🎉 introducing EPSS score

[quirinziessler]

This PR adds the EPSS score & EPSS percentile to the Django findings model. EPSS score is listed in the findings page as well at the findings detail page.
The EPSS score is part of the export of many scanners. I updated the import for DT for a first step.

related issues: #6878 #8423

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[quirinziessler]

@kiblik do you may know how to fix this error? Column count is same in both thead and thbody. I don't have a clue why this issue comes up.

[dogboat]

Looks good, just a few thoughts and questions!

[kiblik]

@kiblik do you may know how to fix this error? Column count is same in both thead and thbody. I don't have a clue why this issue comes up.

Absolutely no idea

[quirinziessler]

Thanks for your input everyone! I will update the PR with the requested changes in the upcoming days.

[quirinziessler]

@kiblik do you may know how to fix this error? Column count is same in both thead and thbody. I don't have a clue why this issue comes up.

Absolutely no idea

Mmh okay. But anyway thanks!
@mtesauro could you maybe help me here? Did this may already happen in the past?

[quirinziessler]

@dogboat just saw your PR #9520 - does it make sense to continue here?

[mtesauro]

@quirinziessler

@dogboat just saw your PR #9520 - does it make sense to continue here?

You could certainly keep the parser portion of this PR and let dogboat's PR handle getting the models/views updated.

[italvi]

@quirinziessler, @manuel-sommer Is this really the desired use of EPSS? Should not we use the REST-API with a daily cron job to get always the most current scores - the EPSS is getting updated on a daily basis. I already created this for DefectDojo but due to the feature freeze I did not create a PR, as this would add additional fields to the findings model.

[manuel-sommer]

@italvi I like your idea. How about making a PR against this PR to help here directly with improvements or make a followup PR as additional improvements?

[quirinziessler]

@italvi basically I am the same opinion as you and also planned to provide a follow-up PR for this. I also mentioned this in the issue to this PR #6878. If you already prepared something to run the import on a cron-base please open up a PR.

In my eyes the daily update should be optional and not mandatory, managed via settings. Also the initial EPSS should come from the scanner to keep the import process as fast as possible, providing a good UX and not to rely on the FIRST API. Thats why I created this PR and PRs for all scanners that have a epss value in the provided unittest files based on this one.

[quirinziessler]

@Maffooch @grendel513 @devGregA @blakeaowens @cneill @dsever Could you please review this PR and share your opinions? I would be very happy if we could make this part of the next release.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[dryrunsecurity]

Contextual Security Analysis

As DryRun Security performs checks, we’ll summarize them here. You can always dive into the detailed results in the section below for checks.

Status	DryRun Security Check
✅	Sensitive Functions Analyzer
❌	Configured Sensitive Files Analyzer
✅	Sensitive Files Analyzer

Chat with your AI-powered Security Buddy by typing @dryrunsecurity followed by your question into a comment.
Example: @dryrunsecurity What are common security issues with web application cookies?

Install and configure more repositories at DryRun Security

[manuel-sommer]

@cneill could you please take a look at this PR and approve + merge it?

[manuel-sommer]

@Maffooch could you take a look at this PR and merge it?

[mtesauro]

@quirinziessler

In my eyes the daily update should be optional and not mandatory, managed via settings. Also the initial EPSS should come from the scanner to keep the import process as fast as possible, providing a good UX and not to rely on the FIRST API. Thats why I created this PR and PRs for all scanners that have a epss value in the provided unittest files based on this one.

About this ^ above, since the frequency that users of DefectDojo want to update EPSS can vary widely, the best method to do this would be to write a job outside of DeefctDojo (cron, scheduled task, CICD run, whatever) that pulls in EPSS scores and updates them using the existing REST APIs.

From talking with other core moderators, this is similar to other efforts in DefectDojo where there's no one "RIGHT" answer and a great of back and forth happens, none of which are technically wrong, they are opinions. Docker compose went round and round until we finally just decided on what we have today.

If DefectDojo can provide a means of people to use it in a way that fit's their needs, I think the job is done. We've worked really hard over the years to make sure DefectDojo didn't force its users to do things the "DefectDojo way" but instead was flexible enough to adapt to their needs.

HTH

[quirinziessler]

@mtesauro Thanks for looking into it and providing feedback about this. It helps me a lot.

I was thinking about this also the last couple of days and how to best handle it. Lastly I got to the same point as you and plan to provide some simple script that can handle this. When the times come I will share it and also provide a short doc for everyone to use it. But first of all it's important to support the basic functionallity in DD, which means this PR.

I also want to take this moment to say thank you to all of you for the effort you are putting into this project. DefectDojo is a very useful tool for me and I love to help you building it even better.