Add EPSS model

Add EPSS UI
Add EPSS to api
Fix api test

Signed-off-by: ziadhany <[email protected]>

Author: ziadhany

vulnerabilities/api.py

@@ -24,6 +24,7 @@
 from rest_framework.throttling import AnonRateThrottle
 from rest_framework.throttling import UserRateThrottle
 
+from vulnerabilities.models import EPSS
 from vulnerabilities.models import Alias
 from vulnerabilities.models import Package
 from vulnerabilities.models import Vulnerability
@@ -167,6 +168,12 @@ def to_representation(self, instance):
         return representation
 
 
+class EPSSSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = EPSS
+        fields = ["score", "percentile", "created_at", "updated_at"]
+
+
 class VulnerabilitySerializer(BaseResourceSerializer):
     fixed_packages = MinimalPackageSerializer(
         many=True, source="filtered_fixed_packages", read_only=True
@@ -175,6 +182,7 @@ class VulnerabilitySerializer(BaseResourceSerializer):
 
     references = VulnerabilityReferenceSerializer(many=True, source="vulnerabilityreference_set")
     aliases = AliasSerializer(many=True, source="alias")
+    epss = EPSSSerializer(read_only=True)
     weaknesses = WeaknessSerializer(many=True)
 
     def to_representation(self, instance):
@@ -183,6 +191,10 @@ def to_representation(self, instance):
         weaknesses = data.get("weaknesses", [])
         data["weaknesses"] = [weakness for weakness in weaknesses if weakness is not None]
 
+        epss = data.get("epss", None)
+        if not epss:
+            data.pop("epss")
+
         return data
 
     class Meta:
@@ -196,6 +208,7 @@ class Meta:
             "affected_packages",
             "references",
             "weaknesses",
+            "epss",
         ]
 
 

vulnerabilities/improvers/__init__.py

@@ -8,6 +8,7 @@
 #
 
 from vulnerabilities.improvers import valid_versions
+from vulnerabilities.improvers import vulnerability_epss
 from vulnerabilities.improvers import vulnerability_status
 
 IMPROVERS_REGISTRY = [
@@ -26,6 +27,7 @@
     valid_versions.OSSFuzzImprover,
     valid_versions.RubyImprover,
     valid_versions.GithubOSVImprover,
+    vulnerability_epss.EPSSImprover,
     vulnerability_status.VulnerabilityStatusImprover,
 ]
 

vulnerabilities/improvers/vulnerability_epss.py

@@ -0,0 +1,67 @@
+#
+# Copyright (c) nexB Inc. and others. All rights reserved.
+# VulnerableCode is a trademark of nexB Inc.
+# SPDX-License-Identifier: Apache-2.0
+# See http://www.apache.org/licenses/LICENSE-2.0 for the license text.
+# See https://github.com/nexB/vulnerablecode for support or download.
+# See https://aboutcode.org for more information about nexB OSS projects.
+#
+import csv
+import gzip
+import logging
+import urllib.request
+from datetime import datetime
+from typing import Iterable
+
+from django.db.models.query import QuerySet
+
+from vulnerabilities.importer import AdvisoryData
+from vulnerabilities.improver import Improver
+from vulnerabilities.improver import Inference
+from vulnerabilities.models import EPSS
+from vulnerabilities.models import Advisory
+from vulnerabilities.models import Alias
+
+logger = logging.getLogger(__name__)
+
+
+class EPSSImprover(Improver):
+    """Exploit Prediction Scoring System (EPSS) Improver"""
+
+    @property
+    def interesting_advisories(self) -> QuerySet:
+        return [Advisory.objects.all()[0]]
+
+    def get_inferences(self, advisory_data: AdvisoryData) -> Iterable[Inference]:
+        """Fetch the csv epss file and update or create the EPSS Model"""
+
+        epss_url = "https://epss.cyentia.com/epss_scores-current.csv.gz"
+        response = urllib.request.urlopen(epss_url)
+
+        with gzip.open(response, "rb") as f:
+            lines = [l.decode("utf-8") for l in f.readlines()]
+
+        epss_reader = csv.reader(lines)
+        next(epss_reader)  # skip the header row
+
+        for epss_data in epss_reader:
+            cve, score, percentile = epss_data
+            alias = Alias.objects.get_or_none(alias=cve)
+            if not alias:
+                logger.error(f"Could not find alias for CVE: {cve}")
+                continue
+
+            if not alias.vulnerability:
+                logger.error(f"Could not find vulnerability with this CVE {cve}")
+                continue
+
+            EPSS.objects.update_or_create(
+                vulnerability=alias.vulnerability,
+                defaults={
+                    "score": score,
+                    "percentile": percentile,
+                    "updated_at": datetime.now(),
+                },
+            )
+
+        return []

