diff --git a/test/test_cli.py b/test/test_cli.py index d428f9dd43..69238d5b7a 100644 --- a/test/test_cli.py +++ b/test/test_cli.py @@ -506,6 +506,54 @@ def test_CVSS_score(self, capsys, caplog): my_test_filename_pathlib.unlink() caplog.clear() + def test_basic_epss(self, caplog): + # test EPSS functionality + # updates EPSS in db, scans sbom with EPSS enabled and writes EPSS to csv + with caplog.at_level(logging.ERROR): + epss_filename = "epss_test.csv" + epss_filename_pathlib = Path(epss_filename) + if epss_filename_pathlib.exists(): + epss_filename_pathlib.unlink() + SBOM_PATH = Path(__file__).parent.resolve() / "sbom" + # first let's check that sbom scan with epss enables and update of the epss source runs without error + with caplog.at_level(logging.ERROR): + main( + [ + "cve-bin-tool", + "--metrics", + "-u", + "never", + "--disable-data-source", + "OSV,GAD,REDHAT,PURL2CPE", + "-n", + "json", + "--sbom", + "cyclonedx", + "--sbom-file", + str(SBOM_PATH / "cyclonedx_test.json"), + "-f", + "csv", + "-o", + epss_filename, + ] + ) + assert ( + len(caplog.messages) == 0 + ), f"Error running basic epss with {';'.join(caplog.messages)}" + # as a second stept we check if there are EPSS values in the outputfile + content = epss_filename_pathlib.open(mode="r").read() + csv_rows = list(content.splitlines()) + assert len(csv_rows) > 0 + # row 0 is the header, row 1 should contain some EPSS values + # epss_percentile is the last value + assert csv_rows[0].split(",")[-1] == "epss_percentile" + assert 0.0 <= float(csv_rows[1].split(",")[-1]) <= 1.0 + # epss_probability second last value + assert csv_rows[0].split(",")[-2] == "epss_probability" + assert 0.0 <= float(csv_rows[1].split(",")[-2]) <= 1.0 + if epss_filename_pathlib.exists(): + epss_filename_pathlib.unlink() + def test_EPSS_probability(self, capsys, caplog): """scan with EPSS probability to ensure only CVEs above score threshold are reported Checks cannot placed on epss probability value as the value changes everyday
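Review bot: `assert len(csv_rows) > 0` only guarantees the header row, so the `csv_rows[1]` lookups two lines later raise IndexError instead of a readable assertion when the scan reports no CVEs; the guard should be `assert len(csv_rows) > 1, "expected a header row and at least one CVE row"`. The output is also read with `epss_filename_pathlib.open(mode="r").read()`, which never closes the handle — `content = epss_filename_pathlib.read_text()` does the same without it. Because the trailing `unlink()` runs only after every assertion passes, a failing run leaves `epss_test.csv` behind in the working directory; writing the output under pytest's `tmp_path` fixture (`epss_filename_pathlib = tmp_path / "epss_test.csv"`) removes both the pre-clean and post-clean steps. The inner `with caplog.at_level(logging.ERROR):` is nested inside an outer one at the same level and is redundant, the comment says the run "updates EPSS in db" although the invocation passes `-u never`, and "stept" in the second-step comment is a typo. The enclosing test class starts outside this hunk.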