EPSS enricher will only return the first 100 results #101

Open
garethr opened this issue Dec 12, 2022 · 2 comments
Labels
bug Something isn't working

Comments

@garethr
Contributor

garethr commented Dec 12, 2022

The current enricher makes a single request https://github.com/devops-kung-fu/bomber/blob/main/lib/enrichment/epss.go

For an SBOM with more than 100 vulnerabilities this will hit the detail limits of the API, which is 100 records returned. It does appear that the limit can be increased using ?limit=X but it's possible you'll hit length constraints before then.

This likely needs to parse the returned structure (which contains the limit, offset and total) and then page through this, taking into account any URL length constraints (at least CVEs are fixed length).

http "https://api.first.org/data/v1/epss?cve=CVE-2022-46161,CVE-2022-46162&limit=1000"
{
    "access": "public",
    "data": [
        {
            "cve": "CVE-2022-46162",
            "date": "2022-12-11",
            "epss": "0.008850000",
            "percentile": "0.271180000"
        },
        {
            "cve": "CVE-2022-46161",
            "date": "2022-12-11",
            "epss": "0.014400000",
            "percentile": "0.729830000"
        }
    ],
    "limit": 1000,
    "offset": 0,
    "status": "OK",
    "status-code": 200,
    "total": 2,
    "version": "1.0"
}
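An added example (not bomber's own code) of the paging and batching described above: it reads the limit, offset and total fields of a reply shaped like the one shown to decide whether another page must be requested, and splits CVE ids into comma-joined groups that stay under a URL length budget. The 30-byte budget and the third CVE id are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// epssResponse keeps the reply fields that drive paging (see the sample reply above).
type epssResponse struct {
	Data   []struct{ CVE string `json:"cve"` } `json:"data"`
	Limit  int `json:"limit"`
	Offset int `json:"offset"`
	Total  int `json:"total"`
}

// nextOffset returns the next offset to request, or -1 once offset+len(data) reaches total.
func nextOffset(body []byte) (int, error) {
	var r epssResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return 0, err
	}
	if r.Offset+len(r.Data) >= r.Total {
		return -1, nil
	}
	return r.Offset + r.Limit, nil
}

// batchCVEs joins ids with commas into groups of at most maxLen bytes (a URL length budget).
func batchCVEs(ids []string, maxLen int) []string {
	var out, cur []string
	curLen := -1 // len(strings.Join(cur, ",")); -1 so the first id adds no comma
	for _, id := range ids {
		if len(cur) > 0 && curLen+1+len(id) > maxLen {
			out = append(out, strings.Join(cur, ","))
			cur, curLen = nil, -1
		}
		cur = append(cur, id)
		curLen += 1 + len(id)
	}
	if len(cur) > 0 {
		out = append(out, strings.Join(cur, ","))
	}
	return out
}

func main() {
	ids := []string{"CVE-2022-46161", "CVE-2022-46162", "CVE-0000-00003"} // third id constructed
	fmt.Println(batchCVEs(ids, 30)) // a 30-byte budget splits after two 14-byte ids
}
```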
@djschleen
Member

Ahhh yes... good catch @garethr. OSS Index has the same limitation with 127 so we iterate and step that in the provider.

@djschleen djschleen added the bug Something isn't working label Dec 14, 2022
@djschleen djschleen added this to the 0.4.1 milestone Dec 14, 2022
@djschleen djschleen changed the title EPSS provider will only return the first 100 results EPSS enricher will only return the first 100 results Dec 16, 2022
@djschleen djschleen removed this from the 0.4.1 milestone Apr 13, 2023
@djschleen
Member

Hey @garethr - I think I fixed this in my #183 PR... a bit maybe. I added some batch logic to the epss.go file, but really I need to get all of the vulnerabilities, flatten them (so I don't dupe calls), and then enrich the output. That way I could possibly make one or two calls and get all the scores back.

Not sure if this makes sense, but it's a little faster and batched now, but needs more work. I'm still trying to get this worked out, but it needs some further refactoring first.

@djschleen djschleen added deferred Gonna get to this when we can and removed deferred Gonna get to this when we can labels Nov 21, 2023