Extended policy options to use EPSS+CISA KEV #3421
thomasw-AT
started this conversation in
Ideas
In version 4.10.1 it is not possible to create policy rules that consider the EPSS scores or percentiles. Therefore it would be nice to have filter options for this.
In addition, it would be nice if the CISA KEV information, which will be supported starting with 4.11, could be used for policy rules as well in the future.
Background:
Currently I'm using the logic from CVE_Prioritizer to achieve a better prioritization of vulnerabilities than just relying on the CVSS rating. With the mentioned additional filters, it would be possible to rebuild the same prioritization logic within Dependency-Track. Alternatively, integration of the whole analysis logic would be very nice, to calculate the prioritization directly within Dependency-Track. With CVSS, EPSS and CISA KEV, all relevant information would be there anyway once 4.11 is released.
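The following is an added example illustrating the kind of policy rules and prioritization the discussion asks for. It is not Dependency-Track's policy engine and not the CVE_Prioritizer project's code: the condition format (subject, operator, value, combined with AND), the tier names, the CVSS/EPSS thresholds and the sample findings are all assumptions constructed for this example. It shows how rules over EPSS probability, EPSS percentile and KEV membership can be evaluated alongside CVSS, and how the same three inputs collapse into a single priority tier.

```python
"""Policy rules over CVSS, EPSS and CISA KEV data (illustrative example).

Not Dependency-Track's own policy engine and not CVE_Prioritizer's code.
Rule format, tier names, thresholds and sample data are assumptions.
"""
import operator
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float             # CVSS base score, 0.0 to 10.0
    epss: float             # EPSS probability of exploitation, 0.0 to 1.0
    epss_percentile: float  # EPSS percentile, 0.0 to 1.0
    in_kev: bool            # listed in the CISA KEV catalog


# Comparison operators a condition may use (subset chosen for the example).
OPERATORS: Dict[str, Callable[[float, float], bool]] = {
    ">=": operator.ge, ">": operator.gt,
    "<=": operator.le, "<": operator.lt, "==": operator.eq,
}


@dataclass(frozen=True)
class Condition:
    subject: str  # "cvss", "epss", "epss_percentile" or "kev"
    op: str       # key of OPERATORS
    value: float  # for "kev", 1.0 means "is listed in KEV"

    def matches(self, f: Finding) -> bool:
        actual = {
            "cvss": f.cvss,
            "epss": f.epss,
            "epss_percentile": f.epss_percentile,
            "kev": 1.0 if f.in_kev else 0.0,
        }[self.subject]
        return OPERATORS[self.op](actual, self.value)


@dataclass(frozen=True)
class Policy:
    name: str
    conditions: Tuple[Condition, ...]  # all must match (AND semantics)
    violation: str                     # "FAIL", "WARN" or "INFO"


def violations(findings: List[Finding],
               policies: List[Policy]) -> List[Tuple[str, str, str]]:
    """Return (cve, policy name, violation level) for every matching rule."""
    out = []
    for f in findings:
        for p in policies:
            if all(c.matches(f) for c in p.conditions):
                out.append((f.cve, p.name, p.violation))
    return out


# Assumed thresholds for the tiering; consult CVE_Prioritizer's docs for its own.
CVSS_THRESHOLD = 6.0
EPSS_THRESHOLD = 0.2


def tier(f: Finding) -> str:
    """Collapse KEV, CVSS and EPSS into one priority tier (assumed scheme)."""
    if f.in_kev:
        return "Priority 1+"          # actively exploited: fix first
    high_cvss = f.cvss >= CVSS_THRESHOLD
    high_epss = f.epss >= EPSS_THRESHOLD
    if high_cvss and high_epss:
        return "Priority 1"
    if high_cvss:
        return "Priority 2"
    if high_epss:
        return "Priority 3"
    return "Priority 4"


# Constructed sample findings with placeholder identifiers, not real CVE data.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-A", 9.8, 0.95, 0.99, True),
    Finding("CVE-EXAMPLE-B", 7.5, 0.01, 0.30, False),
    Finding("CVE-EXAMPLE-C", 5.3, 0.45, 0.97, False),
    Finding("CVE-EXAMPLE-D", 4.0, 0.001, 0.10, False),
    Finding("CVE-EXAMPLE-E", 8.1, 0.60, 0.98, False),
]

SAMPLE_POLICIES = [
    Policy("Known exploited (KEV)", (Condition("kev", "==", 1.0),), "FAIL"),
    Policy("Likely exploited and severe",
           (Condition("epss_percentile", ">=", 0.95),
            Condition("cvss", ">=", 7.0)), "FAIL"),
    Policy("Elevated EPSS", (Condition("epss", ">=", 0.2),), "WARN"),
]


def run_example():
    return (violations(SAMPLE_FINDINGS, SAMPLE_POLICIES),
            {f.cve: tier(f) for f in SAMPLE_FINDINGS})


if __name__ == "__main__":
    found, tiers = run_example()
    for row in found:
        print("%-14s %-30s %s" % row)
    for cve, t in tiers.items():
        print(cve, t)
```

Note that the KEV rule fires on finding A even though its EPSS rule also fires; a practitioner would normally make the KEV rule the strongest (FAIL) so an exploited-in-the-wild vulnerability with a low CVSS score is never hidden behind a CVSS-only policy.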