test: basic execution test for EPSS #4484 (#4510)
* test: basic execution test for EPSS #4484

Add a test to the cli tests to check the EPSS functionality:
It first tests if the update of EPSS source runs without errors
(regression test for #4473).
Then checks for an example SBOM if EPSS values are written to csv report.

* test: Added sugestion to use -u never instead of -u now

* Adds better assert messages on failure and filters out empty lines in Windows csv files caused by double newlines in the csv file

---------

Co-authored-by: Terri Oda <terri.oda@intel.com>
weichslgartner and terriko authored Dec 18, 2024
1 parent 707d110 commit 8791957
Showing 1 changed file with 66 additions and 0 deletions.
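--- a/test/test_cli.py
+++ b/test/test_cli.py
@@ -506,6 +506,72 @@ def test_CVSS_score(self, capsys, caplog):
 my_test_filename_pathlib.unlink()
 caplog.clear()
 
+def test_basic_epss(self, caplog):
+# test EPSS functionality
+# updates EPSS in db, scans sbom with EPSS enabled and writes EPSS to csv
+with caplog.at_level(logging.ERROR):
+epss_filename = "epss_test.csv"
+epss_filename_pathlib = Path(epss_filename)
+if epss_filename_pathlib.exists():
+epss_filename_pathlib.unlink()
+SBOM_PATH = Path(__file__).parent.resolve() / "sbom"
+# first let's check that sbom scan with epss enables and update of the epss source runs without error
+with caplog.at_level(logging.ERROR):
+main(
+[
+"cve-bin-tool",
+"--metrics",
+"-u",
+"never",
+"--disable-data-source",
+"OSV,GAD,REDHAT,PURL2CPE",
+"-n",
+"json",
+"--sbom",
+"cyclonedx",
+"--sbom-file",
+str(SBOM_PATH / "cyclonedx_test.json"),
+"-f",
+"csv",
+"-o",
+epss_filename,
+]
+)
+assert (
+len(caplog.messages) == 0
+), f"Error running basic epss with {';'.join(caplog.messages)}"
+# as a second stept we check if there are EPSS values in the outputfile
+content = epss_filename_pathlib.open(mode="r", newline="").read()
+# filter out empty lines under windows
+csv_rows = content.splitlines()
+assert len(csv_rows) > 0
+# row 0 is the header,
+# vendor,product,version,location,cve_number,severity,score,source,cvss_version,cvss_vector,paths,
+# remarks,comments,epss_probability,epss_percentile
+row_zero = csv_rows[0].split(",")
+# row 1 should contain some EPSS values
+# gnu,glibc,2.11.1,NotFound,CVE-2009-5029,MEDIUM,6.8,NVD,2,AV:N/AC:M/Au:N/C:P/I:P/A:P,,
+# NewFound,,0.00801,0.82134
+row_one = csv_rows[1].split(",")
+# epss_percentile is the last value
+assert row_zero[-1] == "epss_percentile", (
+"last header value in produced csv file must be " "'epss_percentile'"
+)
+
+assert len(row_one) == 15, "one csv row should have 15 values"
+assert (
+0.0 <= float(row_one[-1]) <= 1.0
+), "last value in the row must be the epss percentile value, i.e., a floating point between 0.0 and 1.0"
+# epss_probability second last value
+assert (
+row_zero[-2] == "epss_probability"
+), "second last header value in produced csv file must be 'epss_probability'"
+assert (
+0.0 <= float(row_one[-2]) <= 1.0
+), "last value in the row must be the epss probability value, i.e., a floating point between 0.0 and 1.0"
+if epss_filename_pathlib.exists():
+epss_filename_pathlib.unlink()
+
 def test_EPSS_probability(self, capsys, caplog):
 """scan with EPSS probability to ensure only CVEs above score threshold are reported
 Checks cannot placed on epss probability value as the value changes everyday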
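Review bot: The `assert len(csv_rows) > 0` right after `csv_rows = content.splitlines()` does not guard the later `csv_rows[1]` access, so a report that contains only the header line fails with an IndexError instead of a readable assertion; use `assert len(csv_rows) > 1, "csv report must contain a header and at least one data row"`. The message on the `float(row_one[-2])` assertion still says "last value in the row" although that check targets the second-last column (epss_probability); change it to `"second last value in the row must be the epss probability value, i.e., a floating point between 0.0 and 1.0"`. `epss_filename_pathlib.open(mode="r", newline="").read()` never closes the handle; wrapping it in a `with` block, or parsing with `csv.reader`, would be cleaner, and `csv.reader` would also keep the `len(row_one) == 15` check correct if a quoted comments or remarks field ever contains a comma. The inner `with caplog.at_level(logging.ERROR):` around `main(...)` is redundant with the outer one that wraps the whole body and can be dropped.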
