
Import EPSS data from Anchore Grype scans #12639


Open: wants to merge 1 commit into dev

Conversation

bwt-sloanj

Description

Grype added EPSS metrics in v0.92.0, see:
https://github.com/anchore/grype/releases/tag/v0.92.0

Adds EPSS support with a test based on the same busybox image used in anchore_grype/no_vuln.json.

Also removes the hardcoded CWE value as Grype does not support CWE data.

Test results

Adds unittests.tools.test_anchore_grype_parser.TestAnchoreGrypeParser.test_grype_epss_values.

Modifies unittests.tools.test_anchore_grype_parser.TestAnchoreGrypeParser.test_check_all_fields to reflect CWE change.

Fixes typo in unittests.tools.test_anchore_grype_parser.TestAnchoreGrypeParser.test_grype_parser_with_one_critical_vuln_has_one_findings.

Documentation

Updates documentation with information on scanning SBOMs and newer style of getting Grype JSON output written to file.

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is ruff compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.


DryRun Security

This pull request contains a minor input validation weakness in the get_epss_values method of the Anchore Grype parser, where comprehensive input validation for EPSS scores is not fully implemented, though the current implementation is considered non-blocking and passes the risk threshold.

Input Validation Weakness in dojo/tools/anchore_grype/parser.py
Vulnerability: Input Validation Weakness
Description: The get_epss_values method lacks comprehensive input validation when parsing EPSS scores from external JSON data. While the method uses a try-except block to handle type conversion, it does not perform explicit validation of the EPSS score and percentile values' format, range, or content. This could potentially allow malformed input to be processed without sufficient checks.

```python
# Excerpt of dojo/tools/anchore_grype/parser.py as quoted by the review. The first
# two and the last three lines belong to neighbouring methods and are context only.
        return vector
    return None

def get_epss_values(self, vuln_id, epss_list):
    # epss_list is the EPSS list taken from Grype's JSON output; return the
    # (score, percentile) pair of the entry whose "cve" matches vuln_id.
    if isinstance(epss_list, list):
        for epss_data in epss_list:
            if epss_data.get("cve") != vuln_id:
                continue
            try:
                epss_score = float(epss_data.get("epss"))
                epss_percentile = float(epss_data.get("percentile"))
            except (TypeError, ValueError):
                pass  # value missing or not convertible: keep scanning the list
            else:
                return epss_score, epss_percentile
    return None, None

def get_vulnerability_ids(self, vuln_id, related_vulnerabilities):
    vulnerability_ids = []
    if vuln_id:
```

All finding details can be found in the DryRun Security Dashboard.

@valentijnscholten valentijnscholten added this to the 2.48.0 milestone Jun 20, 2025
@Maffooch Maffooch requested a review from hblankenship June 24, 2025 02:45
@mtesauro mtesauro (Contributor) left a comment


Approved
