Add EPSS Scores to Vulnerabilities Pages for CVEs #544

Closed
2 tasks done
msymons opened this issue Jul 10, 2023 · 3 comments · Fixed by #832
Labels
enhancement New feature or request

Comments

Member

msymons commented Jul 10, 2023

Current Behavior

The Vulnerability page for a CVE vulnerability lists CVSS scores but does not include any information on EPSS scores.

Proposed Behavior

Add EPSS score and EPSS Percentile score to vulnerability pages for CVE vulnerabilities.

Currently, when viewing such a vulnerability, one has to click on "Affected Projects" and then choose a project and then click on "Exploit Predictions". And remember exactly which CVE you were interested in!

Checklist

@msymons msymons added the enhancement New feature or request label Jul 10, 2023
Member

nscuro commented Jul 10, 2023

Great suggestion @msymons!

Do you have any idea of how you'd prefer this information to be presented? Just raw numbers, or some sort of graph or widget?

Member Author

msymons commented Jul 11, 2023

Well, the raw numbers would be an MVP and would (hopefully) be a prompt for other users to weigh in.
As for graph/widget, I would want such to be considered as part of an overhaul of the whole vulnerability screen... something that could address a lot of niggles:

  1. Make it clear whether displayed CVSS scores are CVSS2 or CVSS3. Or CVSS4.... not yet supported in DT but on the backlog.
  2. Link to original CVE. A GHSA vulnerability includes links to the NVD in the references section, but a CVE vuln has no equivalent link... although I am pretty certain it used to in older versions of DT.
  3. Weakness (CWE) could have an additional link to (say) "Other vulnerabilities with same CWE".

i.e., by considering overall functionality/layout of the screen, it should be easier to design how to fit a graph/widget for EPSS into the whole.

Contributor

aravindparappil46 commented Mar 26, 2024

Hello!
I have raised a PR to address this request: #789
(Just displaying the raw numbers for now)

EDIT: Something happened to the old branch while I was attempting to fix conflicts and the PR got closed 🙈.
Have opened a new PR #832
