From fa38edfa2ef0cca022571659e6093b7ce5ce422b Mon Sep 17 00:00:00 2001
From: mkmurali
Date: Wed, 31 May 2023 16:47:01 -0500
Subject: [PATCH 01/12] CISA KEV Support
---
 README.md | 37 +++++++++++++-------
 bin/index.js | 98 +++++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 118 insertions(+), 17 deletions(-)
diff --git a/README.md b/README.md
index 07ba394..3013e2c 100644
--- a/README.md
+++ b/README.md
@@ -2,12 +2,24 @@ Currently NPM Audit reports severity of vulnerabilities based on the CVSS score. NPM bulk audit response do not include CVEs in the report as of May 2023. This interim tool uses the NPM Quick Audit end point to retrieve associated CVEs and reports corresponding EPSS scores to help prioritize vulnerabilities. +> **Note** +> Now includes support to check if a CVE is included in the CISA Known Exploited Vulnerability (KEV) catalog. + ## About EPSS EPSS stands for Exploit Prediction Scoring System. It is a machine learning-based model that predicts the likelihood of a software vulnerability being exploited in the wild. The EPSS score is a number between 0 and 1, with a higher score indicating a higher likelihood of exploitation. The EPSS score is calculated using a variety of factors, including the severity of the vulnerability, the availability of exploit code, and the number of known attacks. See EPSS at [https://www.first.org/epss](https://www.first.org/epss). +## About CISA Known Exploited Vulnerability (KEV) catalog + +> For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerability (KEV) catalog. + +See CISA KEV Catalog at [https://www.cisa.gov/known-exploited-vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities). + +> **Note** +> The CISA KEV catalog is very limited when it comes to individual NPM packages. This is included for future updates to the tool. + ## Usage ### Usage via global install option 
@@ -58,24 +70,24 @@ npm-epss-audit Auditing v0.1.0 -┌─────────┬────────────────────────┬────────────┬──────────────────┬──────┬────────────────┐ -│ (index) │ Module │ Severity │ CVE ID │ CVSS │ EPSS Score (%) │ -├─────────┼────────────────────────┼────────────┼──────────────────┼──────┼────────────────┤ -│ 0 │ 'json5' │ 'high' │ 'CVE-2022-46175' │ 7.1 │ 0.225 │ -│ 1 │ 'loader-utils' │ 'critical' │ 'CVE-2022-37601' │ 9.8 │ 0.163 │ -└─────────┴────────────────────────┴────────────┴──────────────────┴──────┴────────────────┘ +┌─────────┬────────────────────────┬────────────┬──────────────────┬──────┬────────────────┬───────────┬──────────┐ +│ (index) │ Module │ Severity │ CVE ID │ CVSS │ EPSS Score (%) │ CISA KEV? │ Due Date │ +├─────────┼────────────────────────┼────────────┼──────────────────┼──────┼────────────────┼───────────┼──────────┤ +│ 0 │ 'json5' │ 'high' │ 'CVE-2022-46175' │ 7.1 │ 0.225 │ 'No' │ '' │ +│ 1 │ 'loader-utils' │ 'critical' │ 'CVE-2022-37601' │ 9.8 │ 0.163 │ 'No' │ '' │ +└─────────┴────────────────────────┴────────────┴──────────────────┴──────┴────────────────┴───────────┴──────────┘ # Fail audit only for vulnerabilities with EPSS score greater than 0.0015 (0.15%) npm-epss-audit --threshold 0.0015 Auditing v0.1.0 -┌─────────┬────────────────────────┬────────────┬──────────────────┬──────┬────────────────┐ -│ (index) │ Module │ Severity │ CVE ID │ CVSS │ EPSS Score (%) │ -├─────────┼────────────────────────┼────────────┼──────────────────┼──────┼────────────────┤ -│ 0 │ 'json5' │ 'high' │ 'CVE-2022-46175' │ 7.1 │ 0.225 │ -│ 1 │ 'loader-utils' │ 'critical' │ 'CVE-2022-37601' │ 9.8 │ 0.163 │ -└─────────┴────────────────────────┴────────────┴──────────────────┴──────┴────────────────┘ +┌─────────┬────────────────────────┬────────────┬──────────────────┬──────┬────────────────┬───────────┬──────────┐ +│ (index) │ Module │ Severity │ CVE ID │ CVSS │ EPSS Score (%) │ CISA KEV? 
│ Due Date │ +├─────────┼────────────────────────┼────────────┼──────────────────┼──────┼────────────────┼───────────┼──────────┤ +│ 0 │ 'json5' │ 'high' │ 'CVE-2022-46175' │ 7.1 │ 0.225 │ 'No' │ '' │ +│ 1 │ 'loader-utils' │ 'critical' │ 'CVE-2022-37601' │ 9.8 │ 0.163 │ 'No' │ '' │ +└─────────┴────────────────────────┴────────────┴──────────────────┴──────┴────────────────┴───────────┴──────────┘ At least one CVE with EPSS Score threshold 0.0015 exceeded. @@ -101,3 +113,4 @@ Otherwise, create an issue with your thoughts and ideas. - [EPSS](https://www.first.org/epss/data_stats) - [NPM Audit](https://docs.npmjs.com/cli/v9/commands/npm-audit) - [NPM Quick Audit](https://docs.npmjs.com/cli/v9/commands/npm-audit#quick-audit-endpoint) +- [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities) diff --git a/bin/index.js b/bin/index.js index d820187..cc67cad 100644 --- a/bin/index.js +++ b/bin/index.js @@ -11,6 +11,7 @@ const EPSS_DATA_FOLDER = process.env.EPSS_DATA_FOLDER || process.env.HOME || "/tmp"; const epssScores = {}; +const kevData = {}; async function downloadFile(url, path) { const outfile = fs.createWriteStream(path); @@ -18,6 +19,21 @@ async function downloadFile(url, path) { await finished(Readable.fromWeb(response.body).pipe(outfile)); } +async function syncKEV(refresh = false) { + if (!fs.existsSync(`${EPSS_DATA_FOLDER}/.epss`)) { + console.log(`\nCreating ${EPSS_DATA_FOLDER}/.epss folder`); + fs.mkdirSync(`${EPSS_DATA_FOLDER}/.epss`); + } + + if (!fs.existsSync(`${EPSS_DATA_FOLDER}/.epss/kev.json`) || refresh) { + console.log(`\nDownloading CISA Known Exploited Vulnerabilities catalog`); + await downloadFile( + "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json", + `${EPSS_DATA_FOLDER}/.epss/kev.json` + ); + } +} + async function syncEpss(refresh = false) { if (!fs.existsSync(`${EPSS_DATA_FOLDER}/.epss`)) { console.log(`\nCreating ${EPSS_DATA_FOLDER}/.epss folder`); 
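Review bot: In the new syncKEV, kev.json is only re-downloaded when `refresh` is passed, so once the catalog is cached it never expires and CVEs added to KEV later are reported as `No` until someone remembers `--refresh`; CISA adds entries frequently, so an age check on the cached file is worth having alongside the existence check. The `-r` option is still described as "Refresh EPSS scores" although it now refreshes the KEV catalog too. The folder-creation block is a copy of the one in syncEpss and could be a shared helper. A download that fails partway (downloadFile's fetch and any status handling are outside this hunk) would also leave a truncated kev.json that the next run trusts; writing to a temporary name and renaming on success avoids caching a bad file.
```javascript
async function syncKEV(refresh = false) {
  // … unchanged: create the .epss folder when missing …
  const kevPath = `${EPSS_DATA_FOLDER}/.epss/kev.json`;
  const KEV_MAX_AGE_MS = 24 * 60 * 60 * 1000; // proposed: re-fetch a cached catalog older than a day
  const isStale =
    fs.existsSync(kevPath) &&
    Date.now() - fs.statSync(kevPath).mtimeMs > KEV_MAX_AGE_MS;
  if (!fs.existsSync(kevPath) || isStale || refresh) {
    // … unchanged: console.log and downloadFile call, using kevPath …
  }
}
```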
@@ -42,6 +58,19 @@ async function syncEpss(refresh = false) { } } +async function loadKEVCatalog(refresh = false) { + const kevContents = fs.readFileSync( + `${EPSS_DATA_FOLDER}/.epss/kev.json`, + "utf8" + ); + const kev = JSON.parse(kevContents); + for (const item of kev.vulnerabilities) { + kevData[item.cveID] = { + ...item, + }; + } +} + async function loadScores(refresh = false) { const csv = fs.readFileSync(`${EPSS_DATA_FOLDER}/.epss/epss.csv`, "utf8"); const lines = csv.split("\n"); @@ -65,7 +94,7 @@ async function loadScores(refresh = false) { // console.log(`Loaded ${idx} EPSS scores`); } -async function audit(verbose = false, threshold = 0.0) { +async function audit(verbose = false, threshold = 0.0, failOnPastDue = false) { if (!fs.existsSync(process.cwd() + "/package.json")) { console.log( `\nError: package.json not found in ${process.cwd()}. Run 'npm-epss-audit' in the project root directory where package.json is located.` @@ -131,6 +160,9 @@ async function audit(verbose = false, threshold = 0.0) { } let aboveThreshold = false; + let pastDueDate = false; + + const today = new Date(); // Print results // Metadata -> Vulnerabilities @@ -166,6 +198,7 @@ async function audit(verbose = false, threshold = 0.0) { ); console.log(`More info: ${value.url}`); console.log(`\n`); + if (value.cves && value.cves.length > 0) { console.log(`CVSS Score: ${value.cvss.score}`); console.log(`CVE: ${value.cves[0]}`); 
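Review bot: loadKEVCatalog trusts the shape of the cached kev.json without checking it: if the download produced something other than the catalog (an error page, a truncated file), `kev.vulnerabilities` is undefined, the `for...of` throws a TypeError that surfaces as a generic error exit, and the bad file stays cached for the next run. A guard such as `if (!Array.isArray(kev?.vulnerabilities)) throw new Error(\`Invalid KEV catalog at ${EPSS_DATA_FOLDER}/.epss/kev.json; rerun with --refresh\`);` names the cause. Because kevData is a plain object keyed by a string taken from the file, initialising it as `Object.create(null)` (or a Map) and keeping only keys that match a CVE id pattern keeps the lookup table free of inherited-property surprises. The `refresh` parameter is unused here and in the `loadKEVCatalog(options.refresh)` call in hunk `@@ -256,11 +332,23 @@`.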
@@ -175,6 +208,23 @@ async function audit(verbose = false, threshold = 0.0) { ).toFixed(3)}%` ); + // Check if CVW is in Known Exploratory Vulnerabilities + const kve = kevData[value.cves[0]]; + if (kve) { + console.log(`CISA Known Exploited Vulnerability: Yes`); + console.log(` Date Added: ${kve.dateAdded}`); + console.log(` Due Date: ${kve.dueDate}`); + + // Check if due date is in the past + const dueDate = new Date(kve.dueDate); + if (today > dueDate) { + pastDueDate = true; + } + } else { + console.log(`CISA Known Exploited Vulnerability: No`); + } + + // Check if EPSS score is above threshold if ( +Number(epssScores[value.cves[0]].epss).toFixed(5) > +Number(threshold).toFixed(5) @@ -182,9 +232,12 @@ async function audit(verbose = false, threshold = 0.0) { aboveThreshold = true; } } + console.log(`\n`); } else { if (value.cves && value.cves.length > 0) { + const kve = kevData[value.cves[0]]; + tabularData.push({ Module: value.module_name, Severity: value.severity, @@ -193,14 +246,25 @@ async function audit(verbose = false, threshold = 0.0) { "EPSS Score (%)": +Number( epssScores[value.cves[0]].epss * 100.0 ).toFixed(3), + "CISA KEV?": kve ? "Yes" : "No", + "Due Date": kve ? kve.dueDate : "", }); + // Check if EPSS score is above threshold if ( +Number(epssScores[value.cves[0]].epss).toFixed(5) > +Number(threshold).toFixed(5) ) { aboveThreshold = true; } + + // Check if due date is in the past + if (kve) { + const dueDate = new Date(kve.dueDate); + if (today > dueDate) { + pastDueDate = true; + } + } } } count++; @@ -222,6 +286,16 @@ async function audit(verbose = false, threshold = 0.0) { console.log(`\n`); + if (pastDueDate) { + console.log( + `At least one CVE is past its due date as per CISA Known Exploited Vulnerabilities Catalog.\n` + ); + + if (failOnPastDue) { + process.exit(2); + } + } + if (aboveThreshold) { if (Number(threshold) > 0.0) { console.log( 
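Review bot: The KEV lookup `const kve = kevData[value.cves[0]];` consults only the first CVE of the advisory, so an advisory whose second or later CVE is in the catalog is reported as `CISA Known Exploited Vulnerability: No`; the same single-index lookup is repeated in hunk `@@ -182,9 +232,12 @@`. Checking every id, e.g. `const kevId = value.cves.find((id) => kevData[id]);` followed by `const kve = kevId ? kevData[kevId] : undefined;`, keeps the output truthful for multi-CVE advisories. The past-due test `today > new Date(kve.dueDate)` parses a date-only string as UTC midnight, so whether a CVE is flagged on its due day depends on the process timezone; comparing calendar dates (for example `kve.dueDate < today.toISOString().slice(0, 10)`) is unambiguous, and since the same block is duplicated in hunk `@@ -193,14 +246,25 @@` it belongs in a small `isPastDue(kve, today)` helper. The comment `// Check if CVW is in Known Exploratory Vulnerabilities` should read `// Check if the CVE is in the CISA Known Exploited Vulnerabilities catalog`, and `kve` is presumably meant to be `kev`.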
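Review bot: In the `if (pastDueDate)` block, `process.exit(2)` fires when `failOnPastDue` is set before the `aboveThreshold` summary below it is printed, so a run that is both past due and over the EPSS threshold loses the threshold message; both outcomes already map to exit code 2, so recording the failure (`let exitCode = 0;` set to `2` in each branch) and calling `process.exit(exitCode);` once where the function currently exits keeps the output complete. The past-due message is printed even without `--fail-on-past-duedate`, which is useful, but the exit-code documentation should state that code 2 now also covers a past KEV due date. audit() continues past the end of this hunk.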
@@ -231,9 +305,9 @@ async function audit(verbose = false, threshold = 0.0) { ); } process.exit(2); - } else { - process.exit(0); } + + process.exit(0); } else { console.log(`No vulnerabilities found`); process.exit(0); @@ -244,7 +318,9 @@ async function audit(verbose = false, threshold = 0.0) { try { const options = yargs .scriptName("npm-epss-audit") - .usage("Usage: $0 [-v|--verbose] [-r|--refresh] [-t|--threshold]]") + .usage( + "Usage: $0 [-v|--verbose] [-r|--refresh] [-t|--threshold]] [-f|--fail-on-past-duedate]" + ) .option("v", { alias: "verbose", describe: "Verbose output", @@ -256,11 +332,23 @@ async function audit(verbose = false, threshold = 0.0) { type: "number", default: 0.0, }) + .option("f", { + alias: "fail-on-past-duedate", + describe: "Fail on past due date", + }) .help(true).argv; await syncEpss(options.refresh); + await syncKEV(options.refresh); + await loadScores(options.refresh); - await audit(options.verbose, options.threshold); + await loadKEVCatalog(options.refresh); + + await audit( + options.verbose, + options.threshold, + options["fail-on-past-duedate"] + ); } catch (err) { console.error(err); process.exit(1); From dcfb4b0f8dc9fd63ee2d75a2f0c77bd54dde6baf Mon Sep 17 00:00:00 2001 From: mkmurali Date: Wed, 31 May 2023 16:48:34 -0500 Subject: [PATCH 02/12] CISA KEV Support --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3013e2c..b267f27 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ See EPSS at [https://www.first.org/epss](https://www.first.org/epss). See CISA KEV Catalog at [https://www.cisa.gov/known-exploited-vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities). > **Note** -> The CISA KEV catalog is very limited when it comes to individual NPM packages. This is included for future updates to the tool. +> The CISA KEV catalog is very limited when it comes to individual NPM packages. This is included to support future use cases of the tool. ## Usage 
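Review bot: The new `.option("f", {...})` declares no `type`, so yargs may treat a following token as the option's value and `options["fail-on-past-duedate"]` can arrive as a string rather than a boolean; adding `type: "boolean",` after the `describe` line makes the flag behave as documented. The `-r` option is still described as `Refresh EPSS scores` although it now also drives `syncKEV(options.refresh)`; `describe: "Refresh EPSS scores and the CISA KEV catalog"` would match the behaviour. `loadKEVCatalog(options.refresh)` passes an argument that the function (added in hunk `@@ -42,6 +58,19 @@`) does not use.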
From 00b392a412493bb637593bf3bcbd500a0e0c0149 Mon Sep 17 00:00:00 2001 From: mkmurali Date: Wed, 31 May 2023 16:56:28 -0500 Subject: [PATCH 03/12] CISA KEV Support --- README.md | 14 ++++++++------ bin/index.js | 10 +++++----- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index b267f27..1dd61aa 100644 --- a/README.md +++ b/README.md @@ -43,14 +43,16 @@ npx npm-epss-audit@latest ### Options ```bash -Usage: npm-epss-audit [-v|--verbose] [-r|--refresh] [-t|--threshold]] +Usage: npm-epss-audit [-v|--verbose] [-r|--refresh] [-f|--fail-on-past-duedate] [-t|--threshold] Options: - --version Show version number [boolean] - -v, --verbose Verbose output - -r, --refresh Refresh EPSS scores - -t, --threshold EPSS score threshold to fail the audit [number] [default: 0.0] - --help Show help [boolean] + --version Show version number [boolean] + -v, --verbose Verbose output + -r, --refresh Refresh EPSS scores + -f, --fail-on-past-duedate Fail on past due date + -t, --threshold EPSS score threshold to fail the audit + [number] [default: 0] + --help Show help [boolean] ``` diff --git a/bin/index.js b/bin/index.js index cc67cad..1893d0a 100644 --- a/bin/index.js +++ b/bin/index.js 
@@ -319,23 +319,23 @@ async function audit(verbose = false, threshold = 0.0, failOnPastDue = false) { const options = yargs .scriptName("npm-epss-audit") .usage( - "Usage: $0 [-v|--verbose] [-r|--refresh] [-t|--threshold]] [-f|--fail-on-past-duedate]" + "Usage: $0 [-v|--verbose] [-r|--refresh] [-f|--fail-on-past-duedate] [-t|--threshold]" ) .option("v", { alias: "verbose", describe: "Verbose output", }) .option("r", { alias: "refresh", describe: "Refresh EPSS scores" }) + .option("f", { + alias: "fail-on-past-duedate", + describe: "Fail on past due date", + }) .option("t", { alias: "threshold", describe: "EPSS score threshold to fail the audit", type: "number", default: 0.0, }) - .option("f", { - alias: "fail-on-past-duedate", - describe: "Fail on past due date", - }) .help(true).argv; await syncEpss(options.refresh); From aca378b3d4b5788517cf0f6a8db9a3cf012a019b Mon Sep 17 00:00:00 2001 From: mkmurali Date: Wed, 31 May 2023 16:58:12 -0500 Subject: [PATCH 04/12] CISA KEV Support --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 1dd61aa..ba6b9c5 100644 --- a/README.md +++ b/README.md @@ -26,18 +26,18 @@ See CISA KEV Catalog at [https://www.cisa.gov/known-exploited-vulnerabilities](h > Note: NPM Audit requires that all project dependencies are already installed and package-lock.json file exists. Make sure to install dependencies in the project before running the tool. -```bash -npm install -g npm-epss-audit@latest +### Usage via npx +```bash ## Run the tool in the project directory -npm-epss-audit +npx npm-epss-audit@latest ``` -### Usage via npx - ```bash +npm install -g npm-epss-audit@latest + ## Run the tool in the project directory -npx npm-epss-audit@latest +npm-epss-audit ``` ### Options From e3ac89bdaeb770db32933613b1649b0dfe8797fb Mon Sep 17 00:00:00 2001 
From: mkmurali Date: Wed, 31 May 2023 16:58:39 -0500 Subject: [PATCH 05/12] CISA KEV Support --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ba6b9c5..1dd6979 100644 --- a/README.md +++ b/README.md @@ -22,8 +22,6 @@ See CISA KEV Catalog at [https://www.cisa.gov/known-exploited-vulnerabilities](h ## Usage -### Usage via global install option - > Note: NPM Audit requires that all project dependencies are already installed and package-lock.json file exists. Make sure to install dependencies in the project before running the tool. ### Usage via npx @@ -33,6 +31,8 @@ See CISA KEV Catalog at [https://www.cisa.gov/known-exploited-vulnerabilities](h npx npm-epss-audit@latest ``` +### Usage via global install option + ```bash npm install -g npm-epss-audit@latest From dad63bb3bb09a31977f8192fa5fcb3abd5b3c1ca Mon Sep 17 00:00:00 2001 From: mkmurali Date: Wed, 31 May 2023 16:59:08 -0500 Subject: [PATCH 06/12] CISA KEV Support --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1dd6979..74bd831 100644 --- a/README.md +++ b/README.md @@ -34,6 +34,7 @@ npx npm-epss-audit@latest ### Usage via global install option ```bash +## Install the tool globally npm install -g npm-epss-audit@latest ## Run the tool in the project directory From 89c1bffec61b8a5fc5a05ff7052c8d592bd4275c Mon Sep 17 00:00:00 2001 From: mkmurali Date: Wed, 31 May 2023 17:01:40 -0500 Subject: [PATCH 07/12] CISA KEV Support --- README.md | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 74bd831..83d2d5c 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,6 @@ # NPM EPSS Audit -Currently NPM Audit reports severity of vulnerabilities based on the CVSS score. NPM bulk audit response do not include CVEs in the report as of May 2023. This interim tool uses the NPM Quick Audit end point to retrieve associated CVEs and reports corresponding EPSS scores to help prioritize vulnerabilities. +Currently NPM Audit reports severity of vulnerabilities based on the CVSS score. Also the response received from NPM bulk audit used within `npm audit` do not include CVEs in the report as of May 2023. This interim tool uses the NPM Quick Audit end point to retrieve associated CVEs and reports corresponding EPSS scores to help prioritize vulnerabilities. > **Note** > Now includes support to check if a CVE is included in the CISA Known Exploited Vulnerability (KEV) catalog. diff --git a/package.json b/package.json index fefc358..cbebc4c 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "npm-epss-audit", - "version": "0.0.11", + "version": "0.0.12", "description": "Use EPSS scores to prioritize NPM Audit findings", "main": "bin/index.js", "bin": { From 1ad22aec6d86bc50365c0214876745f4a74570a8 Mon Sep 17 00:00:00 2001 From: mkmurali Date: Wed, 31 May 2023 17:03:04 -0500 Subject: [PATCH 08/12] CISA KEV Support --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 83d2d5c..20e5f88 100644 --- a/README.md +++ b/README.md 
@@ -3,7 +3,7 @@ Currently NPM Audit reports severity of vulnerabilities based on the CVSS score. Also the response received from NPM bulk audit used within `npm audit` do not include CVEs in the report as of May 2023. This interim tool uses the NPM Quick Audit end point to retrieve associated CVEs and reports corresponding EPSS scores to help prioritize vulnerabilities. > **Note** -> Now includes support to check if a CVE is included in the CISA Known Exploited Vulnerability (KEV) catalog. +> Version 0.0.12+ includes support to check if a CVE is included in the CISA Known Exploited Vulnerability (KEV) catalog. ## About EPSS From 90033ed7b2648c1d8273c5e3603715ec8ff292a8 Mon Sep 17 00:00:00 2001 From: mkmurali Date: Wed, 31 May 2023 17:03:59 -0500 Subject: [PATCH 09/12] CISA KEV Support --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 20e5f88..8eba881 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,8 @@ See CISA KEV Catalog at [https://www.cisa.gov/known-exploited-vulnerabilities](h ## Usage -> Note: NPM Audit requires that all project dependencies are already installed and package-lock.json file exists. Make sure to install dependencies in the project before running the tool. +NPM Audit requires that all project dependencies are already installed and package-lock.json file exists. +Make sure to install dependencies in the project before running the tool. ### Usage via npx From f29832da01394b3e070097e3f43971b78a1ba8c9 Mon Sep 17 00:00:00 2001 From: mkmurali Date: Wed, 31 May 2023 17:05:31 -0500 Subject: [PATCH 10/12] CISA KEV Support --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8eba881..00802c9 100644 --- a/README.md +++ b/README.md 
@@ -13,7 +13,7 @@ See EPSS at [https://www.first.org/epss](https://www.first.org/epss). ## About CISA Known Exploited Vulnerability (KEV) catalog -> For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerability (KEV) catalog. +> For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild: the Known Exploited Vulnerability (KEV) catalog. CISA strongly recommends all organizations review and monitor the KEV catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors. All federal civilian executive branch (FCEB) agencies are required to remediate vulnerabilities in the KEV catalog within prescribed timeframes. See CISA KEV Catalog at [https://www.cisa.gov/known-exploited-vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities). From f1f6e18161f0e3a8ce3afcfbcee6a4b60cda6ab2 Mon Sep 17 00:00:00 2001 From: mkmurali Date: Wed, 31 May 2023 17:07:03 -0500 Subject: [PATCH 11/12] CISA KEV Support --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 00802c9..a0beba0 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ See EPSS at [https://www.first.org/epss](https://www.first.org/epss). See CISA KEV Catalog at [https://www.cisa.gov/known-exploited-vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities). -> **Note** +> **Warning** > The CISA KEV catalog is very limited when it comes to individual NPM packages. This is included to support future use cases of the tool. ## Usage 
From a46f570a85367b3d3e3fb1e96c224478c3899170 Mon Sep 17 00:00:00 2001 From: mkmurali Date: Wed, 31 May 2023 17:09:27 -0500 Subject: [PATCH 12/12] CISA KEV Support --- README.md | 5 ++++- bin/index.js | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a0beba0..236b011 100644 --- a/README.md +++ b/README.md @@ -51,7 +51,7 @@ Options: --version Show version number [boolean] -v, --verbose Verbose output -r, --refresh Refresh EPSS scores - -f, --fail-on-past-duedate Fail on past due date + -f, --fail-on-past-duedate Fail on past CISA KVE due date -t, --threshold EPSS score threshold to fail the audit [number] [default: 0] --help Show help [boolean] @@ -66,6 +66,9 @@ For use in CI pipelines and automation tools, the tool will exit with the follow - 1: Failed to run due to errors or other configuration issues - 2: Ran successfully and vulnerabilities found that exceeded the EPSS Score threshold (default: 0.0, means all vulnerabilities are reported) +You may also use the `--fail-on-past-duedate` option to fail the audit if any of the vulnerabilities are past the CISA KEV due date or +set the `--threshold` option to a value of your choice greater than 0.0 to fail the audit if any of the vulnerabilities exceed the EPSS Score threshold. + ### Example output ```bash diff --git a/bin/index.js b/bin/index.js index 1893d0a..49de1c7 100644 --- a/bin/index.js +++ b/bin/index.js @@ -328,7 +328,7 @@ async function audit(verbose = false, threshold = 0.0, failOnPastDue = false) { .option("r", { alias: "refresh", describe: "Refresh EPSS scores" }) .option("f", { alias: "fail-on-past-duedate", - describe: "Fail on past due date", + describe: "Fail on past CISA KVE due date", }) .option("t", { alias: "threshold",
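Review bot: The new help text `describe: "Fail on past CISA KVE due date"` misspells the catalog acronym; it should be `KEV`, matching the `CISA KEV?` column header in the table output and the README's section title. The same typo is introduced in this patch's README hunk `@@ -51,7 +51,7 @@`. `describe: "Fail the audit if any CVE is past its CISA KEV due date",` would also say what actually happens (exit code 2).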