DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Add Exploit Prediction for GitHub Advisories Vulnerabilities #4330

Open blackbrownco opened 4 weeks ago

blackbrownco commented 4 weeks ago

Current Behavior

Got vulnerabilities sourced from GitHub Advisories and the severities are listed on the "Audit Vulnerabilities" tab

[screenshot]

There are no Exploit Predictions for the vulnerabilities listed sourced from GitHub Advisories

[screenshot]

Proposed Behavior

EPSS can be shown for vulnerabilities sourced from GitHub Advisories


valentijnscholten commented 4 weeks ago

EPSS data is only available for CVEs. One possible improvement could be to use the EPSS score from the CVE if there is a CVE alias for a GHSA. Not sure if that would make sense, as currently they are treated completely separately regarding any data/fields.

blackbrownco commented 4 weeks ago

There is actually an EPSS on the GitHub advisory database [screenshot]

nscuro commented 4 weeks ago

GitHub will have them if the GHSA in question is linked to a CVE that has it. We can add support for assigning the EPSS scores from GitHub to GHSA vulns in DT.

I suggest we do this as part of #4291 since we are already going to switch API clients.
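The two approaches discussed in this thread, resolving a GHSA to its CVE alias and looking that CVE up in the FIRST EPSS feed, or taking the EPSS values GitHub already attaches to a CVE-linked advisory, as an added, self-contained example. This is illustration code, not Dependency-Track's implementation: the `Vulnerability` class, the function names, the GHSA identifiers and the EPSS rows are constructed for the example, and the shape of GitHub's `epss` object (`percentage`/`percentile`) is an assumption about the GitHub advisories API rather than something the thread confirms.

```python
"""
Added example (not Dependency-Track code): give a GHSA vulnerability an EPSS
score by following its CVE alias into the FIRST EPSS feed, or by reading the
EPSS object GitHub attaches to a CVE-linked advisory.
All names below are invented for illustration.
"""
import csv
from dataclasses import dataclass, field
from typing import Optional, Tuple, List, Dict

# Constructed sample in the layout of the FIRST EPSS CSV: one leading
# "#model_version..." comment line, then a cve,epss,percentile header.
EPSS_CSV = """\
#model_version:v2023.03.01,score_date:2024-11-01T00:00:00+0000
cve,epss,percentile
CVE-2024-0001,0.00043,0.09512
CVE-2024-0002,0.91234,0.99871
"""


@dataclass
class Vulnerability:
    vuln_id: str
    source: str                                   # "GITHUB" or "NVD"
    aliases: List[str] = field(default_factory=list)  # e.g. ["CVE-2024-0002"]
    epss_score: Optional[float] = None
    epss_percentile: Optional[float] = None


def load_epss(csv_text: str) -> Dict[str, Tuple[float, float]]:
    """Parse EPSS CSV into {CVE-ID: (score, percentile)}, skipping '#' comment lines."""
    rows = (line for line in csv_text.splitlines() if line and not line.startswith("#"))
    reader = csv.DictReader(rows)
    return {r["cve"].upper(): (float(r["epss"]), float(r["percentile"])) for r in reader}


def resolve_epss_for_ghsa(vuln: Vulnerability,
                          epss_by_cve: Dict[str, Tuple[float, float]]) -> Optional[Tuple[float, float]]:
    """
    Return (score, percentile) for a GHSA by looking up its CVE aliases.
    Only CVE-* aliases are consulted. If a GHSA aliases several CVEs, the
    highest score is taken so the advisory is not under-prioritised.
    Returns None when no alias has EPSS data (the case the issue reports).
    """
    candidates = [
        epss_by_cve[a.upper()]
        for a in vuln.aliases
        if a.upper().startswith("CVE-") and a.upper() in epss_by_cve
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda sp: sp[0])


def epss_from_github_advisory(advisory: dict) -> Optional[Tuple[float, float]]:
    """
    Read EPSS from a GitHub advisory record. ASSUMPTION: the record carries
    an "epss" object with "percentage" and "percentile" keys; absent or
    null when the GHSA is not linked to a scored CVE.
    """
    epss = advisory.get("epss")
    if not epss or epss.get("percentage") is None:
        return None
    return float(epss["percentage"]), float(epss["percentile"])


def enrich(vulns: List[Vulnerability],
           epss_by_cve: Dict[str, Tuple[float, float]]) -> int:
    """Fill EPSS fields on GHSA vulns that have a scored CVE alias; return how many were enriched."""
    enriched = 0
    for v in vulns:
        if v.source != "GITHUB" or not v.vuln_id.startswith("GHSA-"):
            continue
        hit = resolve_epss_for_ghsa(v, epss_by_cve)
        if hit is not None:
            v.epss_score, v.epss_percentile = hit
            enriched += 1
    return enriched


if __name__ == "__main__":
    table = load_epss(EPSS_CSV)
    # Constructed GHSA identifiers, not real advisories.
    vulns = [
        Vulnerability("GHSA-xxxx-xxxx-xxx1", "GITHUB", ["CVE-2024-0002"]),
        Vulnerability("GHSA-xxxx-xxxx-xxx2", "GITHUB", []),          # no CVE: stays blank
        Vulnerability("GHSA-xxxx-xxxx-xxx3", "GITHUB", ["CVE-2024-0001", "CVE-2024-0002"]),
    ]
    print(enrich(vulns, table), "enriched")
    for v in vulns:
        print(v.vuln_id, v.epss_score, v.epss_percentile)
```

Whichever source is used, a GHSA with no CVE alias still ends up without an EPSS score, so the UI should keep rendering that field as empty rather than as zero; an explicit `None` makes the two cases distinguishable.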