- Name: Sukhveer Singh (@Rexbeast2)
- Organization: Python Software Foundation
- Sub-organization: CVE Binary Tool
- Project: Introduce support for EPSS
- Proposal: View/Download
While CVE Bin Tool has played a vital role in identifying and assessing vulnerabilities through the Common Vulnerability Scoring System (CVSS), it has become evident that a more comprehensive and nuanced approach is needed to address the dynamic nature of cyber threats. The limitations of relying solely on CVSS scores have become apparent: they fail to capture the interplay between vulnerability severity and the likelihood of exploitation. This discrepancy has led to challenges in prioritizing remediation efforts, allocating resources effectively, and staying ahead of rapidly evolving threat vectors.
The integration of the Exploit Probability Scoring System (EPSS) addresses this gap by introducing a probabilistic element that quantifies the likelihood of exploitation, providing a more accurate representation of vulnerability risk.
EPSS does this by evaluating the likelihood of a vulnerability being exploited, considering factors such as historical attack patterns, attacker motivation, and system context. By quantifying the probability of exploitation, EPSS provides a more holistic view of risk, which can significantly improve the accuracy of vulnerability prioritization and resource allocation. The EPSS model produces a probability score between 0 and 1 (0% to 100%); the higher the score, the greater the probability that a vulnerability will be exploited. For more information, see the FIRST EPSS page (https://www.first.org/epss/).
Previously, the database schema for CVE-Bin-Tool consisted of a three-table structure. One table held information about CVE severity, another stored CVE details, and the third contained CVE exploits. However, this structure proved hard to extend. As a result, a transition was made to a new, more comprehensive five-table schema, which introduced two additional tables: metric and cve-metric. The metric table holds the various types of metrics that CVE-Bin-Tool supports, while the cve-metric table establishes the relationship between each CVE and its corresponding metric values. This updated structure provides future-proof flexibility, allowing not only for EPSS metrics but also for the incorporation of other metrics down the line.
The integration of EPSS metrics into CVE-Bin-Tool involved four primary phases:
- Phase 1: Downloading and storing EPSS data within CVE-Bin-Tool.
- Phase 2: Modifying queries to retrieve results incorporating EPSS metrics.
- Phase 3: Enhancing the existing output formats of CVE-Bin-Tool (console, PDF, HTML, JSON, and CSV) to include EPSS metrics.
- Phase 4: Introducing two distinct filters to CVE-Bin-Tool: the EPSS Probability Filter, which displays only results meeting a specified minimum probability threshold, and the EPSS Percentile Filter, which displays only results above a designated percentile threshold.
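The following is an added example (not cve-bin-tool's own code) that walks through the schema change and the filters described above in one piece: a severity table plus a generic metric table and a CVE-to-metric link table, an EPSS loader that parses text in the shape of the FIRST EPSS CSV feed and range-checks the values before storing them, and a parameterised query that applies the probability and percentile thresholds. The table and column names, the sample CVEs and the EPSS values are all my assumptions, constructed for the demonstration; they are modelled on the five-table description, not copied from the project.

```python
import csv
import sqlite3

# Constructed sample in the shape of the FIRST EPSS CSV feed: a '#' header line,
# then cve,epss,percentile rows. The scores are made up for this example.
SAMPLE_EPSS_CSV = """#model_version:vEXAMPLE,score_date:2023-08-01T00:00:00+0000
cve,epss,percentile
CVE-2021-0001,0.97,0.999
CVE-2021-0002,0.05,0.80
CVE-2021-0003,0.0008,0.30
"""

# Constructed severity rows: (cve_number, severity, cvss_score).
# CVE-2021-0004 has no EPSS row so the query must cope with a missing metric.
SAMPLE_CVES = [
    ("CVE-2021-0001", "CRITICAL", 9.8),
    ("CVE-2021-0002", "HIGH", 7.5),
    ("CVE-2021-0003", "HIGH", 8.1),
    ("CVE-2021-0004", "LOW", 3.1),
]


def build_db() -> sqlite3.Connection:
    """Create the severity table plus the two metric tables (assumed names)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE cve_severity (
            cve_number TEXT PRIMARY KEY,
            severity   TEXT,
            score      REAL
        );
        -- one row per metric kind: EPSS today, other metrics later
        CREATE TABLE metrics (
            metrics_id   INTEGER PRIMARY KEY,
            metrics_name TEXT UNIQUE
        );
        -- one row per (CVE, metric kind); for EPSS, metrics_score holds the
        -- probability and metrics_field holds the percentile
        CREATE TABLE cve_metrics (
            cve_id        TEXT,
            metrics_id    INTEGER,
            metrics_score REAL,
            metrics_field REAL,
            PRIMARY KEY (cve_id, metrics_id),
            FOREIGN KEY (cve_id) REFERENCES cve_severity(cve_number),
            FOREIGN KEY (metrics_id) REFERENCES metrics(metrics_id)
        );
        INSERT INTO metrics (metrics_id, metrics_name) VALUES (1, 'EPSS');
        """
    )
    conn.executemany("INSERT INTO cve_severity VALUES (?, ?, ?)", SAMPLE_CVES)
    return conn


def load_epss(conn: sqlite3.Connection, csv_text: str) -> int:
    """Parse EPSS CSV text and upsert it into cve_metrics; returns rows loaded.

    The feed is external input, so each value is checked to be a number in
    [0, 1] before it reaches the database."""
    data_lines = [ln for ln in csv_text.splitlines() if ln and not ln.startswith("#")]
    rows = []
    for rec in csv.DictReader(data_lines):
        prob, pct = float(rec["epss"]), float(rec["percentile"])
        if not (0.0 <= prob <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError(f"out-of-range EPSS values for {rec['cve']}")
        rows.append((rec["cve"], prob, pct))
    epss_id = conn.execute(
        "SELECT metrics_id FROM metrics WHERE metrics_name = 'EPSS'"
    ).fetchone()[0]
    conn.executemany(
        "INSERT OR REPLACE INTO cve_metrics (cve_id, metrics_id, metrics_score, metrics_field) "
        "VALUES (?, ?, ?, ?)",
        [(cve, epss_id, prob, pct) for cve, prob, pct in rows],
    )
    conn.commit()
    return len(rows)


def cves_with_epss(conn, min_probability=None, min_percentile=None):
    """Return (cve, severity, cvss, epss, percentile) rows, highest EPSS first.

    Each threshold is applied only when given; CVEs lacking an EPSS row are kept
    when no filter is set and dropped by either filter (NULL never passes >=).
    Thresholds are bound as parameters, never formatted into the SQL text."""
    conditions, params = [], []
    if min_probability is not None:
        conditions.append("m.metrics_score >= ?")
        params.append(min_probability)
    if min_percentile is not None:
        conditions.append("m.metrics_field >= ?")
        params.append(min_percentile)
    where = ("WHERE " + " AND ".join(conditions)) if conditions else ""
    sql = f"""
        SELECT s.cve_number, s.severity, s.score, m.metrics_score, m.metrics_field
        FROM cve_severity AS s
        LEFT JOIN cve_metrics AS m
          ON m.cve_id = s.cve_number
         AND m.metrics_id = (SELECT metrics_id FROM metrics WHERE metrics_name = 'EPSS')
        {where}
        ORDER BY COALESCE(m.metrics_score, -1) DESC, s.cve_number
    """
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(f"loaded {load_epss(db, SAMPLE_EPSS_CSV)} EPSS rows")
    for row in cves_with_epss(db, min_probability=0.5):
        print(row)
```

The LEFT JOIN matters for the no-filter case: a CVE the EPSS feed has not scored yet still appears in the unfiltered report with empty EPSS columns, rather than silently vanishing from the scan results.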
PRs:
- intel/cve-bin-tool#3106
- intel/cve-bin-tool#3145
- intel/cve-bin-tool#3102
- intel/cve-bin-tool#3097
- intel/cve-bin-tool#3240
PRs:
- intel/cve-bin-tool#3104
- intel/cve-bin-tool#3130
- intel/cve-bin-tool#3147
- intel/cve-bin-tool#3172
- intel/cve-bin-tool#3211
- intel/cve-bin-tool#3213
- intel/cve-bin-tool#3215
- intel/cve-bin-tool#3224
- intel/cve-bin-tool#3233
- intel/cve-bin-tool#3234
- intel/cve-bin-tool#3244
- intel/cve-bin-tool#3273
I plan on contributing significantly to the project after the GSoC period. Things I plan to do:
- Improving the test cases for EPSS filters.
- Changing the output of cve-bin-tool for better reporting.
I am thankful to Google, Python Software Foundation, and Intel for providing me with this excellent opportunity and the mentors, Terri Oda, Anthony Harrison, Anant and Rhythm who guided me throughout the program.
I would also like to thank my fellow GSoC contributor Pramurta and the cve-bin-tool community for helping me during the program.