
Consider prioritization using CVE_Prioritizer

Open. pombredanne opened this issue 1 year ago • 1 comment

See @TURROKS https://github.com/TURROKS/CVE_Prioritizer. It combines CVSS, EPSS and KEV. Nice. Something to consider for CRAVEX! FYI: @DennisClark @TG1999 @tdruez

pombredanne, Jul 17 '24 17:07

The project at https://github.com/TURROKS/CVE_Prioritizer?tab=readme-ov-file#cve-prioritizer is indeed a very interesting example of a solution to prioritization; however, the dependence on CVE identification and corresponding data is a limitation and it does not seem to make use of other vulnerability reporting sources (as far as I can tell).

DennisClark, Aug 09 '24 16:08

I don't think we are going to do this one. Our current implementation of Weighted Severity, Exploitability and Risk in VulnerableCode plus the Exposure Factor in DejaCode handles vulnerability prioritization scoring. There could, of course, be areas where we can improve the visibility of the scoring to the user, as well as more focused workflows, but the actual computation and setting of priority is pretty solid. Closing this one.

DennisClark, Dec 30 '24 23:12