-
Notifications
You must be signed in to change notification settings - Fork 457
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: adding EPSS probability filter #3273
Conversation
Codecov Report
@@ Coverage Diff @@
## main #3273 +/- ##
==========================================
+ Coverage 80.62% 81.03% +0.41%
==========================================
Files 724 724
Lines 11375 11400 +25
Branches 1551 1559 +8
==========================================
+ Hits 9171 9238 +67
+ Misses 1778 1738 -40
+ Partials 426 424 -2
Flags with carried forward coverage won't be shown. Click here to find out more.
... and 7 files with indirect coverage changes 📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
cve_bin_tool/cli.py
Outdated
@@ -575,6 +581,12 @@ def main(argv=None): | |||
epss_percentile = 0 | |||
if float(args["epss_percentile"]) > 0: | |||
epss_percentile = float(args["epss_percentile"]) / 100 | |||
LOGGER.critical(f"epss percentile stored {epss_percentile}") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be LOGGER.debug (if at all) - we don't log the CVSS score for example
cve_bin_tool/cli.py
Outdated
epss_probability = 0 | ||
if float(args["epss_probability"]) > 0: | ||
epss_probability = float(args["epss_probability"]) / 100 | ||
LOGGER.critical(f"epss percentile stored {epss_probability}") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be LOGGER.debug (if at all) - we don't log the CVSS score for example
cve_bin_tool/cve_scanner.py
Outdated
if self.score > 10: | ||
return | ||
if self.epss_percentile > 100: | ||
if self.score > 10 or self.epss_probability > 1 or self.epss_percentile > 1: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggest epss comparisons are > 1.0
cve_bin_tool/cve_scanner.py
Outdated
@@ -274,7 +276,7 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData): | |||
value[1], | |||
] | |||
# checking if epss percentile filter is applied | |||
if self.epss_percentile: | |||
if self.epss_percentile or self.epss_probability: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There will always be a value for epss_percentile or epss_probability.
Do you not mean
if self.epss_percentile > 0 or self.epss_probability > 0:
@@ -484,6 +484,38 @@ def test_CVSS_score(self, capsys, caplog): | |||
my_test_filename_pathlib.unlink() | |||
caplog.clear() | |||
|
|||
def test_EPSS_probability(self, capsys, caplog): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is only testing that the probability can't be < 0. Need to also add a test for > 100. Need ti find a way of actually testing the filtering as well.
caplog.clear() | ||
if my_test_filename_pathlib.exists(): | ||
my_test_filename_pathlib.unlink() | ||
|
||
def test_EPSS_percentile(self, capsys, caplog): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is only testing that the percentile can't be < 0. Need to also add a test for > 100. Need ti find a way of actually testing the filtering as well.
cve_bin_tool/cli.py
Outdated
@@ -575,6 +581,12 @@ def main(argv=None): | |||
epss_percentile = 0 | |||
if float(args["epss_percentile"]) > 0: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need to test for an upper bound (> 100)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like there's still some changes to be done here, such as changing the logger messages to debug. I'm just flagging this as needing changes to make it easier for me to triage the PR list.
@anthonyharrison, I have covered every change you suggested. If there is more, let me know. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are no checks for the upper bound of the epss_percentile or epss_probability within the cli module.
Line 582 needs modifying to include a <=100 check. Similarly for the probaility.
Note that the help text for the epss-probability parameter mentions percentil. Should say probability
@anthonyharrison , the first line for epss_probability or percentile was converted from 0-100 to 0-1. If the given value were more than it. cve_scanner, the first line would find the value is more than it and return no cve. But still, I have added to check it for it. |
@Rexbeast2 Thanks. I saw the check in cve_scanner but it meant an invalid value ( more than 100) was effectively silently ignored. Adding the check in the cli module is much better. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, this looks like it's ready enough to merge. If there's still some smaller stuff that need fixing I think it can go in a refactor PR?
fixes: #3243
And this also fixes a small typo error. propability -> probability. IG nobody noticed till now. sorry for this spelling error.😅