
Allow Policies to have rules based on EPSS values #3703

Closed
2 tasks done
wnmzzzz opened this issue May 14, 2024 · 1 comment · Fixed by #3746
Labels
enhancement New feature or request good first issue Good for newcomers p3 Nice-to-have features size/S Small effort
Milestone

Comments

@wnmzzzz

wnmzzzz commented May 14, 2024

Current Behavior

We are using Policies to trigger notifications about Issues that need to be urgently addressed.

A Policy can be defined based on the Severity of a Vulnerability, but not based on its EPSS value.

While this is a good start, a vulnerability with medium severity but a high EPSS value might be more urgent to address than one with high severity but very low EPSS. If we alert on any medium severity issue, we might run into alert fatigue, rendering our efforts moot.

Proposed Behavior

I would like a new Condition added to Policies that allows operations on the EPSS. For example, you might configure it to only violate the Policy if the EPSS is greater than 0.5.

I could then combine this with a Severity Condition to, for example, alert me if a new Vulnerability is Severity medium and EPSS greater than 0.5.

This would allow our team to prioritise updates where they are likely to be an issue, while addressing less urgent applications or components later.

Checklist

@wnmzzzz wnmzzzz added the enhancement New feature or request label May 14, 2024
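As an added illustration of the requested behaviour (example code written for this page, not Dependency-Track's own code or its policy engine): a minimal policy evaluator that supports a severity condition and an EPSS condition and evaluates every condition of a policy against the same vulnerability, so that "medium severity AND EPSS > 0.5" fires on the likely-exploited medium finding but not on a high finding with a near-zero EPSS. The class names `Policy`, `Condition`, `Severity`, the operator set, the handling of a missing EPSS score and the sample vulnerabilities are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, List, Optional, Tuple, Union


class Severity(IntEnum):
    """Severity ranking used for comparisons (a constructed ordering, not the project's enum)."""
    UNASSIGNED = 0
    INFO = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    CRITICAL = 5


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    severity: Severity
    epss: Optional[float]  # EPSS probability in [0, 1]; None when no score has been published


# Comparison operators a condition may use (constructed set for this example).
OPERATORS: Dict[str, Callable[[float, float], bool]] = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
}


@dataclass(frozen=True)
class Condition:
    subject: str                   # "severity" or "epss"
    operator: str                  # one of OPERATORS
    value: Union[Severity, float]  # threshold to compare against

    def matches(self, vuln: Vulnerability) -> bool:
        compare = OPERATORS[self.operator]
        if self.subject == "severity":
            return compare(vuln.severity, self.value)
        if self.subject == "epss":
            # No published EPSS score: treat as unknown and never as a match, so a
            # missing score does not page anyone on its own (design choice of this example).
            if vuln.epss is None:
                return False
            return compare(vuln.epss, self.value)
        raise ValueError(f"unsupported condition subject: {self.subject}")


@dataclass(frozen=True)
class Policy:
    name: str
    conditions: Tuple[Condition, ...]
    operator: str = "ALL"  # ALL: every condition must match; ANY: at least one must match

    def violated_by(self, vuln: Vulnerability) -> bool:
        # All conditions are checked against the *same* vulnerability, which is what
        # makes combining a severity condition with an EPSS condition meaningful.
        results = [c.matches(vuln) for c in self.conditions]
        return all(results) if self.operator == "ALL" else any(results)


def evaluate(policies: List[Policy], vulns: List[Vulnerability]) -> Dict[str, List[str]]:
    """Return, per policy name, the ids of the vulnerabilities that violate it."""
    return {p.name: [v.vuln_id for v in vulns if p.violated_by(v)] for p in policies}


# Constructed sample data (not real vulnerability records).
SAMPLE_VULNS = [
    Vulnerability("VULN-A", Severity.MEDIUM, 0.72),    # medium, but likely to be exploited
    Vulnerability("VULN-B", Severity.HIGH, 0.01),      # high, but rarely exploited
    Vulnerability("VULN-C", Severity.MEDIUM, 0.02),    # medium and rarely exploited
    Vulnerability("VULN-D", Severity.CRITICAL, None),  # critical, no EPSS score published
]

SAMPLE_POLICIES = [
    # The combination asked for in the issue: medium severity AND EPSS above 0.5.
    Policy("medium-and-likely-exploited", (
        Condition("severity", "==", Severity.MEDIUM),
        Condition("epss", ">", 0.5),
    )),
    # A severity-only rule; note that it fires on VULN-B regardless of its EPSS.
    Policy("high-or-above", (Condition("severity", ">=", Severity.HIGH),)),
    # A pure EPSS rule: exploitation probability of at least 50%, whatever the severity.
    Policy("exploit-likely", (Condition("epss", ">=", 0.5),)),
]


if __name__ == "__main__":
    for name, ids in evaluate(SAMPLE_POLICIES, SAMPLE_VULNS).items():
        print(f"{name}: {ids}")
```

Running it lists VULN-A under both `medium-and-likely-exploited` and `exploit-likely`, while `high-or-above` lists VULN-B and VULN-D; the low-EPSS medium finding VULN-C triggers nothing, which is the alert-fatigue reduction the issue is after. VULN-D shows the caveat worth deciding up front: a vulnerability with no EPSS score yet is deliberately never matched by an EPSS condition here, so a severity-only policy is still needed to catch it.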
@nscuro
Member

nscuro commented May 14, 2024

We can add an EPSS condition, however the current policy engine does not allow for multiple conditions targeting the exact same vulnerability. Some more details in #2673.

v5.x will ship with support for expressions, which will enable the desired behavior. An initial documentation for this can be found here: https://dependencytrack.github.io/hyades/0.4.0/usage/policy-compliance/expressions/

@nscuro nscuro added p3 Nice-to-have features good first issue Good for newcomers size/S Small effort labels May 14, 2024
@nscuro nscuro added this to the 4.12 milestone May 23, 2024