aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Add Exploit Prediction Scoring System (EPSS) scores #850

Open pombredanne opened 2 years ago

pombredanne commented 2 years ago

See https://www.first.org/epss/ ... this is an interesting CVSS alternative scoring system. For data, the first link https://www.first.org/epss/data_stats links to https://epss.cyentia.com/ and https://epss.cyentia.com/epss_scores-current.csv.gz

Data license is per https://www.first.org/epss/#Usage-Agreement

Usage Agreement

EPSS is an emerging standard developed by a volunteer group of researchers, practitioners, academics and government personnel. We grant the use of EPSS scores freely to the public, subject to the conditions below. We reserve the right to update the model and these webpages periodically, as necessary, though we will make every attempt to provide sufficient notice to users in the event of material changes. While membership in the EPSS SIG is not required to use or implement EPSS, however, we ask that if you are using EPSS, that you provide appropriate attribution where possible. EPSS can be cited either from this website (e.g. "See EPSS at https://www.first.org/epss"), or as: Jay Jacobs, Sasha Romanosky, Benjamin Edwards, Michael Roytman, Idris Adjerid, (2021), Exploit Prediction Scoring System, Digital Threats Research and Practice, 2(3)

pombredanne commented 1 year ago

There is an API now at https://www.first.org/epss/api keyed by CVE
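The two data sources mentioned in this thread (the bulk `epss_scores-current.csv.gz` file and the per-CVE API) carry the same three values: a CVE id, the EPSS probability and its percentile. Below is an added example of how an importer could normalise both into one record; it is illustrative code written for this thread, not vulnerablecode's importer or anything from FIRST. It assumes the bulk CSV starts with a single `#model_version:...,score_date:...` comment line followed by a `cve,epss,percentile` header, and that the API documented at the link above (the `api.first.org/data/v1/epss` endpoint) returns a JSON object with a `status` field and a `data` list of objects carrying `cve`, `epss`, `percentile` and `date`. Both sample inputs are constructed for the example; the EPSS values in them are made up.

```python
import csv
import gzip
import io
import json
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Example code added for this issue thread; not vulnerablecode's own importer.
# Format assumptions (from the published EPSS data and API docs):
#   bulk CSV : "#model_version:vX,score_date:YYYY-MM-DD..." then "cve,epss,percentile"
#   API JSON : {"status": "OK", "data": [{"cve":..., "epss":..., "percentile":..., "date":...}]}

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class EpssScore:
    cve: str
    epss: float                   # probability of exploitation in the next 30 days, 0.0 to 1.0
    percentile: float             # share of all scored CVEs with a lower EPSS, 0.0 to 1.0
    score_date: Optional[date]    # date the score was computed, if the source carried one
    model_version: Optional[str]  # EPSS model version, only present in the bulk CSV header


def _unit_interval(name: str, raw: str) -> float:
    """Parse a score field and reject anything outside [0, 1] instead of storing garbage."""
    value = float(raw)
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} out of range: {raw!r}")
    return value


def _parse_date(raw: Optional[str]) -> Optional[date]:
    # The CSV header carries a full timestamp; only the calendar day matters here.
    return date.fromisoformat(raw[:10]) if raw else None


def _parse_meta(comment_line: str) -> Dict[str, str]:
    """Turn '#model_version:v2023.03.01,score_date:2024-01-02T00:00:00+0000' into a dict."""
    meta = {}
    for field in comment_line.lstrip("#").strip().split(","):
        key, _, value = field.partition(":")
        if key:
            meta[key.strip()] = value.strip()
    return meta


def parse_epss_csv(text: str) -> Dict[str, EpssScore]:
    """Parse the decompressed bulk CSV into a mapping keyed by CVE id."""
    lines = text.splitlines()
    meta = _parse_meta(lines.pop(0)) if lines and lines[0].startswith("#") else {}
    score_date = _parse_date(meta.get("score_date"))
    model_version = meta.get("model_version")
    scores: Dict[str, EpssScore] = {}
    for row in csv.DictReader(lines):
        cve = row["cve"].strip().upper()
        if not CVE_RE.match(cve):
            continue  # a malformed id must not become a lookup key
        scores[cve] = EpssScore(
            cve=cve,
            epss=_unit_interval("epss", row["epss"]),
            percentile=_unit_interval("percentile", row["percentile"]),
            score_date=score_date,
            model_version=model_version,
        )
    return scores


def parse_epss_csv_gz(blob: bytes) -> Dict[str, EpssScore]:
    """Parse the gzip-compressed bulk file exactly as it is downloaded."""
    with gzip.open(io.BytesIO(blob), mode="rt", encoding="utf-8") as fh:
        return parse_epss_csv(fh.read())


def parse_epss_api_response(payload: str) -> Dict[str, EpssScore]:
    """Parse one JSON response from the per-CVE API into the same record type."""
    doc = json.loads(payload)
    if doc.get("status") != "OK":
        raise ValueError(f"EPSS API returned status {doc.get('status')!r}")
    scores: Dict[str, EpssScore] = {}
    for item in doc.get("data", []):
        cve = str(item.get("cve", "")).strip().upper()
        if not CVE_RE.match(cve):
            continue
        scores[cve] = EpssScore(
            cve=cve,
            epss=_unit_interval("epss", item["epss"]),
            percentile=_unit_interval("percentile", item["percentile"]),
            score_date=_parse_date(item.get("date")),
            model_version=None,  # the API response does not state the model version
        )
    return scores


# Constructed sample inputs (values are made up for the example).
SAMPLE_CSV = """#model_version:v2023.03.01,score_date:2024-01-02T00:00:00+0000
cve,epss,percentile
CVE-2021-44228,0.97565,0.99990
CVE-2020-0001,0.00044,0.12345
not-a-cve,0.5,0.5
"""

SAMPLE_API_JSON = json.dumps({
    "status": "OK",
    "data": [{"cve": "CVE-2021-44228", "epss": "0.97565", "percentile": "0.99990", "date": "2024-01-02"}],
})


def sample_csv_gz() -> bytes:
    """The constructed CSV compressed the way the bulk download is served."""
    return gzip.compress(SAMPLE_CSV.encode("utf-8"))


if __name__ == "__main__":
    for record in parse_epss_csv_gz(sample_csv_gz()).values():
        print(record)
    print(parse_epss_api_response(SAMPLE_API_JSON)["CVE-2021-44228"])
```

Keeping `model_version` and `score_date` on each record matters for a database like this one: EPSS scores are recomputed daily and the model itself is revised, so a stored score is only meaningful together with the date and model that produced it.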

DennisClark commented 3 months ago

See this page for additional info: https://www.first.org/epss/api

pombredanne commented 3 months ago

Based on the initial review of https://github.com/nexB/vulnerablecode/pull/1481 we should refactor this to be a severity scoring instead: