npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

npm-epss-audit

v0.0.13

Published

Use EPSS scores to prioritize NPM Audit findings

Downloads

11

Readme

NPM EPSS Audit

Currently NPM Audit reports severity of vulnerabilities based on the CVSS score. Also the response received from NPM bulk audit used within npm audit do not include CVEs in the report as of May 2023. This interim tool uses the NPM Quick Audit end point to retrieve associated CVEs and reports corresponding EPSS scores to help prioritize vulnerabilities.

Note Version 0.0.12+ includes support to check if a CVE is included in the CISA Known Exploited Vulnerability (KEV) catalog.

About EPSS

EPSS stands for Exploit Prediction Scoring System. It is a machine learning-based model that predicts the likelihood of a software vulnerability being exploited in the wild. The EPSS score is a number between 0 and 1, with a higher score indicating a higher likelihood of exploitation. The EPSS score is calculated using a variety of factors, including the severity of the vulnerability, the availability of exploit code, and the number of known attacks.

See EPSS at https://www.first.org/epss.

About CISA Known Exploited Vulnerability (KEV) catalog

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerability (KEV) catalog. CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors. All federal civilian executive branch (FCEB) agencies are required to remediate vulnerabilities in the KEV catalog within prescribed timeframes.

See CISA KEV Catalog at https://www.cisa.gov/known-exploited-vulnerabilities.

Warning The CISA KEV catalog is very limited when it comes to individual NPM packages. This is included to support future use cases of the tool.

Usage

NPM Audit requires that all project dependencies are already installed and package-lock.json file exists. Make sure to install dependencies in the project before running the tool.

Usage via npx

## Run the tool in the project directory
npx npm-epss-audit@latest

Usage via global install option

## Install the tool globally
npm install -g npm-epss-audit@latest

## Run the tool in the project directory
npm-epss-audit

Options

Usage: npm-epss-audit [-v|--verbose] [-r|--refresh] [-f|--fail-on-past-duedate] [-t|--threshold]

Options:
      --version               Show version number                      [boolean]
  -v, --verbose               Verbose output
  -r, --refresh               Refresh EPSS scores
  -f, --fail-on-past-duedate  Fail on past CISA KVE due date
  -t, --threshold             EPSS score threshold to fail the audit
                                                           [number] [default: 0]
      --help                  Show help                                [boolean]

Exit Codes

For use in CI pipelines and automation tools, the tool will exit with the following exit codes:

  • 0: Ran successfully and no vulnerabilities found
  • 1: Failed to run due to errors or other configuration issues
  • 2: Ran successfully and vulnerabilities found that exceeded the EPSS Score threshold (default: 0.0, means all vulnerabilities are reported)

You may also use the --fail-on-past-duedate option to fail the audit if any of the vulnerabilities are past the CISA KEV due date or set the --threshold option to a value of your choice greater than 0.0 to fail the audit if any of the vulnerabilities exceed the EPSS Score threshold.

Example output

# Run with default options
npm-epss-audit

Auditing <project> v0.1.0

┌─────────┬────────────────────────┬────────────┬──────────────────┬──────┬────────────────┬───────────┬──────────┐
│ (index) │         Module         │  Severity  │      CVE ID      │ CVSS │ EPSS Score (%) │ CISA KEV? │ Due Date │
├─────────┼────────────────────────┼────────────┼──────────────────┼──────┼────────────────┼───────────┼──────────┤
│    0    │        'json5'         │   'high'   │ 'CVE-2022-46175' │ 7.1  │     0.225      │   'No'    │    ''    │
│    1    │     'loader-utils'     │ 'critical' │ 'CVE-2022-37601' │ 9.8  │     0.163      │   'No'    │    ''    │
└─────────┴────────────────────────┴────────────┴──────────────────┴──────┴────────────────┴───────────┴──────────┘

# Fail audit only for vulnerabilities with EPSS score greater than 0.0015 (0.15%)
npm-epss-audit --threshold 0.0015

Auditing <project> v0.1.0

┌─────────┬────────────────────────┬────────────┬──────────────────┬──────┬────────────────┬───────────┬──────────┐
│ (index) │         Module         │  Severity  │      CVE ID      │ CVSS │ EPSS Score (%) │ CISA KEV? │ Due Date │
├─────────┼────────────────────────┼────────────┼──────────────────┼──────┼────────────────┼───────────┼──────────┤
│    0    │        'json5'         │   'high'   │ 'CVE-2022-46175' │ 7.1  │     0.225      │   'No'    │    ''    │
│    1    │     'loader-utils'     │ 'critical' │ 'CVE-2022-37601' │ 9.8  │     0.163      │   'No'    │    ''    │
└─────────┴────────────────────────┴────────────┴──────────────────┴──────┴────────────────┴───────────┴──────────┘


At least one CVE with EPSS Score threshold 0.0015 exceeded.

Configuration Options

On first run, the tool will create a folder named .epss in the ${HOME} or "/tmp" folder. This folder will contain the raw EPSS Data file and uncompressed CSV file. If you would like to choose a different folder, you may set the EPSS_DATA_FOLDER environment variable to the desired folder.

How to contribute

This tool addresses a gap to take advantage of EPSS Scores for NPM packages, as a starting point to prioritize vulnerabilities. This is probably just be an interim tool until NPM Audit includes CVEs and EPSS scores in the bulk audit response and audit report and streamline this process for developers.

If you would like to contribute to this project, feel free to fork and create PR if you can. Otherwise, create an issue with your thoughts and ideas.

References