DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0
2.59k stars, 543 forks

Implement EPSS Scaling (Total Threat for Component or Project or Portfolio) #2512

Open msymons opened 2 years ago

msymons commented 2 years ago

Current Behavior:

Dependency-Track v4.5.0 introduced support for EPSS. This is currently provided via the "Exploit Predictions" tab in each project.

The scatter graph is definitely useful. It does allow one to follow general EPSS recommendations for prioritization (pay attention to the top right first). However, things can get a bit complicated when the graph is busy. To illustrate:

[image: EPSS scatter graph for the project]

This represents 112 separate predictions. However, in this project just one single component has 12 vulnerabilities (with a total DT risk score of 108).

Proposed Behavior:

What I would like to see is implementation of scaling, the combination of individual EPSS scores to give a measure of the risk from multiple vulnerabilities. The EPSS website explains how this can be done here. Scroll down to the section titled "EPSS Can Scale, to Produce System, Network, and Enterprise-level Exploit Predictions".

This would then allow for:

In the future, EPSS can then possibly be reported for (say) tags or other "collections" that might be implemented in DT, e.g., a score for one's integration environment and a score for one's production environment.

I have logged this as a Frontend enhancement, although I am sure it would also require backend changes.
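The scaling described in the comment above, as an added example and not code from Dependency-Track: a Python script that combines per-vulnerability EPSS scores into a component-, project- and portfolio-level exploit probability using the "at least one vulnerability exploited" formula from the EPSS scaling section, 1 - ∏(1 - p_i). The findings, component names, vulnerability identifiers and EPSS values are constructed for illustration and are not real.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    """One vulnerability affecting one component in one project (constructed record)."""
    project: str
    component: str
    vuln_id: str
    epss: float  # EPSS probability of exploitation in the next 30 days, 0..1


def scale_epss(probabilities: Iterable[float]) -> float:
    """Probability that at least one of the vulnerabilities is exploited.

    Treats the EPSS scores as independent events, as the EPSS scaling
    section does: P(any) = 1 - prod(1 - p_i). Computed in log space so that
    a long list of tiny probabilities does not lose precision in the product.
    """
    log_complement = 0.0
    for p in probabilities:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"EPSS probability out of range: {p}")
        if p == 1.0:
            return 1.0  # certain exploitation dominates; log1p(-1) is undefined
        log_complement += math.log1p(-p)
    return -math.expm1(log_complement)


def scale_by(findings: Iterable[Finding],
             key: Callable[[Finding], Hashable]) -> Dict[Hashable, float]:
    """Group findings by `key` (component, project, tag, ...) and scale each group."""
    groups: Dict[Hashable, List[float]] = {}
    for f in findings:
        groups.setdefault(key(f), []).append(f.epss)
    return {k: scale_epss(v) for k, v in groups.items()}


def prioritize(scaled: Dict[Hashable, float]) -> List[Tuple[Hashable, float]]:
    """Highest combined exploit probability first."""
    return sorted(scaled.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample findings: placeholder component versions, vulnerability
# ids and EPSS values chosen only to make the arithmetic easy to follow.
FINDINGS = [
    Finding("payments-api", "lib-a@1.2.0", "vuln-1", 0.10),
    Finding("payments-api", "lib-a@1.2.0", "vuln-2", 0.20),
    Finding("payments-api", "lib-a@1.2.0", "vuln-3", 0.30),
    Finding("payments-api", "lib-b@4.0.1", "vuln-4", 0.05),
    Finding("inventory-svc", "lib-a@1.2.0", "vuln-1", 0.10),
    Finding("inventory-svc", "lib-a@1.2.0", "vuln-2", 0.20),
    Finding("inventory-svc", "lib-c@0.9.0", "vuln-5", 0.90),
]

by_component = scale_by(FINDINGS, lambda f: (f.project, f.component))
by_project = scale_by(FINDINGS, lambda f: f.project)
portfolio = scale_epss(f.epss for f in FINDINGS)

if __name__ == "__main__":
    for (project, component), p in prioritize(by_component):
        print(f"{project:15} {component:12} {p:.3f}")
    for project, p in prioritize(by_project):
        print(f"{project:15} {'(project)':12} {p:.3f}")
    print(f"portfolio {portfolio:.3f}")
```

The independence assumption is the one the EPSS scaling section makes and is the caveat to keep in mind: vulnerabilities in the same component are often exploited by the same actor or the same campaign, so the combined figure is a prioritization signal rather than a measured probability, and it is separate from Dependency-Track's own risk score.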

msymons commented 1 year ago

Moving this to Milestone v4.10. The team want to do this properly, and that will mean decomposition of the enhancement into a couple of separate issues so that we can deliver an MVP and then additional functionality over time.

spawar-apex commented 3 months ago

@msymons - Thank you for the recommendation to implement EPSS Scaling. This enhancement request looks GREAT. Is this still open, or was it released in v4.11?

spawar-apex commented 3 months ago

Please ignore my comment. I missed the milestone part of the ticket. It's planned for v4.13. Thanks!