Skip to content

Import EPSS data from Anchore Grype scans#12639

Merged
valentijnscholten merged 1 commit into
DefectDojo:devfrom
bluwireless:anchore-grype-epss
Jun 25, 2025
Merged

Import EPSS data from Anchore Grype scans#12639
valentijnscholten merged 1 commit into
DefectDojo:devfrom
bluwireless:anchore-grype-epss

Conversation

@bwt-sloanj

@bwt-sloanj bwt-sloanj commented Jun 19, 2025

Copy link
Copy Markdown
Contributor

Description

Grype added EPSS metrics in v0.92.0, see:
https://github.com/anchore/grype/releases/tag/v0.92.0

Adds EPSS support with a test based on the same busybox image used in anchore_grype/no_vuln.json.

Also removes the hardcoded CWE value as Grype does not support CWE data.

Test results

Adds unittests.tools.test_anchore_grype_parser.TestAnchoreGrypeParser.test_grype_epss_values.

Modifies unittests.tools.test_anchore_grype_parser.TestAnchoreGrypeParser.test_check_all_fields to reflect CWE change.

Fixes typo in unittests.tools.test_anchore_grype_parser.TestAnchoreGrypeParser.test_grype_parser_with_one_critical_vuln_has_one_findings.

Documentation

Updates documentation with information on scanning SBOMs and newer style of getting Grype JSON output written to file.

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is ruff compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

@bwt-sloanj
Import EPSS data from Anchore Grype scans
27779e4 
Grype added EPSS metrics in v0.92.0, see:
https://github.com/anchore/grype/releases/tag/v0.92.0

Adds EPSS support with a test based on the same busybox image used
in anchore_grype/no_vuln.json.

Also removes the hardcoded CWE value as Grype does not support CWE
data.
@dryrunsecurity

dryrunsecurity Bot commented Jun 19, 2025

Copy link
Copy Markdown

DryRun Security

This pull request contains a minor input validation weakness in the get_epss_values method of the Anchore Grype parser, where comprehensive input validation for EPSS scores is not fully implemented, though the current implementation is considered non-blocking and passes the risk threshold.

Input Validation Weakness in dojo/tools/anchore_grype/parser.py
Vulnerability Input Validation Weakness
Description The get_epss_values method lacks comprehensive input validation when parsing EPSS scores from external JSON data. While the method uses a try-except block to handle type conversion, it does not perform explicit validation of the EPSS score and percentile values' format, range, or content. This could potentially allow malformed input to be processed without sufficient checks.

django-DefectDojo/dojo/tools/anchore_grype/parser.py

Lines 210 to 229 in 27779e4

return vector
return None
def get_epss_values(self, vuln_id, epss_list):
if isinstance(epss_list, list):
for epss_data in epss_list:
if epss_data.get("cve") != vuln_id:
continue
try:
epss_score = float(epss_data.get("epss"))
epss_percentile = float(epss_data.get("percentile"))
except (TypeError, ValueError):
pass
else:
return epss_score, epss_percentile
return None, None
def get_vulnerability_ids(self, vuln_id, related_vulnerabilities):
vulnerability_ids = []
if vuln_id:

All finding details can be found in the DryRun Security Dashboard.

Maffooch
Maffooch requested changes Jun 20, 2025
View reviewed changes
Comment thread dojo/tools/anchore_grype/parser.py
@valentijnscholten valentijnscholten added this to the 2.48.0 milestone Jun 20, 2025
@Maffooch Maffooch requested a review from hblankenship June 24, 2025 02:45
mtesauro
mtesauro approved these changes Jun 24, 2025
View reviewed changes

@mtesauro mtesauro left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@valentijnscholten valentijnscholten merged commit 6b5b4d3 into DefectDojo:dev Jun 25, 2025
78 checks passed
@farsheedify farsheedify mentioned this pull request Jul 21, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtesauro mtesauro mtesauro approved these changes

@valentijnscholten valentijnscholten valentijnscholten approved these changes

@Maffooch Maffooch Maffooch approved these changes

+1 more reviewer

@hblankenship hblankenship hblankenship approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

docs parser unittests

Projects

None yet

Milestone

2.48.0

Development

Successfully merging this pull request may close these issues.

5 participants

@bwt-sloanj @mtesauro @valentijnscholten @hblankenship @Maffooch