vulnerabilities/migrations/0057_epss.py

@@ -0,0 +1,57 @@
+# Generated by Django 4.1.13 on 2024-05-19 21:37
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("vulnerabilities", "0056_alter_packagechangelog_software_version_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="EPSS",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True, primary_key=True, serialize=False, verbose_name="ID"
+                    ),
+                ),
+                (
+                    "score",
+                    models.FloatField(
+                        help_text="the EPSS score representing the probability [0-1] of exploitation in the wild in the next 30 days"
+                    ),
+                ),
+                (
+                    "percentile",
+                    models.FloatField(
+                        verbose_name="the percentile of the current score,the proportion of all scored vulnerabilities with the same or a lower EPSS score"
+                    ),
+                ),
+                (
+                    "created_at",
+                    models.DateTimeField(
+                        auto_now_add=True, help_text="When was the first time we fetched epss"
+                    ),
+                ),
+                (
+                    "updated_at",
+                    models.DateTimeField(
+                        auto_now=True, help_text="When was the last time we fetched epss"
+                    ),
+                ),
+                (
+                    "vulnerability",
+                    models.OneToOneField(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="epss",
+                        to="vulnerabilities.vulnerability",
+                    ),
+                ),
+            ],
+        ),
+    ]

vulnerabilities/models.py

@@ -1121,7 +1121,6 @@ class Meta:
 
 
 class ChangeLog(models.Model):
-
     action_time = models.DateTimeField(
         # check if dates are actually UTC
         default=timezone.now,
@@ -1261,7 +1260,6 @@ def log_action(self, package, action_type, actor_name, source_url, related_vulne
 
 
 class PackageChangeLog(ChangeLog):
-
     AFFECTED_BY = 1
     FIXING = 2
 
@@ -1309,3 +1307,30 @@ def log_fixing(cls, package, importer, source_url, related_vulnerability):
             source_url=source_url,
             related_vulnerability=related_vulnerability,
         )
+
+
+class EPSS(models.Model):
+    """
+    EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
+    """
+
+    vulnerability = models.OneToOneField(
+        Vulnerability, on_delete=models.CASCADE, related_name="epss"
+    )
+
+    score = models.FloatField(
+        help_text="the EPSS score representing the probability "
+        "[0-1] of exploitation in the wild in the next 30 days"
+    )
+
+    percentile = models.FloatField(
+        "the percentile of the current score,"
+        "the proportion of all scored vulnerabilities with the same or a lower EPSS score"
+    )
+
+    created_at = models.DateTimeField(
+        auto_now_add=True, help_text="When was the first time we fetched epss"
+    )
+    updated_at = models.DateTimeField(
+        auto_now=True, help_text="When was the last time we fetched epss"
+    )

vulnerabilities/templates/vulnerability_details.html

@@ -60,6 +60,15 @@
                             </span>
                         </a>
                     </li>
+                {% if vulnerability.epss %}
+                    <li data-tab="epss">
+                        <a>
+                            <span>
+                                EPSS
+                            </span>
+                        </a>
+                    </li>
+                {% endif %}
                 <li data-tab="history">
                     <a>
                         <span>
@@ -374,6 +383,59 @@
                             </tr>
                         {% endfor %}
                 </div>
+        
+            {% if vulnerability.epss %}
+                <div class="tab-div content" data-content="epss">
+                    <div class="has-text-weight-bold tab-nested-div ml-1 mb-1 mt-1">
+                        Exploit Prediction Scoring System
+                    </div>
+                    <table class="table vcio-table width-100-pct mt-2">
+                            <tbody>
+                                <tr>
+                                    <td class="two-col-left">
+                                        <span class="has-tooltip-multiline has-tooltip-black has-tooltip-arrow has-tooltip-text-left"
+                                                data-tooltip="the percentile of the current score, the proportion of all scored vulnerabilities with the same or a lower EPSS score">
+                                                Percentile:
+                                        </span>
+                                    </td>
+                                    <td class="two-col-right">{{ vulnerability.epss.percentile }}</td>
+                                </tr>
+  
+                                <tr>
+                                    <td class="two-col-left">
+                                        <span class="has-tooltip-multiline has-tooltip-black has-tooltip-arrow has-tooltip-text-left"
+                                                data-tooltip="the EPSS score representing the probability [0-1] of exploitation in the wild in the next 30 days (following score publication)">
+                                                EPSS score:
+                                        </span>
+                                    </td>
+                                    <td class="two-col-right">{{ vulnerability.epss.score }}</td>
+                                </tr>
+                                
+                                <tr>
+                                    <td class="two-col-left">
+                                        <span
+                                        class="has-tooltip-multiline has-tooltip-black has-tooltip-arrow has-tooltip-text-left"
+                                        data-tooltip="When was the first time we fetched epss">
+                                        Created at:
+                                        </span>
+                                    </td>
+                                    <td class="two-col-right">{{ vulnerability.epss.created_at }}</td>
+                                </tr>
+
+                                <tr>
+                                    <td class="two-col-left">
+                                        <span class="has-tooltip-multiline has-tooltip-black has-tooltip-arrow has-tooltip-text-left"
+                                            data-tooltip="When was the last time we fetched epss">
+                                            Updated at:
+                                        </span>
+                                    </td>
+                                    <td class="two-col-right">{{ vulnerability.epss.updated_at }}</td>
+                                </tr>
+                            </tbody>
+                    </table>
+                </div>
+            {% endif %}
+            
             <div class="tab-div content" data-content="history">
                 <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
                     <thead>