Using the information from cisa in grype

[tomerse-sg]

What would you like to be added:
CISA provided information regarding if vulnerabilities were exploit.
it will be helpful to present or use this kind of information in grype. I saw we already sync this kind of information from NVD.
link - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Why is this needed:

• prioritize vulnerabilities which were already exploit
• more data about known vulnerabilities
  Additional context:

[tomerse-sg]

is it possible to add it to the grype-db schema change that is planned in the future?
it can be a cool enrichment

[alonmaor]

this would be great a enrichment for the existing vulnerabilities
any update on this?

[tomerse-sg]

can be relevant for here? anchore/grype-db#108

[wagoodman]

Indeed it will be part of the DB v6 work, which is currently being designed (and this feature is already be incorporated from a schema perspective) 🎉 What will need to happen after the schema lands is to update vunnel/grype-db to slurp in the data and populate it into the DB.

[hieunguyentr92]

Hi @wagoodman, we are curious about when this feature is scheduled for implementation. Is there a potential timeline?

[wagoodman]

Right now we're working on releasing the v6 DB schema as the default schema in grype --this is a blocker to getting the cisa KEV data into the DB. The good news is that the v6 work will most likely be released this week if all goes well 🎉 ! I don't want to make any date promises but I think this could land on the order of weeks not months.