Vulnerability risk assessment data

Use vulnerability risk data to help assess the potential impact to your environment.

Use this data to help prioritize remediation and mitigation actions. For example, a vulnerability with medium severity and a high EPSS score may require mitigation sooner than a vulnerability with a high severity and a low EPSS score.

EPSS

History
  • Introduced in GitLab 17.4 with flags named epss_querying (in issue 470835) and epss_ingestion (in issue 467672). Disabled by default.
  • Renamed to cve_enrichment_querying and cve_enrichment_ingestion respectively and enabled on GitLab.com in GitLab 17.6.
The availability of this feature is controlled by a feature flag. For more information, see the history.

The EPSS score provides an estimate of the likelihood that a vulnerability in the CVE catalog will be exploited in the next 30 days. EPSS assigns each CVE a score between 0 and 1 (equivalent to 0% to 100%).

KEV

History

The KEV catalog lists vulnerabilities that are known to have been exploited. You should prioritize the remediation of vulnerabilities in the KEV catalog above other vulnerabilities. Attacks using these vulnerabilities have occurred and the exploitation method is likely known to attackers.

Query risk assessment data

Use the GraphQL API to query the severity, EPSS, and KEV values of vulnerabilities in a project.

The Vulnerability type in the GraphQL API has a cveEnrichment field, which is populated when the identifiers field contains a CVE identifier. The cveEnrichment field contains the CVE ID, EPSS score, and KEV status for the vulnerability. EPSS scores are rounded to the second decimal digit.

For example, the following GraphQL API query returns all vulnerabilities in a given project and their CVE ID, EPSS score, and KEV status (isKnownExploit). Run the query in the GraphQL explorer or any other GraphQL client.

{
  project(fullPath: "<full/path/to/project>") {
    vulnerabilities {
      nodes {
        severity
        identifiers {
          externalId
          externalType
        }
        cveEnrichment {
          epssScore
          isKnownExploit
          cve
        }
      }
    }
  }
}

Example output:

{
  "data": {
    "project": {
      "vulnerabilities": {
        "nodes": [
          {
            "severity": "CRITICAL",
            "identifiers": [
              {
                "externalId": "CVE-2019-3859",
                "externalType": "cve"
              }
            ],
            "cveEnrichment": {
              "epssScore": 0.2,
              "isKnownExploit": false,
              "cve": "CVE-2019-3859"
            }
          },
          {
            "severity": "CRITICAL",
            "identifiers": [
              {
                "externalId": "CVE-2016-8735",
                "externalType": "cve"
              }
            ],
            "cveEnrichment": {
              "epssScore": 0.94,
              "isKnownExploit": true,
              "cve": "CVE-2016-8735"
            }
          }
        ]
      }
    }
  },
  "correlationId": "..."
}

Vulnerability Prioritizer

Status: Experiment

Use the Vulnerability Prioritizer CI/CD component to help prioritize a project’s vulnerabilities (namely CVEs). The component outputs a prioritization report in the vulnerability-prioritizer job’s output.

Vulnerabilities are listed in the following order:

  1. Vulnerabilities with known exploitation (KEV) are top priority.
  2. Higher EPSS scores (closer to 1) are prioritized.
  3. Severities are ordered from Critical to Low.

Only vulnerabilities detected by dependency scanning and container scanning are included because the Vulnerability Prioritizer CI/CD component requires data only available in Common Vulnerabilities and Exposures (CVE) records. Moreover, only detected (Needs triage) and confirmed vulnerabilities are shown.
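As an added example (not code from the GitLab documentation or from the Vulnerability Prioritizer component), the script below applies the three ordering rules to a constructed response in the shape of the GraphQL output above, dropping entries that have no CVE enrichment and entries whose state is neither detected nor confirmed. The `state` field on each node and the sample CVE IDs are assumptions made for this example.

```python
import json

# Constructed sample response, shaped like the GraphQL output shown above.
# The GHSA-only entry has no CVE identifier, so cveEnrichment is null;
# the MEDIUM entry shows a medium-severity CVE with a high EPSS score;
# the RESOLVED entry should be excluded regardless of its KEV status.
SAMPLE_RESPONSE = json.dumps({"data": {"project": {"vulnerabilities": {"nodes": [
    {"severity": "CRITICAL", "state": "DETECTED",
     "identifiers": [{"externalId": "CVE-2019-3859", "externalType": "cve"}],
     "cveEnrichment": {"epssScore": 0.2, "isKnownExploit": False, "cve": "CVE-2019-3859"}},
    {"severity": "CRITICAL", "state": "CONFIRMED",
     "identifiers": [{"externalId": "CVE-2016-8735", "externalType": "cve"}],
     "cveEnrichment": {"epssScore": 0.94, "isKnownExploit": True, "cve": "CVE-2016-8735"}},
    {"severity": "HIGH", "state": "DETECTED",   # constructed non-CVE advisory id
     "identifiers": [{"externalId": "GHSA-xxxx-xxxx-xxxx", "externalType": "ghsa"}],
     "cveEnrichment": None},
    {"severity": "MEDIUM", "state": "DETECTED",  # constructed placeholder CVE id
     "identifiers": [{"externalId": "CVE-2000-0001", "externalType": "cve"}],
     "cveEnrichment": {"epssScore": 0.88, "isKnownExploit": False, "cve": "CVE-2000-0001"}},
    {"severity": "HIGH", "state": "RESOLVED",    # constructed placeholder CVE id
     "identifiers": [{"externalId": "CVE-2000-0002", "externalType": "cve"}],
     "cveEnrichment": {"epssScore": 0.97, "isKnownExploit": True, "cve": "CVE-2000-0002"}},
]}}}})

# Critical sorts first; unknown severities sort last.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4, "UNKNOWN": 5}
# Only detected (needs triage) and confirmed findings are considered (assumed state values).
TRIAGE_STATES = {"DETECTED", "CONFIRMED"}


def priority_key(node):
    """Sort key: KEV first, then higher EPSS, then severity Critical -> Low."""
    enrichment = node.get("cveEnrichment") or {}
    return (
        0 if enrichment.get("isKnownExploit") else 1,
        -(enrichment.get("epssScore") or 0.0),
        SEVERITY_RANK.get(node.get("severity", "UNKNOWN"), SEVERITY_RANK["UNKNOWN"]),
    )


def prioritize(response_json):
    """Return CVE IDs from a GraphQL response in remediation priority order."""
    nodes = json.loads(response_json)["data"]["project"]["vulnerabilities"]["nodes"]
    eligible = [n for n in nodes if n.get("cveEnrichment") and n.get("state") in TRIAGE_STATES]
    return [n["cveEnrichment"]["cve"] for n in sorted(eligible, key=priority_key)]


if __name__ == "__main__":
    for rank, cve in enumerate(prioritize(SAMPLE_RESPONSE), start=1):
        print(f"{rank}. {cve}")
```

With the sample above the medium-severity CVE with EPSS 0.88 ranks ahead of the critical CVE with EPSS 0.2, which is the trade-off the introduction describes.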

To add the Vulnerability Prioritizer CI/CD component to your project’s CI/CD pipeline, see the Vulnerability Prioritizer documentation.