Add Support to EPSS

[ziadhany]

issue #850 #1474

[DennisClark]

@ziadhany Perhaps you could add this link
https://www.first.org/epss/
to help people understand who the "Exploit Prediction Scoring System" is,
and then it should be good to go.

[ziadhany]

@pombredanne @DennisClark @keshav-space @johnmhoran @Hritik14
I added the EPSS to the scoring system the API looks good
but there is a problem with the UI :
1- Severity score range ( Should we ignore the EPSS ? ) I think yes
2- where should we add the published_at and percentile? ( Severities vectors, ... ? )

{
    "url": "http://127.0.0.1:8001/api/vulnerabilities/132176",
    "vulnerability_id": "VCID-1116-rhyx-aaab",
    "summary": "",
    "aliases": [
        {
            "alias": "CVE-2019-14599"
        }
    ],
    "fixed_packages": [],
    "affected_packages": [],
    "references": [
        {
            "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2019-14599",
            "reference_id": "",
            "scores": [
                {
                    "value": "0.00044",
                    "scoring_system": "epss",
                    "scoring_elements": "0.12215",
                    "published_at": "2024-05-22T00:00:00Z"
                }
            ],
            "url": "https://api.first.org/data/v1/epss?cve=CVE-2019-14599"
        }
    ],
    "weaknesses": [],
    "resource_url": "http://127.0.0.1:8001/vulnerabilities/VCID-1116-rhyx-aaab"
}

[DennisClark]

@ziadhany as discussed in our meeting, please do not include the EPSS score (0 to 1) in the Severity Score Range (0-10) since they don't really make sense together.

[Hritik14]

EPSS scores are probabilities and could be represented in the 1-100 range by multiplying by 100.

[ziadhany]

EPSS scores are probabilities and could be represented in the 1-100 range by multiplying by 100.

@Hritik14
we have three options
1- multiple EPSS score by (10, 100, ...): This approach has limitations and may not be effective for all EPSS scores
CVE-1999-0005: epss score: 0.91963 -> (9.1963, 91.963, ...)
CVE-2023-5868: epss score: 0.0018 -> (0.018, 0.18 , ...)
CVE-2023-4806: epss score: 0.00097 -> (0.0097, 0.097, ...)

2- normalize the whole score range to [0,1] ( CVSS values ): This approach could be useful, however, most people are more concerned with the vulnerability's CVSS rating [ 0: 10 ]

3- Keep the EPSS score separate from the severity score range

[TG1999]

Please add screenshots in UI for both cases when we have and when we do not have "published_at"

[ziadhany]

@TG1999 Here are all the screenshots for the EPSS UI.

[TG1999]

@ziadhany please do same for API. Thanks and merge this

[TG1999]

LGTM!

[TG1999]

@ziadhany tests are failing, please look!

[ziadhany]

@ziadhany tests are failing, please look!

@TG1999 I resolved the test issues. One was due to migration conflicts, and the other was related to the cargo ref type. I'm unsure why the cargo ref type issue didn't appear in the ref type pull request.

[TG1999]

#1502 is reverted, @ziadhany please also fix the tests there and get it merged

[TG1999]

@ziadhany error persists, CI is still failing

[ziadhany]

@ziadhany error persists, CI is still failing

@TG1999 Please merge the ref type pull request before this one and rerun the CI.

[TG1999]

@ziadhany please see #1518, please do the required/needed changes to get CI passing there

[TG1999]

@ziadhany please see this PR, tests are failing

[ziadhany]

@ziadhany please see this PR, tests are failing

@TG1999 Done