OSV Vulnerability Alerts: Enhance to include Known Exploted Vulnerability (KEV) indication

[setchy]

Tell us more.

We currently make heavy use of the osvVulnerabilityAlerts feature - it's great!

A nice enhancement to this would be enhancing the OSV information with whether the Vulnerability is part of a Known Exploited Vulnerability (KEV) catalog (sources could be CISA KEV or VulnCheck KEV)

[setchy]

@Churro @rarkins - curious on your initial thoughts re this idea

[Churro]

I find the information in CISA KEV a very valuable source for vulnerability prioritization. At this point, I'm not convinced that an integration with renovate would bring notable benefits:

• OSS makes up only ~3-5% of all entries in KEV. This is less related to the fact that vulns in those deps are barely exploited but the overall idea of KEV (gov agencies urge known vendors for updates -> lower remediation timeframe if vuln is actively exploited).
• Since OSV crawls vulnerabilities from different sources, not all of them have a CVE id, which is a prerequisite for being listed in KEV.
• Advisories in OSV reference 1:n vulnerable PURLs or GIT repos. Assuming a CVE alias exists and shows up in KEV, it isn't possible to backtrack if an exploit specifically relates to the dependency renovate has extracted.
• By default, renovate distinguishes security fix PRs from others with a [security] prefix. As this makes them stand out already, I'm not sure if additional emphasis is really necessary.

[setchy]

Appreciate the thorough response @Churro. spot on.

We were thinking of complimenting our current [security-{{severity}}] PR prefix/suffix with a label indicating whether it's exploitable or not. ie: [security-high] vs [security-high-kev]

[setchy]

We also recently switched our datasource from CISA KEV to VulnCheck KEV and it had a positive impact on reporting KEVs