Introduce support for EPSS (GSOC 2023)

[anthonyharrison]

POTENTIAL GSOC2023 Idea (#2230)

To compliment the CVSS score, FIRST have released the Exploit Prediction Scoring System (EPSS). There is an API which can be used to download the data in JSON format and also a daily download of the data in CSV format.

Would be useful to add this data and report this as part of the vulnerability information with the CVSS score.

Will need to ensure appropriate attribution is made.

Suggested implementation:

• Update database schema to include EPSS data for each CVE
• Add EPSS as a new data source. Ensure it only downloads no more than once every 24 hours.
• Update database query for each CVE to retrieve EPSS data
• Update output reports to include EPSS data
• Add extra CLI commands to complient CVSS commands to filter on EPSS scores (default is all values)
• Update documentation, tests etc

There is the potential to link this with the exploit data which is currently downloaded (Note - need to add attribution to this - It is called KEV (Known Exploited Vulnerabilities)

[galoget]

Hi @anthonyharrison and @terriko

I am interested in working on this as part of GSOC 2023. 😊

Please, let me know the following steps. Thank You!

[terriko]

@galoget Check out our "GSoC 2023 start here" guide -- the next steps are all in there!

[galoget]

Thanks @terriko. Already checked that. Now I am doing some brainstorming to prepare my project proposal based on ideas described here to add support to EPSS.

[terriko]

Making it clear for others since we've talked about claiming issues a bit lately:

GSoC issues can't be "claimed" the way regular issues can. What happens here is that multiple people can submit applications to work on this idea through google summer of code (the contributor applications aren't open yet, but it'll go through the https://summerofcode.withgoogle.com system). After the system closes, we review the applications in the system and select applicants through there. It's more like a job opening or a contest than our regular issues, so don't be intimidated if someone else comments first or seems to be working on it -- we expect to get multiple applications for each idea, and we'll rank them and choose the top applicants from the pool after the application period closes. I think I currently have more ideas listed than we have mentors for, so it's likely we won't "hire" for every idea this year.

[terriko]

This was completed in summer 2023 and can now be closed.