Fix EPSS tab to show latest score by published date

Author: abhey8

vulnerabilities/tests/test_view.py

@@ -9,6 +9,8 @@
 
 import os
 import time
+from datetime import datetime
+from datetime import timezone as dt_timezone
 
 import pytest
 from django.test import Client
@@ -182,6 +184,33 @@ def test_vulnerabilties_search_view_can_find_alias(self):
         response = self.client.get(f"/vulnerabilities/search/?search=TEST-2022")
         self.assertEqual(response.status_code, 200)
 
+    def test_vulnerability_details_epss_uses_latest_published_score(self):
+        older_epss = VulnerabilitySeverity.objects.create(
+            url="https://api.first.org/data/v1/epss?cve=CVE-2024-39689",
+            scoring_system="epss",
+            value="0.00045",
+            scoring_elements="0.16709",
+            published_at=datetime(2024, 11, 1, tzinfo=dt_timezone.utc),
+        )
+        latest_epss = VulnerabilitySeverity.objects.create(
+            url="https://api.first.org/data/v1/epss?cve=CVE-2024-39689",
+            scoring_system="epss",
+            value="0.21233",
+            scoring_elements="0.95432",
+            published_at=datetime(2025, 8, 14, tzinfo=dt_timezone.utc),
+        )
+
+        self.vulnerability.severities.add(older_epss)
+        self.vulnerability.severities.add(latest_epss)
+
+        response = self.client.get(f"/vulnerabilities/{self.vulnerability.vulnerability_id}")
+        self.assertEqual(response.status_code, 200)
+
+        epss_data = response.context["epss_data"]
+        self.assertEqual(epss_data["score"], "0.21233")
+        self.assertEqual(epss_data["percentile"], "0.95432")
+        self.assertEqual(epss_data["published_at"], datetime(2025, 8, 14, tzinfo=dt_timezone.utc))
+
 
 class CheckRobotsTxtTestCase(TestCase):
     def test_robots_txt(self):

vulnerabilities/views.py

@@ -49,6 +49,20 @@
 PAGE_SIZE = 20
 
 
+def get_latest_epss_severity(severities):
+    """
+    Return the latest EPSS severity by publication date.
+    """
+    return (
+        severities.filter(scoring_system=EPSS.identifier)
+        .order_by(
+            F("published_at").desc(nulls_last=True),
+            F("id").desc(),
+        )
+        .first()
+    )
+
+
 class PackageSearch(ListView):
     model = models.Package
     template_name = "packages.html"
@@ -386,7 +400,7 @@ def get_context_data(self, **kwargs):
             ):
                 logging.error(f"CVSSMalformedError for {severity.scoring_elements}")
 
-        epss_severity = vulnerability.severities.filter(scoring_system="epss").first()
+        epss_severity = get_latest_epss_severity(vulnerability.severities)
         epss_data = None
         if epss_severity:
             epss_data = {
@@ -502,7 +516,7 @@ def get_context_data(self, **kwargs):
             .exclude(scoring_elements="")
         )
 
-        epss_severity = advisory.severities.filter(scoring_system="epss").first()
+        epss_severity = get_latest_epss_severity(advisory.severities)
         epss_data = None
         epss_advisory = None
         if not epss_severity:
@@ -514,7 +528,7 @@ def get_context_data(self, **kwargs):
                 .first()
             )
             if epss_advisory:
-                epss_severity = epss_advisory.severities.filter(scoring_system="epss").first()
+                epss_severity = get_latest_epss_severity(epss_advisory.severities)
         if epss_severity:
             # If the advisory itself does not have EPSS severity, but has a related advisory with EPSS severity, we use the related advisory's EPSS severity and URL as the source of EPSS data.
             epss_data = {