Open andresghelarducci opened 1 year ago
CISA is working on a new project to add the fields necessary to implement SSVC to each CVE: current exploitation (~KEV), whether the vulnerability is automatable, and what the technical impact would be (full/partial). See here:
Having this information in dependency-track would be amazing, as it would allow MUCH better prioritization than just using the CVSS score (if I remember correctly, 50% of all CVEs are High or Critical?).
Current Behavior
Currently DependencyTrack provides CVSS and EPSS, and an analysis window where some information can be entered to analyze the vulnerability.
Proposed Behavior
In order to help vulnerability prioritization, can something like an SSVC rating (https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc) be added to dependencyTrack? In particular, it may be useful to have a way to generate the decision tree inside dependencytrack.
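The following is an added example, not Dependency-Track code and not something the issue author posted. It shows what the decision tree the request describes would do over a handful of findings: the three decision points the post says CISA will publish per CVE (Exploitation, Automatable, Technical Impact) come in with the vulnerability, while the fourth SSVC decision point, Mission & Well-being, is the organization-specific input a deployer would supply (in Dependency-Track that would be per-project configuration). The decision table is the CISA SSVC tree as I recall it from the CISA guide; treat it as an assumption and check it against the published table before relying on it. The CVE identifiers, CVSS scores and SSVC values in the sample are constructed.

```python
"""Evaluate the CISA SSVC decision tree over constructed findings.

Added example (not Dependency-Track code). The decision table below is
transcribed from memory of the CISA SSVC guide (CISA tree, SSVC v2) and
should be verified against the published table before real use.
"""
from dataclasses import dataclass

# (exploitation, automatable, technical_impact) -> outcome for each
# Mission & Well-being level, in the order (low, medium, high).
_DECISION_TABLE = {
    ("none", "no", "partial"):    ("Track",  "Track",  "Track"),
    ("none", "no", "total"):      ("Track",  "Track",  "Track*"),
    ("none", "yes", "partial"):   ("Track",  "Track",  "Attend"),
    ("none", "yes", "total"):     ("Track",  "Track",  "Attend"),
    ("poc", "no", "partial"):     ("Track",  "Track",  "Track*"),
    ("poc", "no", "total"):       ("Track",  "Track*", "Attend"),
    ("poc", "yes", "partial"):    ("Track",  "Track",  "Attend"),
    ("poc", "yes", "total"):      ("Track",  "Track*", "Attend"),
    ("active", "no", "partial"):  ("Track",  "Attend", "Attend"),
    ("active", "no", "total"):    ("Track",  "Attend", "Act"),
    ("active", "yes", "partial"): ("Attend", "Attend", "Act"),
    ("active", "yes", "total"):   ("Attend", "Act",    "Act"),
}
_MWB_INDEX = {"low": 0, "medium": 1, "high": 2}
# Ordering of outcomes from least to most urgent, used for sorting.
_URGENCY = {"Track": 0, "Track*": 1, "Attend": 2, "Act": 3}


def ssvc_decision(exploitation: str, automatable: str,
                  technical_impact: str, mission_wellbeing: str) -> str:
    """Return the SSVC outcome (Track, Track*, Attend, Act) for one finding.

    Raises ValueError on values outside the decision-point vocabularies so
    a typo in an imported record cannot silently fall back to 'Track'.
    """
    key = (exploitation, automatable, technical_impact)
    if key not in _DECISION_TABLE:
        raise ValueError(f"unknown decision point values: {key}")
    if mission_wellbeing not in _MWB_INDEX:
        raise ValueError(f"unknown mission & well-being level: {mission_wellbeing}")
    return _DECISION_TABLE[key][_MWB_INDEX[mission_wellbeing]]


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    exploitation: str      # none | poc | active   (CISA-supplied)
    automatable: str       # no | yes              (CISA-supplied)
    technical_impact: str  # partial | total       (CISA-supplied)


def prioritize(findings, mission_wellbeing: str):
    """Return (finding, outcome) pairs, most urgent SSVC outcome first.

    CVSS is only a tiebreaker within an outcome, which is the point of the
    request: an unexploited 9.8 should not outrank an actively exploited,
    automatable 5.3.
    """
    scored = [
        (f, ssvc_decision(f.exploitation, f.automatable,
                          f.technical_impact, mission_wellbeing))
        for f in findings
    ]
    scored.sort(key=lambda pair: (-_URGENCY[pair[1]], -pair[0].cvss))
    return scored


# Constructed sample findings: identifiers and values are made up.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, "none", "no", "total"),
    Finding("CVE-0000-0002", 7.5, "active", "yes", "partial"),
    Finding("CVE-0000-0003", 8.1, "poc", "no", "total"),
    Finding("CVE-0000-0004", 5.3, "active", "yes", "total"),
]

if __name__ == "__main__":
    # A project whose mission & well-being impact is rated "high".
    for finding, outcome in prioritize(SAMPLE_FINDINGS, "high"):
        print(f"{finding.cve}  CVSS {finding.cvss:>4}  -> {outcome}")
```

With the sample above and a "high" Mission & Well-being rating, the two actively exploited findings land in Act and sort to the top, the 9.8-CVSS finding with no known exploitation ends up last as Track*, and changing the rating to "low" drops every finding to Track or Attend. The two validation checks in `ssvc_decision` matter once the values come from an external feed rather than hand-written data.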