EPSS Support

[justin-lf]

Display exploitable CVE information EPSS values in Defect Dojo. EPSS in a column so CVEs can be sorted by.

Solutions:
Preferred: Cross reference CVE with EPSS database https://www.first.org/epss/data_stats.html so that any CVE imported gets updated with EPSS.

Minimum: Parse this information from reports ingested for example Dependency Track now provides epss values in the FFE
DependencyTrack/dependency-track#1178

[manuel-sommer]

@quirinziessler is DependencyTrack providing the info to DefectDojo with the current build?

[quirinziessler]

@manuel-sommer yes DependencyTrack exports the EPSS score in the FPF format. I opened a PR with the latest export to the samples repo.
DefectDojo/sample-scan-files#83

I am also supporting this idea. Imo the best way would be to add the EPSS similar to the CWE and CVE to the findings model. In a first step fetched from the scanner output and in the future automatically for all scanner that are providing a CVE upon enabling via settings. Somehow the second part should be also on the roadmap when implementing EPSS because the score is updated daily.

@Maffooch @mtesauro does this also make sense to you? Should we wait with this for the new major release or would you support a PR for this already now?

[manuel-sommer]

I guess you can make a PR @quirinziessler.
Maybe we can make a field which unifies EPSS and exploitability: #8423

[manuel-sommer]

Could we close this issue @mtesauro ?