DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Vulnerability prioritization #2671

Open andresghelarducci opened 1 year ago

andresghelarducci commented 1 year ago

Current Behavior

Currently Dependency-Track provides CVSS and EPSS, and an analysis window where some information can be inserted to analyze the vulnerability.

Proposed Behavior

In order to help vulnerability prioritization, can something like an SSVC rating (https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc) be added to Dependency-Track? In particular, it may be useful to have a way to generate the decision tree inside Dependency-Track.


AppSecAmael commented 4 months ago

CISA is working on a new project to add the fields necessary to implement SSVC to each CVE: current exploitation (~KEV), whether the vulnerability is automatable, and what the technical impact would be (full/partial). See here:

Having this information in Dependency-Track would be amazing, as it would allow a MUCH better prioritization than just using the CVSS score (if I remember, 50% of all CVEs are HIGH or Critical?).
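One way the decision tree asked for in the opening post could be encoded, using the decision points the second comment lists (exploitation, automatable, technical impact, plus CISA's mission and well-being point), as an added example that is not part of this issue or of Dependency-Track's own code. The outcome table is transcribed from the CISA SSVC guide and should be checked against CISA's current publication before use; the finding records and their field names (`id`, `cvss`, `in_kev`, `poc_available`, `automatable`, `technical_impact`) are constructed for this example and are not Dependency-Track's API. The block also checks a property a practitioner would want of any such tree: raising a single decision point must never lower the outcome.

```python
"""SSVC-style prioritization of findings (added example, not Dependency-Track code).

Outcome table transcribed from the CISA SSVC guide; verify against CISA's current
publication. Sample records and their field names are constructed assumptions.
"""
from enum import IntEnum
from itertools import product


class Exploitation(IntEnum):
    NONE, POC, ACTIVE = 0, 1, 2


class Automatable(IntEnum):
    NO, YES = 0, 1


class TechnicalImpact(IntEnum):
    PARTIAL, TOTAL = 0, 1


class MissionWellbeing(IntEnum):
    LOW, MEDIUM, HIGH = 0, 1, 2


# Outcomes ordered from least to most urgent.
OUTCOMES = ("Track", "Track*", "Attend", "Act")

# For each (exploitation, automatable, technical impact) branch, the outcomes for
# mission & well-being = low / medium / high.
_TABLE = {
    (Exploitation.NONE, Automatable.NO, TechnicalImpact.PARTIAL): ("Track", "Track", "Track"),
    (Exploitation.NONE, Automatable.NO, TechnicalImpact.TOTAL): ("Track", "Track", "Track*"),
    (Exploitation.NONE, Automatable.YES, TechnicalImpact.PARTIAL): ("Track", "Track", "Attend"),
    (Exploitation.NONE, Automatable.YES, TechnicalImpact.TOTAL): ("Track", "Track", "Attend"),
    (Exploitation.POC, Automatable.NO, TechnicalImpact.PARTIAL): ("Track", "Track", "Track*"),
    (Exploitation.POC, Automatable.NO, TechnicalImpact.TOTAL): ("Track", "Track*", "Attend"),
    (Exploitation.POC, Automatable.YES, TechnicalImpact.PARTIAL): ("Track", "Track*", "Attend"),
    (Exploitation.POC, Automatable.YES, TechnicalImpact.TOTAL): ("Track", "Track*", "Attend"),
    (Exploitation.ACTIVE, Automatable.NO, TechnicalImpact.PARTIAL): ("Track", "Track", "Attend"),
    (Exploitation.ACTIVE, Automatable.NO, TechnicalImpact.TOTAL): ("Track", "Attend", "Act"),
    (Exploitation.ACTIVE, Automatable.YES, TechnicalImpact.PARTIAL): ("Attend", "Attend", "Act"),
    (Exploitation.ACTIVE, Automatable.YES, TechnicalImpact.TOTAL): ("Attend", "Act", "Act"),
}


def ssvc_decision(exploitation, automatable, impact, mission):
    """Walk the decision tree: three branch points select a row, mission picks the leaf."""
    return _TABLE[(exploitation, automatable, impact)][mission]


def check_monotone():
    """Return (before, after) input pairs where raising one decision point lowers
    the outcome. An empty list means the table is consistent."""
    dims = (Exploitation, Automatable, TechnicalImpact, MissionWellbeing)
    violations = []
    for combo in product(*dims):
        base = OUTCOMES.index(ssvc_decision(*combo))
        for i, dim in enumerate(dims):
            if combo[i] + 1 < len(dim):
                bumped = list(combo)
                bumped[i] = dim(combo[i] + 1)
                if OUTCOMES.index(ssvc_decision(*bumped)) < base:
                    violations.append((combo, tuple(bumped)))
    return violations


def exploitation_from(finding):
    """Derive Exploitation from the constructed record: KEV membership means active
    exploitation, a public PoC is the middle value, otherwise none."""
    if finding["in_kev"]:
        return Exploitation.ACTIVE
    if finding["poc_available"]:
        return Exploitation.POC
    return Exploitation.NONE


def prioritize(findings, mission):
    """Tag each finding with its SSVC outcome and sort most urgent first,
    breaking ties by CVSS base score (higher first)."""
    rows = []
    for f in findings:
        outcome = ssvc_decision(
            exploitation_from(f),
            Automatable.YES if f["automatable"] else Automatable.NO,
            TechnicalImpact.TOTAL if f["technical_impact"] == "total" else TechnicalImpact.PARTIAL,
            mission,
        )
        rows.append({**f, "ssvc": outcome})
    rows.sort(key=lambda r: (-OUTCOMES.index(r["ssvc"]), -r["cvss"]))
    return rows


# Constructed sample records (placeholder ids, not real CVEs). VULN-1 and VULN-2
# share a 9.8 CVSS score; VULN-3 is "only" 6.5 but actively exploited.
SAMPLE_FINDINGS = [
    {"id": "VULN-1", "cvss": 9.8, "in_kev": False, "poc_available": False,
     "automatable": False, "technical_impact": "partial"},
    {"id": "VULN-2", "cvss": 9.8, "in_kev": True, "poc_available": True,
     "automatable": True, "technical_impact": "total"},
    {"id": "VULN-3", "cvss": 6.5, "in_kev": True, "poc_available": True,
     "automatable": True, "technical_impact": "partial"},
]

if __name__ == "__main__":
    assert not check_monotone(), "decision table is not monotone"
    for row in prioritize(SAMPLE_FINDINGS, MissionWellbeing.MEDIUM):
        print(f'{row["id"]:8} CVSS {row["cvss"]:>4}  SSVC {row["ssvc"]}')
```

With mission and well-being set to medium, the two 9.8-scored findings land on opposite ends of the tree (Act versus Track) and the 6.5-scored one outranks the untouched 9.8, which is the kind of separation a CVSS-only sort cannot produce. If CISA's per-CVE SSVC fields become available, `in_kev`, `poc_available`, `automatable` and `technical_impact` are the inputs a Dependency-Track integration would need to populate.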