Vulnerability risk assessment data

Use vulnerability risk data to help assess the potential impact to your environment.

Vulnerability risk data includes:

  • EPSS
  • KEV

With multiple data points you can better prioritize remediation and mitigation actions. For example, a vulnerability with medium severity and a high EPSS score may require mitigation sooner than a vulnerability with a high severity and a low EPSS score.

EPSS

History
  • Introduced in GitLab 17.4 with flags named epss_querying (in issue 470835) and epss_ingestion (in issue 467672). Disabled by default.
  • Renamed to cve_enrichment_querying and cve_enrichment_ingestion respectively and enabled on GitLab.com in GitLab 17.6.
The availability of this feature is controlled by a feature flag. For more information, see the history.

The Exploit Prediction Scoring System (EPSS) estimates the likelihood that a vulnerability (specifically, a CVE) will be exploited in the next 30 days. EPSS gives each CVE a score between 0 and 1 (equivalent to 0% to 100%).

Querying EPSS

You can query the EPSS score of vulnerabilities by using the GraphQL API. Scores are attached to CVEs and are rounded to two decimal places.

The cveEnrichment field in the GitLab API model contains the CVE ID and an EPSS score for a given CVE. It is accessible through the Vulnerability type.

For example, the following GraphQL query returns all vulnerabilities in a given project and their EPSS scores. Run the query in the GraphQL explorer or any other GraphQL client.

{
  project(fullPath: "<full/path/to/project>") {
    vulnerabilities {
      nodes {
        identifiers {
          externalId
          externalType
        }
        cveEnrichment {
          epssScore
          cve
        }
      }
    }
  }
}

Sample output:

{
  "data": {
    "project": {
      "vulnerabilities": {
        "nodes": [
          {
            "identifiers": [
              {
                "externalId": "CVE-2024-37371",
                "externalType": "cve"
              }
            ],
            "cveEnrichment": {
              "epssScore": 0,
              "cve": "CVE-2024-37371"
            }
          },
          {
            "identifiers": [
              {
                "externalId": "CVE-2024-5171",
                "externalType": "cve"
              }
            ],
            "cveEnrichment": {
              "epssScore": 0.02,
              "cve": "CVE-2024-5171"
            }
          }
        ]
      }
    }
  },
  "correlationId": "..."
}
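The prioritization rule described earlier (a medium-severity finding with a high EPSS score ranked ahead of a high-severity finding with a low EPSS score), applied to the output of the cveEnrichment query above. This is an added example, not part of GitLab's documentation or code: it assumes the Vulnerability type's `severity` field is requested alongside the fields shown, a `read_api` personal access token for the `fetch` helper, and a constructed sample response; findings with no CVE (cveEnrichment is null) are handled.

```python
"""Rank vulnerabilities from the cveEnrichment GraphQL query by EPSS and severity.
Added example, not GitLab code; assumes the Vulnerability type's `severity` field
(CRITICAL/HIGH/MEDIUM/LOW/INFO/UNKNOWN) is requested alongside cveEnrichment."""
import json
import urllib.request

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFO": 0, "UNKNOWN": 0}
QUERY = """{ project(fullPath: "%s") { vulnerabilities { nodes {
  severity identifiers { externalId externalType } cveEnrichment { epssScore cve } } } } }"""


def fetch(full_path, token, gitlab_url="https://gitlab.com"):
    """POST the query to the GraphQL endpoint with a read_api personal access token."""
    req = urllib.request.Request(
        f"{gitlab_url}/api/graphql",
        data=json.dumps({"query": QUERY % full_path}).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def prioritize(response, epss_threshold=0.10):
    """Order nodes for remediation: EPSS at/above threshold first (a MEDIUM finding that is
    likely to be exploited outranks a HIGH one that is not), then severity, then raw EPSS.
    Nodes without cveEnrichment (no CVE or not yet scored) sort behind scored peers."""
    rows = []
    for node in response["data"]["project"]["vulnerabilities"]["nodes"]:
        enrich = node.get("cveEnrichment") or {}        # null when the finding has no CVE
        epss = enrich.get("epssScore")
        cve = enrich.get("cve") or next((i["externalId"] for i in node.get("identifiers", [])
                                         if i["externalType"] == "cve"), None)
        rows.append({"cve": cve, "severity": node.get("severity", "UNKNOWN"),
                     "epss": None if epss is None else float(epss)})  # API may return int 0
    return sorted(rows, reverse=True, key=lambda r: (
        (r["epss"] or 0.0) >= epss_threshold,
        SEVERITY_RANK.get(r["severity"], 0),
        -1.0 if r["epss"] is None else r["epss"]))


# Constructed sample response: the two CVEs from the page's sample output plus two made-up
# nodes (CVE-0000-00001 is a placeholder id; the last node has no CVE and no enrichment).
SAMPLE_RESPONSE = {"data": {"project": {"vulnerabilities": {"nodes": [
    {"severity": "HIGH", "identifiers": [{"externalId": "CVE-2024-37371", "externalType": "cve"}],
     "cveEnrichment": {"epssScore": 0, "cve": "CVE-2024-37371"}},
    {"severity": "HIGH", "identifiers": [{"externalId": "CVE-2024-5171", "externalType": "cve"}],
     "cveEnrichment": {"epssScore": 0.02, "cve": "CVE-2024-5171"}},
    {"severity": "MEDIUM", "identifiers": [{"externalId": "CVE-0000-00001", "externalType": "cve"}],
     "cveEnrichment": {"epssScore": 0.85, "cve": "CVE-0000-00001"}},
    {"severity": "CRITICAL", "identifiers": [{"externalId": "EXAMPLE-ID", "externalType": "other"}],
     "cveEnrichment": None}]}}}}
```

With the sample data, the MEDIUM finding with EPSS 0.85 comes out first, ahead of the unscored CRITICAL finding and both HIGH findings with near-zero EPSS.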

KEV

The CISA Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilities that are known to have been exploited in the wild. It is crucial to remediate these vulnerabilities if you find them in your environment: there are documented cases of attacks using them, and the exploitation method is likely known to attackers.

Support for KEV is proposed in epic 11912.