anchore / vunnel

Tool for collecting vulnerability data from various sources (used to build the grype database)
Apache License 2.0

add exploit \ epss for cves #632

Open TimBrown1611 opened 1 month ago

TimBrown1611 commented 1 month ago

What would you like to be added:
for each CVE provide also the EPSS score based on this - https://www.first.org/epss/

Why is this needed:
better calculate the risk for each CVE

Additional context:

spiffcs commented 1 month ago

👋 Hey @TimBrown1611 thanks so much for the issue -

Here is a quick summary of what we can currently do: https://anchorecommunity.discourse.group/t/seeking-short-form-video-ideas/22/8

Above is a link to our discourse where we experimented with a few ways of matching the EPSS data to the grype results to get some kind of separate view of the vulnerability results.

Here we took a bucket of SBOMs from the top 100 images on Docker Hub and sliced them against only showing vulnerabilities that were in the 0.995th percentile marker for EPSS data downloaded on 2024-06-03.

We're also looking at views that show trend lines over multiple days of epss data. Look for that in a blog post from Anchore coming soon.

As to WHEN this will be available as data in the published grype-db, and not something users need to match AFTER the fact, I defer to @wagoodman, who is working on the schema v6 for grype currently.

Thanks for the enhancement request!
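As an added example (not vunnel's or grype's own code), here is the after-the-fact matching the comment above describes: join grype JSON output with the EPSS CSV that FIRST publishes (comment header, then `cve,epss,percentile`) and keep only matches at or above a percentile cutoff. The EPSS rows and the grype output are constructed sample data, with the grype JSON trimmed to the `matches[].vulnerability` and `artifact` fields the join needs; CVEs that EPSS has not scored yet are kept and flagged rather than silently dropped.

```python
import csv
import io
import json

# Constructed sample in the layout of FIRST's published EPSS CSV:
# a '#' metadata line, then cve,epss,percentile. Values are made up.
EPSS_CSV = """#model_version:v2023.03.01,score_date:2024-06-03T00:00:00+0000
cve,epss,percentile
CVE-2021-44228,0.97565,0.99995
CVE-2023-12345,0.00042,0.08132
CVE-2022-22965,0.97471,0.99983
CVE-2019-00001,0.12000,0.95000
"""

# Constructed, trimmed grype JSON output (only the fields used below).
GRYPE_JSON = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2021-44228", "severity": "Critical"},
         "artifact": {"name": "log4j-core", "version": "2.14.1"}},
        {"vulnerability": {"id": "CVE-2023-12345", "severity": "Medium"},
         "artifact": {"name": "libfoo", "version": "1.0"}},
        {"vulnerability": {"id": "CVE-2019-00001", "severity": "High"},
         "artifact": {"name": "libbar", "version": "2.3"}},
        {"vulnerability": {"id": "CVE-2024-99999", "severity": "Low"},
         "artifact": {"name": "libbaz", "version": "0.1"}},
    ]
})


def load_epss(text):
    """Parse EPSS CSV text into {cve: (epss, percentile)}, skipping '#' lines."""
    rows = csv.DictReader(l for l in io.StringIO(text) if not l.startswith("#"))
    return {r["cve"]: (float(r["epss"]), float(r["percentile"])) for r in rows}


def enrich_matches(grype_json, epss, min_percentile=0.995):
    """Join grype matches with EPSS; keep rows at/above the percentile cutoff.
    Unscored CVEs (no EPSS entry yet) are kept with None so the gap is visible."""
    kept = []
    for m in json.loads(grype_json)["matches"]:
        cve = m["vulnerability"]["id"]
        score, pct = epss.get(cve, (None, None))
        if pct is None or pct >= min_percentile:
            kept.append({"cve": cve, "package": m["artifact"]["name"],
                         "severity": m["vulnerability"]["severity"],
                         "epss": score, "percentile": pct})
    # Highest percentile first; unscored rows sort to the end.
    return sorted(kept, key=lambda r: -(r["percentile"] or 0))
```

Pointing `load_epss` at the real `epss_scores-YYYY-MM-DD.csv` and `enrich_matches` at `grype <image> -o json` output gives the same percentile slice the comment describes, with a per-day file making the trend view a matter of re-running the join.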