
Conversation

@cat-passwd

Description

Adding a priority score for project findings, following the formula: priorityScore = (1 + epss^0.5) * cvss.
CVSSv3 is preferred over CVSSv2 if present.
EPSS defaults to 0 when undefined.
The priority score itself defaults to zero when neither CVSSv3 nor CVSSv2 is available.

Addressed Issue

Implements #5348

Additional Details

View of the prioritization using this score (includes the respective frontend pull request):
(screenshot: dependency-track-more-vulnerabilty-properties-prioritization)

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

@owasp-dt-bot

owasp-dt-bot commented Sep 29, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

Implements DependencyTrack#5348

Signed-off-by: Antoine FELIX <pro@antoine-felix.fr>
@ptdropper

I work in the medical device manufacturing space so severity and exploitability are considered carefully. My question is on the source of the formula you propose: "priorityScore = (1 + epss^0.5) * cvss. CVSSv3 is preferred over CVSSv2 if present." From the design/develop/manufacture/ship perspective CVSSv2 is more expressive and valuable compared to v3. Can you comment on the formula and comment on the v2 and v3 proposal? From my perspective using multiple data sources as you suggest is excellent. My request would be to have a choice of the priorityScore formula for me the user to select or to implement on my own. The medical device standards groups are and have been struggling with the various ways to assess the scoring with many proposed ways to do so, and all of the formulas have issues so far. This is an ongoing effort in the standards bodies, where I participate by offering real world experience. Thanks.

@cat-passwd
Author

Thanks for your questions!

Rationale of the formula

Developed formula for clarity: priorityScore = cvss + epss^0.5 * cvss.

As you mentioned, establishing such a formula to prioritize vulnerability analysis is non-trivial, based on already estimated data and ultimately quite subjective, so I will describe the rationale behind it:

  • A vulnerability of high CVSS should be prioritized at a significant degree (here 50% of the priority score) over a vulnerability of lower CVSS: "cvss + ".
  • The likelihood of exploitation in the wild expressed by the EPSS should be weighted in relation to the CVSS of the vulnerability, with a heavy emphasis on vulnerability of high CVSS: "epss * cvss^2", which produces the same priority ranking as "epss^0.5 * cvss" but has clearer bounds of [0, 20], or [0, 10] in the absence of EPSS as its weight then represents at maximum 50% of the total priority score.

I also wanted to take KEV and public exploits into account, but since this data is not currently available in Dependency Track, I refrained from integrating it into the formula. If this data becomes available in the future, the formula should be modified to use it. In my experiments, I found that substituting the EPSS by 1 in cases where the vulnerability was actively exploited matched my personal arbitrations.

While this is not perfect, I feel there is a need to have at least something better than only using severity (not CVSS), which is the current behavior; this is the main motivation behind this pull request. This was tested on our projects' vulnerabilities and after arbitration we found the output to be satisfying.

Of course, I'm very interested in any suggestion to better this approach and ultimately have a better formula.

CVSSv3 preferred over CVSSv2

I did not think very long on this matter, which may be an error on my part. I decided on this selection for two main reasons:

  • For new vulnerabilities, CVSSv2 tends to be much less often populated than CVSSv3.
  • In the vulnerability view of Dependency Track, the CVSSv3 score is already displayed in priority over the CVSSv2 score when both are present. Below, an example of this view with CVE-2019-3466 which has a CVSSv2 of 7.2 and a CVSSv3 of 7.8:
(screenshot: cvssv3-over-cvssv2-vuln-view)
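The scoring rule described in the PR description and in the rationale above (CVSSv3 preferred over CVSSv2, EPSS defaulting to 0, score 0 without any CVSS), as an added Python illustration that is not the PR's own Java code. The CVSS values for CVE-2019-3466 are the ones quoted in the thread; every EPSS value and the other finding names are constructed for the example.

```python
"""priorityScore = (1 + epss**0.5) * cvss, as proposed in the PR discussion.

Added illustration, not the project's implementation. Sample EPSS values are
constructed; the CVE-2019-3466 CVSS values are the ones quoted in the thread.
"""
from dataclasses import dataclass
from math import sqrt
from typing import List, Optional


@dataclass
class Finding:
    name: str
    cvss_v2: Optional[float] = None  # 0..10, or None when not published
    cvss_v3: Optional[float] = None  # 0..10, or None when not published
    epss: Optional[float] = None     # 0..1, or None when not yet scored


def effective_cvss(f: Finding) -> Optional[float]:
    """CVSSv3 is preferred; fall back to CVSSv2; None when neither exists."""
    return f.cvss_v3 if f.cvss_v3 is not None else f.cvss_v2


def priority_score(f: Finding) -> float:
    """(1 + sqrt(epss)) * cvss, bounded to [0, 20]; 0 when no CVSS is known."""
    cvss = effective_cvss(f)
    if cvss is None:
        return 0.0
    epss = 0.0 if f.epss is None else f.epss  # EPSS defaults to 0
    if not 0.0 <= cvss <= 10.0 or not 0.0 <= epss <= 1.0:
        raise ValueError(f"{f.name}: CVSS must be in [0,10] and EPSS in [0,1]")
    return (1.0 + sqrt(epss)) * cvss


def rank(findings: List[Finding]) -> List[str]:
    """Finding names ordered by descending priority score (CVSS breaks ties)."""
    key = lambda f: (priority_score(f), effective_cvss(f) or 0.0)
    return [f.name for f in sorted(findings, key=key, reverse=True)]


# Constructed sample set; only the CVE-2019-3466 CVSS values come from the thread.
SAMPLE = [
    Finding("CVE-2019-3466", cvss_v2=7.2, cvss_v3=7.8, epss=0.04),  # -> 9.36 (v3 used)
    Finding("v2-only-exploited", cvss_v2=5.0, epss=0.81),           # -> 9.5
    Finding("critical-no-epss", cvss_v3=9.8),                        # -> 9.8
    Finding("no-cvss-at-all", epss=0.9),                             # -> 0.0
]

if __name__ == "__main__":
    for name in rank(SAMPLE):
        f = next(x for x in SAMPLE if x.name == name)
        print(f"{name:20s} cvss={effective_cvss(f)} epss={f.epss} score={priority_score(f):.2f}")
```

Note that the EPSS term lifts the CVSSv2-only finding (score 9.5) above CVE-2019-3466 (9.36) even though its CVSS is lower, which is the ranking change the formula is meant to produce.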
