Import EPSS data from Anchore Grype scans

27779e4
Merged

Import EPSS data from Anchore Grype scans #12639

DryRunSecurity / General Security Analyzer succeeded Jun 19, 2025 in 53s

DryRun Security

General Security Analyzer Findings: 1 detected

⚠️ Input Validation Weakness in dojo/tools/anchore_grype/parser.py

Type: Input Validation Weakness

Description: The get_epss_values method lacks comprehensive input validation when parsing EPSS scores from external JSON data. While the method uses a try-except block to handle type conversion, it does not perform explicit validation of the EPSS score and percentile values' format, range, or content. This could potentially allow malformed input to be processed without sufficient checks.

Filename: dojo/tools/anchore_grype/parser.py

Code (excerpt linked by the finding):
```python
            return vector
        return None

    def get_epss_values(self, vuln_id, epss_list):
        # Walk the Grype EPSS list and return the first entry whose "cve"
        # matches vuln_id. Only the float() conversion is guarded; no range
        # or content check is applied to the parsed values.
        if isinstance(epss_list, list):
            for epss_data in epss_list:
                if epss_data.get("cve") != vuln_id:
                    continue
                try:
                    epss_score = float(epss_data.get("epss"))
                    epss_percentile = float(epss_data.get("percentile"))
                except (TypeError, ValueError):
                    pass
                else:
                    return epss_score, epss_percentile
        return None, None

    def get_vulnerability_ids(self, vuln_id, related_vulnerabilities):
        vulnerability_ids = []
        if vuln_id:
```
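As an added example (not code from the DefectDojo PR or from the DryRun report), here is a hardened variant of `get_epss_values` that applies the checks the finding asks for: each entry must be a dict, and the EPSS score and percentile must parse as finite floats within [0, 1]; anything else is skipped. The Grype-style list and the CVE ids in it are constructed placeholders.

```python
import math


def parse_unit_interval(value):
    """Return value as a float in [0, 1], or None when it is missing,
    non-numeric, non-finite (float() accepts "nan" and "inf") or out of range.
    bool is rejected explicitly because bool is a subclass of int."""
    if value is None or isinstance(value, bool):
        return None
    try:
        score = float(value)
    except (TypeError, ValueError):
        return None
    if not math.isfinite(score) or not 0.0 <= score <= 1.0:
        return None
    return score


def get_epss_values(vuln_id, epss_list):
    """Look up (epss, percentile) for vuln_id in a Grype-style EPSS list.
    Malformed entries are skipped; the first fully valid match wins."""
    if not isinstance(epss_list, list):
        return None, None
    for epss_data in epss_list:
        if not isinstance(epss_data, dict) or epss_data.get("cve") != vuln_id:
            continue
        epss_score = parse_unit_interval(epss_data.get("epss"))
        epss_percentile = parse_unit_interval(epss_data.get("percentile"))
        if epss_score is None or epss_percentile is None:
            continue
        return epss_score, epss_percentile
    return None, None


# Constructed sample (placeholder CVE ids): valid, out-of-range, non-numeric and malformed entries.
SAMPLE_EPSS = [
    {"cve": "CVE-0000-0001", "epss": "0.00432", "percentile": "0.71234"},
    {"cve": "CVE-0000-0002", "epss": "1.5", "percentile": "0.9"},    # out of range
    {"cve": "CVE-0000-0003", "epss": "nan", "percentile": "0.5"},    # float() would accept this
    {"cve": "CVE-0000-0004", "epss": "high", "percentile": "0.5"},   # non-numeric
    "not-a-dict",                                                    # wrong entry type
    {"cve": "CVE-0000-0005", "epss": "0.2"},                         # missing percentile
    {"cve": "CVE-0000-0005", "epss": "0.25", "percentile": "0.6"},   # later valid duplicate
]

if __name__ == "__main__":
    for cve in ("CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004", "CVE-0000-0005"):
        print(cve, get_epss_values(cve, SAMPLE_EPSS))
```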