    "url": "http://127.0.0.1:8001/api/vulnerabilities/132176",
    "vulnerability_id": "VCID-1116-rhyx-aaab",
    "summary": "",
    "aliases": [
        {
            "alias": "CVE-2019-14599"
        }
    ],
    "fixed_packages": [],
    "affected_packages": [],
    "references": [
        {
            "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-14599",
            "reference_id": "",
            "scores": [
                {
                    "value": "0.00044",
                    "scoring_system": "epss",
                    "scoring_elements": "0.12215",
                    "published_at": "2024-05-22T00:00:00Z"
                }
            ],
            "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-14599"
        }
    ],
    "weaknesses": [],
    "resource_url": "http://127.0.0.1:8001/vulnerabilities/VCID-1116-rhyx-aaab"
}


ziadhany avatar May 24 '24 15:05 ziadhany

@ziadhany as discussed in our meeting, please do not include the EPSS score (0 to 1) in the Severity Score Range (0-10) since they don't really make sense together.

DennisClark avatar May 28 '24 16:05 DennisClark

EPSS scores are probabilities and could be represented in the 1-100 range by multiplying by 100.

Hritik14 avatar May 29 '24 04:05 Hritik14

EPSS scores are probabilities and could be represented in the 1-100 range by multiplying by 100.

@Hritik14 we have three options:
1- Multiply the EPSS score by (10, 100, ...): This approach has limitations and may not be effective for all EPSS scores.
CVE-1999-0005: epss score: 0.91963 -> (9.1963, 91.963, ...)
CVE-2023-5868: epss score: 0.0018 -> (0.018, 0.18, ...)
CVE-2023-4806: epss score: 0.00097 -> (0.0097, 0.097, ...)

2- Normalize the whole score range to [0,1] (CVSS values): This approach could be useful; however, most people are more concerned with the vulnerability's CVSS rating [0:10].

3- Keep the EPSS score separate from the severity score range.

ziadhany avatar May 29 '24 17:05 ziadhany
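As an added example (not vulnerablecode's own code, and not part of this thread), here is a Python sketch of option 3 from the comment above: it walks the reference scores in a response shaped like the one quoted earlier in the thread, keeps EPSS out of the 0-10 severity score range, validates that EPSS values are probabilities, and renders EPSS for display as a percentage together with the percentile and published_at. The second reference in the sample, its `cvssv3.1` identifier and vector, and the dataclass and function names are assumptions.

```python
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample modelled on the API response quoted in the thread.
# The second reference, its "cvssv3.1" identifier and its vector are assumptions.
SAMPLE_RESPONSE = json.dumps({
    "vulnerability_id": "VCID-1116-rhyx-aaab",
    "references": [
        {
            "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-14599",
            "scores": [{
                "value": "0.00044",
                "scoring_system": "epss",
                "scoring_elements": "0.12215",  # percentile, as in the quoted response
                "published_at": "2024-05-22T00:00:00Z",
            }],
        },
        {
            "reference_url": "https://example.invalid/CVE-2019-14599",  # constructed
            "scores": [{
                "value": "5.5",
                "scoring_system": "cvssv3.1",
                "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "published_at": None,
            }],
        },
    ],
})

SEVERITY_RANGE = (0.0, 10.0)  # CVSS-style range shown as "Severity score range"
EPSS_RANGE = (0.0, 1.0)       # EPSS score and percentile are probabilities


@dataclass
class Severity:
    system: str
    value: float
    vector: str
    published_at: Optional[str]


@dataclass
class Epss:
    score: float       # probability of exploitation activity in the next 30 days
    percentile: float
    published_at: Optional[str]


def _in_range(value: float, bounds: Tuple[float, float]) -> bool:
    lo, hi = bounds
    return lo <= value <= hi


def split_scores(response_json: str) -> Tuple[List[Severity], List[Epss]]:
    """Partition every score in the response into severities and EPSS entries,
    rejecting values outside the range their scoring system allows."""
    data = json.loads(response_json)
    severities: List[Severity] = []
    epss: List[Epss] = []
    for ref in data.get("references", []):
        for score in ref.get("scores", []):
            system = score["scoring_system"].lower()
            value = float(score["value"])
            if system == "epss":
                percentile = float(score["scoring_elements"])
                if not (_in_range(value, EPSS_RANGE) and _in_range(percentile, EPSS_RANGE)):
                    raise ValueError(f"EPSS values must be probabilities: {score}")
                epss.append(Epss(value, percentile, score.get("published_at")))
            else:
                if not _in_range(value, SEVERITY_RANGE):
                    raise ValueError(f"severity outside 0-10 range: {score}")
                severities.append(
                    Severity(system, value, score["scoring_elements"], score.get("published_at"))
                )
    return severities, epss


def severity_score_range(severities: List[Severity]) -> Optional[Tuple[float, float]]:
    """Min and max of the CVSS-style scores only; EPSS never enters this range."""
    if not severities:
        return None
    values = [s.value for s in severities]
    return min(values), max(values)


def epss_display(entry: Epss) -> str:
    """Render EPSS for the UI as a percentage (the x100 idea from the thread),
    with the percentile and, when present, the published_at date."""
    label = f"{entry.score * 100:.3g}% (percentile {entry.percentile * 100:.1f}%)"
    if entry.published_at:
        label += f", published {entry.published_at[:10]}"
    return label


if __name__ == "__main__":
    sev, ep = split_scores(SAMPLE_RESPONSE)
    print("severity score range:", severity_score_range(sev))
    for e in ep:
        print("EPSS:", epss_display(e))
```

Because `split_scores` routes on `scoring_system`, the severity range is computed from CVSS-style entries only, so an EPSS probability can never shrink the displayed 0-10 minimum; the display helper also degrades cleanly when `published_at` is absent, which is the second UI case raised later in the thread.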

Please add screenshots of the UI for both cases: when we have "published_at" and when we do not.

TG1999 avatar Jul 16 '24 08:07 TG1999

@TG1999 Here are all the screenshots for the EPSS UI.

Screenshot from 2024-07-17 21-07-01

Screenshot from 2024-07-17 22-21-02

Screenshot from 2024-07-17 22-43-39

Screenshot from 2024-07-17 22-40-13

ziadhany avatar Jul 17 '24 19:07 ziadhany

@ziadhany please do the same for the API. Thanks, and merge this.

TG1999 avatar Jul 22 '24 15:07 TG1999

@ziadhany tests are failing, please look!

TG1999 avatar Jul 22 '24 15:07 TG1999

@ziadhany tests are failing, please look!

@TG1999 I resolved the test issues. One was due to migration conflicts, and the other was related to the cargo ref type. I'm unsure why the cargo ref type issue didn't appear in the ref type pull request.

ziadhany avatar Jul 22 '24 16:07 ziadhany

#1502 is reverted, @ziadhany please also fix the tests there and get it merged

TG1999 avatar Jul 22 '24 16:07 TG1999

@ziadhany error persists, CI is still failing

TG1999 avatar Jul 22 '24 16:07 TG1999

@ziadhany error persists, CI is still failing

@TG1999 Please merge the ref type pull request before this one and rerun the CI.

ziadhany avatar Jul 22 '24 16:07 ziadhany

@ziadhany please see #1518 and make the required changes to get CI passing there.

TG1999 avatar Jul 22 '24 16:07 TG1999

@ziadhany please see this PR, tests are failing

TG1999 avatar Aug 06 '24 08:08 TG1999

@ziadhany please see this PR, tests are failing

@TG1999 Done

ziadhany avatar Aug 06 '24 10:08 ziadhany