Add risk score to results and sort by risk by default #2587
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4e46de3 to
f95ffd7
Compare
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
4659913 to
b478866
Compare
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
b478866 to
aa0caa7
Compare
spiffcs
approved these changes
May 1, 2025
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds a new
riskmetric to the grype results, allowing us to show prioritized vulnerability mathces in a way that helps users remediate the most "important" vulnerabilities first.The new
riskmetric is defined asrisk ~= threat * severity, where:threatis the EPSS score for the CVE matched with (between 0-1), or if present on the KEV list, then boosted by 5% (10% if the vulnerability is being used in ransomeware)severityis the average CVSS base score + string severity on the vulnerability record (scaled to between 0-1)Grype results, regardless of the format, will be sorted by highest-risk-first by default. Also the raw risk value will be added to the table and json output formats.
A new
--sort-by <value>flag is being added with the following available options:severity: sort by severityepss: sort by EPSS percentile (aka, "threat")risk: sort by risk score (default)kev: just like risk, except that KEV entries are always above non-KEV entriespackage: sort by package name, version, typevulnerability: sort by vulnerability IDFurther adjustments have been made to the table output to help users with remediation:
add a new EPSS percentile column: teams typically need to balance risk tolerance and budget when choosing how many vulnerabilities to remediate from the full set of results. The EPSS documentation illustrates that selecting EPSS percentile cutoff could be a good way to maximize coverage and minimize effort relative to your teams needs. Exposing this raw metric makes following this advise much easier.
add KEV "pill" annotations next to table rows: though presence on the KEV list typically means that the vulnerability has a high risk score (thus will float to the top of the results) it does not guarantee that a) there are non-KEV entries above it, or b) it is within your teams remediation cutoff (however you choose this). From this perspective it makes sense to make this "exploited in the wild" dimension more visible and not depend on purely sorting methods. If you want a high coupling of KEV evidence and the sort method, I'd recommend using
--sort-by kev.emphasize the minimum version upgrade path: this is really de-emphasizing other upgrade paths and truncating the
fixescolumn in the table output when there are several updates (the JSON output will show all values). This better focuses users toward useful information by removing flashier formatting.Fixes #1511
Fixes #1973