EPSS enricher will only return the first 100 results

[garethr]

The current enricher makes a single request https://github.com/devops-kung-fu/bomber/blob/main/lib/enrichment/epss.go

For an SBOM with more than 100 vulnerabilities this will hit the detail limits of the API, which is 100 records returned. It does appear that the limit can be increased using ?limit=X but it's possible you'll hit length constrains before then.

This likely needs to parse the returned structure (which contains the limit, offsite and total) and then page through this, taking into account any URL length constrains (at least CVEs are fixed length).

http "https://api.first.org/data/v1/epss?cve=CVE-2022-46161,CVE-2022-46162&limit=1000"
{
    "access": "public",
    "data": [
        {
            "cve": "CVE-2022-46162",
            "date": "2022-12-11",
            "epss": "0.008850000",
            "percentile": "0.271180000"
        },
        {
            "cve": "CVE-2022-46161",
            "date": "2022-12-11",
            "epss": "0.014400000",
            "percentile": "0.729830000"
        }
    ],
    "limit": 1000,
    "offset": 0,
    "status": "OK",
    "status-code": 200,
    "total": 2,
    "version": "1.0"
}

[djschleen]

Ahhh yes... good catch @garethr. OSS Index has the same limitation with 127 so we iterate and step that in the provider.

[djschleen]

Hey @garethr - I think I fixed this in my #183 PR... a bit maybe. I added some batch logic to the epss.go file, but really i need to get all of the vulnerabilities, flatten them (so i don't dupe calls), and then enrich the output. That way I could possibly make one or two calls and get all the scores back.

Not sure if this make sense, but it's a little faster and batched now, but needs more work. I'm still trying to get this worked out, but needs some further refactoring first.