test: basic execution test for EPSS #4484

test/test_cli.py

@@ -506,6 +506,72 @@ def test_CVSS_score(self, capsys, caplog):
             my_test_filename_pathlib.unlink()
         caplog.clear()
 
+    def test_basic_epss(self, caplog):
+        # test EPSS functionality
+        # updates EPSS in db, scans sbom with EPSS enabled and writes EPSS to csv
+        with caplog.at_level(logging.ERROR):
+            epss_filename = "epss_test.csv"
+            epss_filename_pathlib = Path(epss_filename)
+            if epss_filename_pathlib.exists():
+                epss_filename_pathlib.unlink()
+            SBOM_PATH = Path(__file__).parent.resolve() / "sbom"
+            # first let's check that sbom scan with epss enables and update of the epss source runs without error
+            with caplog.at_level(logging.ERROR):
+                main(
+                    [
+                        "cve-bin-tool",
+                        "--metrics",
+                        "-u",
+                        "never",
+                        "--disable-data-source",
+                        "OSV,GAD,REDHAT,PURL2CPE",
+                        "-n",
+                        "json",
+                        "--sbom",
+                        "cyclonedx",
+                        "--sbom-file",
+                        str(SBOM_PATH / "cyclonedx_test.json"),
+                        "-f",
+                        "csv",
+                        "-o",
+                        epss_filename,
+                    ]
+                )
+                assert (
+                    len(caplog.messages) == 0
+                ), f"Error running basic epss with {';'.join(caplog.messages)}"
+            # as a second stept we check if there are EPSS values in the outputfile
+            content = epss_filename_pathlib.open(mode="r", newline="").read()
+            # filter out empty lines under windows
+            csv_rows = content.splitlines()
+            assert len(csv_rows) > 0
+            # row 0 is the header,
+            # vendor,product,version,location,cve_number,severity,score,source,cvss_version,cvss_vector,paths,
+            # remarks,comments,epss_probability,epss_percentile
+            row_zero = csv_rows[0].split(",")
+            # row 1 should contain some EPSS values
+            # gnu,glibc,2.11.1,NotFound,CVE-2009-5029,MEDIUM,6.8,NVD,2,AV:N/AC:M/Au:N/C:P/I:P/A:P,,
+            # NewFound,,0.00801,0.82134
+            row_one = csv_rows[1].split(",")
+            # epss_percentile is the last value
+            assert row_zero[-1] == "epss_percentile", (
+                "last header value in produced csv file must be " "'epss_percentile'"
+            )
+
+            assert len(row_one) == 15, "one csv row should have 15 values"
+            assert (
+                0.0 <= float(row_one[-1]) <= 1.0
+            ), "last value in the row must be the epss percentile value, i.e., a floating point between 0.0 and 1.0"
+            # epss_probability second last value
+            assert (
+                row_zero[-2] == "epss_probability"
+            ), "second last header value in produced csv file must be 'epss_probability'"
+            assert (
+                0.0 <= float(row_one[-2]) <= 1.0
+            ), "last value in the row must be the epss  probability value, i.e., a floating point between 0.0 and 1.0"
+            if epss_filename_pathlib.exists():
+                epss_filename_pathlib.unlink()
+
     def test_EPSS_probability(self, capsys, caplog):
         """scan with EPSS probability to ensure only CVEs above score threshold are reported
         Checks cannot placed on epss probability value as the value changes everyday