DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Allow Policies to have rules based on EPSS values #3703

Closed wnmzzzz closed 3 months ago

wnmzzzz commented 3 months ago

Current Behavior

We are using Policies to trigger notifications about Issues that need to be urgently addressed.

A Policy can be defined based on the Severity of a Vulnerability, but not based on its EPSS value.

While this is a good start, a vulnerability with medium severity but a high EPSS value might be more urgent to address than one with high severity but very low EPSS. If we alert on any medium severity issue, we might run into alert fatigue, rendering our efforts moot.

Proposed Behavior

I would like a new Condition added to Policies that allows operations on the EPSS. For example, you might configure it to only violate the Policy if the EPSS is greater than 0.5.

I could then combine this with a Severity Condition to, for example, alert me if a new Vulnerability is Severity medium and EPSS greater than 0.5.

This would allow our team to prioritise updates where they are likely to be an issue, while addressing less urgent applications or components later.

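The combination requested above, as an added illustration (not Dependency-Track code): each policy condition is a predicate evaluated against the same vulnerability, so a severity condition and an EPSS threshold can be ANDed per finding. The sample vulnerabilities, their EPSS scores and the helper names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Constructed sample data and helpers; not taken from Dependency-Track.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    severity: str
    epss: float  # EPSS probability of exploitation, 0.0 to 1.0


Condition = Callable[[Vulnerability], bool]


def severity_is(level: str) -> Condition:
    """Condition that matches exactly one severity level."""
    return lambda v: v.severity == level.upper()


def severity_at_least(level: str) -> Condition:
    """Condition that matches the given severity or anything more severe."""
    return lambda v: SEVERITY_RANK[v.severity] >= SEVERITY_RANK[level.upper()]


def epss_greater_than(threshold: float) -> Condition:
    """Condition that matches when the EPSS score exceeds the threshold."""
    return lambda v: v.epss > threshold


def violations(vulns: Iterable[Vulnerability], conditions: List[Condition]) -> List[str]:
    """Return ids of vulnerabilities for which every condition holds.

    All conditions are checked against one and the same vulnerability, which
    is what lets 'medium severity AND EPSS > 0.5' filter out low-EPSS noise.
    """
    return [v.vuln_id for v in vulns if all(cond(v) for cond in conditions)]


SAMPLE = [  # constructed findings, not real advisories
    Vulnerability("VULN-A", "MEDIUM", 0.72),
    Vulnerability("VULN-B", "HIGH", 0.01),
    Vulnerability("VULN-C", "MEDIUM", 0.03),
    Vulnerability("VULN-D", "CRITICAL", 0.94),
]

if __name__ == "__main__":
    print(violations(SAMPLE, [severity_is("MEDIUM")]))                          # ['VULN-A', 'VULN-C']
    print(violations(SAMPLE, [severity_is("MEDIUM"), epss_greater_than(0.5)]))  # ['VULN-A']
```

Severity alone flags both medium findings; adding the EPSS condition keeps only the one likely to be exploited, while the high-severity but low-EPSS finding can be scheduled later.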

nscuro commented 3 months ago

We can add an EPSS condition, however the current policy engine does not allow for multiple conditions targeting the exact same vulnerability. Some more details in #2673.

v5.x will ship with support for expressions, which will enable the desired behavior. Initial documentation for this can be found here: https://dependencytrack.github.io/hyades/0.4.0/usage/policy-compliance/expressions/

github-actions[bot] commented 2 months ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.