Import EPSS data from Anchore Grype scans (#12639)

Grype added EPSS metrics in v0.92.0, see:
https://github.com/anchore/grype/releases/tag/v0.92.0

Adds EPSS support with a test based on the same busybox image used
in anchore_grype/no_vuln.json.

Also removes the hardcoded CWE value as Grype does not support CWE
data.

Author: bwt-sloanj

docs/content/en/connecting_your_tools/parsers/file/anchore_grype.md

@@ -5,11 +5,11 @@ toc_hide: true
 ### File Types
 DefectDojo parser accepts a .json file.
 
-Anchore Grype JSON files are created using the Grype CLI, using the '-o json' option.  See: https://github.com/anchore/grype
+Anchore Grype JSON files are created using the Grype CLI, using the '--output=json' option.  See: https://github.com/anchore/grype
 
 **Example:**
 {{< highlight bash >}}
-grype yourApp/example-page -o json > example_vulns.json
+grype yourApp/example-page --output=json=example_vulns.json
 {{< /highlight >}}
 
 ### Acceptable JSON Format

dojo/tools/anchore_grype/parser.py

@@ -22,8 +22,8 @@ def get_label_for_scan_types(self, scan_type):
 
     def get_description_for_scan_types(self, scan_type):
         return (
-            "A vulnerability scanner for container images and filesystems. JSON report generated with '-o json' "
-            "format"
+            "A vulnerability scanner for container images, filesystems, and SBOMs. "
+            "JSON report generated with '--output=json' format."
         )
 
     def get_findings(self, file, test):
@@ -41,11 +41,13 @@ def get_findings(self, file, test):
             if "fix" in vulnerability:
                 vuln_fix_versions = vulnerability["fix"].get("versions")
             vuln_cvss = vulnerability.get("cvss")
+            vuln_epss = vulnerability.get("epss")
 
             rel_datasource = None
             rel_urls = None
             rel_description = None
             rel_cvss = None
+            rel_epss = None
             vulnerability_ids = None
             related_vulnerabilities = item.get("relatedVulnerabilities")
             if related_vulnerabilities:
@@ -54,6 +56,7 @@ def get_findings(self, file, test):
                 rel_urls = related_vulnerability.get("urls")
                 rel_description = related_vulnerability.get("description")
                 rel_cvss = related_vulnerability.get("cvss")
+                rel_epss = related_vulnerability.get("epss")
             vulnerability_ids = self.get_vulnerability_ids(
                 vuln_id, related_vulnerabilities,
             )
@@ -160,6 +163,10 @@ def get_findings(self, file, test):
             if not finding_cvss3 and rel_cvss:
                 finding_cvss3 = self.get_cvss(rel_cvss)
 
+            finding_epss_score, finding_epss_percentile = self.get_epss_values(vuln_id, vuln_epss)
+            if finding_epss_score is None and rel_epss:
+                finding_epss_score, finding_epss_percentile = self.get_epss_values(vuln_id, rel_epss)
+
             dupe_key = finding_title
             if dupe_key in dupes:
                 finding = dupes[dupe_key]
@@ -168,8 +175,9 @@ def get_findings(self, file, test):
                 dupes[dupe_key] = Finding(
                     title=finding_title.replace("\x00", ""),
                     description=finding_description.replace("\x00", ""),
-                    cwe=1352,
                     cvssv3=finding_cvss3,
+                    epss_score=finding_epss_score,
+                    epss_percentile=finding_epss_percentile,
                     severity=vuln_severity,
                     mitigation=finding_mitigation,
                     references=finding_references,
@@ -202,6 +210,20 @@ def get_cvss(self, cvss):
                     return vector
         return None
 
+    def get_epss_values(self, vuln_id, epss_list):
+        if isinstance(epss_list, list):
+            for epss_data in epss_list:
+                if epss_data.get("cve") != vuln_id:
+                    continue
+                try:
+                    epss_score = float(epss_data.get("epss"))
+                    epss_percentile = float(epss_data.get("percentile"))
+                except (TypeError, ValueError):
+                    pass
+                else:
+                    return epss_score, epss_percentile
+        return None, None
+
     def get_vulnerability_ids(self, vuln_id, related_vulnerabilities):
         vulnerability_ids = []
         if vuln_id: