Adds a priority score to findings

[cat-passwd]

Description

Adding a priority score for project findings, following the formula: priorityScore = (1 + epss^0.5) * cvss.
CVSSv3 is preferred over CVSSv2 if present.
EPSS defaults to 0 when undefined.
The priority score itself defaults to zero when neither CVSSv3 nor CVSSv2 is available.

Addressed Issue

Implements #5348

Additional Details

View of the prioritization using this score (includes the respective frontend pull request):

Checklist

• I have read and understand the contributing guidelines
• This PR fixes a defect, and I have provided tests to verify that the fix is effective
• This PR implements an enhancement, and I have provided tests to verify that it works as intended
• This PR introduces changes to the database model, and I have added corresponding update logic
• This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

[owasp-dt-bot]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

[ptdropper]

I work in the medical device manufacturing space so severity and exploitability are considered carefully. My question is on the source of the formula you propose " priorityScore = (1 + epss^0.5) * cvss. CVSSv3 is preferred over CVSSv2 if present." From the design/develop/manufacture/ship perspective CVSSv2 is more expressive and valuable compared to v3. Can you comment on the formula and comment on the v2 and v3 proposal? From my perspective using multiple data sources as you suggest is excellent. My request would be to have a choice of the priorityScore formula for me the user to select or to implement on my own. The medical device standards groups are and have been struggling with the various ways to assess the scoring with many proposed ways to do so, and all of the formulas have issues so far. This is an on going effort in the standards bodies, where I participate by offering real world experience. Thanks.

[cat-passwd]

Thanks for your questions!

Rationale of the formula

Developed formula for clarity: priorityScore = cvss + epss^0.5 * cvss.

As you mentioned, establishing such a formula to prioritize vulnerability analysis is non-trivial, based on already estimated data and ultimately quite subjective, so I will describe the rationale behind it:

• A vulnerability of high CVSS should be prioritized at a significant degree (here 50% of the priority score) over a vulnerability of lower CVSS: "cvss + ".
• The likelihood of exploitation in the wild expressed by the EPSS should be weighted in relation to the CVSS of the vulnerability, with a heavy emphasis on vulnerability of high CVSS: "epss * cvss^2", which produces the same priority ranking as "epss^0.5 * cvss" but has clearer bounds of [0, 20], or [0, 10] in the absence of EPSS as its weight then represents at maximum 50% of the total priority score.

I also wanted to take KEV and public exploit into account but since this data is not currently available in Dependency Track, I refrained to integrate it into the formula. If this data is available in the future, the formula should be modified to use it. In my experimentations, I found substituting the EPSS by 1 in cases where the vulnerability was actively exploited matched my personal arbitrations.

While this is not perfect, I feel there is a need to have at least something better than only using severity (not CVSS) which is the current behavior, this is the main motivation behind this pull request. This was tested on our projects' vulnerabilities and after arbitration we found the output to be satisfying.

Of course, I'm very interested in any suggestion to better this approach and ultimately have a better formula.

CVSSv3 preferred over CVSSv2

I did not think very long on this matter, which may be an error on my part. I decided on this selection from two main reasons:

• For new vulnerabilities, CVSSv2 tends to be much less often populated than CVSSv3.
• In the vulnerability view of Dependency Track, the CVSSv3 score is already displayed in priority over the CVSSv2 score when both are present. Below, an example of this view with CVE-2019-3466 which has a CVSSv2 of 7.2 and a CVSSv3 of 7.8:

[retanoj]

Combining EPSS and CVSS scores as vulnerability priority is a good idea. At the same time, KEV data should be included (KEV can be simply considered as EPSS = 1.0), and vulnerability priority should be used to calculate metrics instead of CVSS ratings.

Here, I propose using ratings instead of scores, which helps to maintain conceptual consistency with CVSS ratings.

[cat-passwd]

Hi @retanoj !

Thanks for your interest on this matter, I agree with your assessment regarding the importance of using the KEV, emulating an EPSS of 1.0 when a vulnerability is included in it:

If this data is available in the future, the formula should be modified to use it. In my experimentations, I found substituting the EPSS by 1 in cases where the vulnerability was actively exploited matched my personal arbitrations.

However, I don't understand your proposition of using ratings instead of scores. In particular, you mention "CVSS ratings" which surprises me since CVSS stands for "Common Vulnerability Scoring System", clearing meant to output a score and not a rating.

Could you please clarify on this last point?

[retanoj]

Hi @cat-passwd
Thx for your reply.

I know that CVSS is a score system and it maps score ranges to different rating.
I think it would be ideal if EPSS could be mapped to a factor in CVSS, thus influencing the CVSS score. But that's really not feasible.
Alternatively, could we find a formula that incorporates EPSS and CVSS without altering the CVSS rating range, thus enabling the application of the CVSS rating?