Open setchy opened 1 year ago
i.e., a more natural solution than this current workaround
Thanks for the suggestion @setchy! I feel this might be a duplicate of https://github.com/DependencyTrack/dependency-track/issues/2267. Would you mind checking if that issue captures what you're asking for?
Thanks @nscuro :)
I was familiar with #2267, and although both relate to CISA KEV, I felt they had these differences
What are your thoughts?
Makes sense.
Although #2267 also mentions policies:
Once the data is included, I would request a policy to identify vulnerabilities outside of the KEV remediation timeline.
But yeah, overall it seems to me that #2267 is asking for a more "complete" integration with KEV, so perhaps a superset of this issue.
Leaving this enhancement request open then. Thanks again for raising it.
Updated the initial description to generalize the request (CISA or VulnCheck KEV catalogs).
Details on how to implement VulnCheck KEV are here: https://docs.vulncheck.com/community/vulncheck-kev/introduction
Let me know if you have any questions or need help in doing so.
Current Behavior
Currently, we use a custom policy rule with a very long list of conditions to check for Vulnerability IDs that are listed within a Known Exploited Vulnerabilities catalog (CISA or VulnCheck).
Maintaining this policy is time-consuming due to its verbosity.
Proposed Behavior
Enhance the Policy Management feature to allow a simple rule configuration which would effectively check if the Vulnerability ID is found within a KEV catalog (CISA or VulnCheck).