feat: adding EPSS probability filter

[Rexbeast2]

fixes: #3243
And this also fixes a small typo error. propability -> probability. IG nobody noticed till now. sorry for this spelling error.😅

[codecov-commenter]

Codecov Report

Merging #3273 (591a670) into main (122f306) will increase coverage by 0.41%.
The diff coverage is 63.88%.

@@            Coverage Diff             @@
##             main    #3273      +/-   ##
==========================================
+ Coverage   80.62%   81.03%   +0.41%     
==========================================
  Files         724      724              
  Lines       11375    11400      +25     
  Branches     1551     1559       +8     
==========================================
+ Hits         9171     9238      +67     
+ Misses       1778     1738      -40     
+ Partials      426      424       -2     

Flag	Coverage Δ
longtests	80.51% <63.88%> (+4.86%)	⬆️
win-longtests	78.84% <63.88%> (+0.26%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed	Coverage Δ
cve_bin_tool/cve_scanner.py	81.68% <36.36%> (-4.39%)	⬇️
cve_bin_tool/cli.py	66.48% <71.42%> (-0.57%)	⬇️
test/test_cli.py	87.53% <77.77%> (+1.40%)	⬆️

... and 7 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[anthonyharrison]

This should be LOGGER.debug (if at all) - we don't log the CVSS score for example

[anthonyharrison]

This should be LOGGER.debug (if at all) - we don't log the CVSS score for example

[anthonyharrison]

Suggest epss comparisons are > 1.0

[anthonyharrison]

There will always be a value for epss_percentile or epss_probability.

Do you not mean

if self.epss_percentile > 0 or self.epss_probability > 0:

[anthonyharrison]

This is only testing that the probability can't be < 0. Need to also add a test for > 100. Need ti find a way of actually testing the filtering as well.

[anthonyharrison]

This is only testing that the percentile can't be < 0. Need to also add a test for > 100. Need ti find a way of actually testing the filtering as well.

[anthonyharrison]

Need to test for an upper bound (> 100)

[terriko]

Looks like there's still some changes to be done here, such as changing the logger messages to debug. I'm just flagging this as needing changes to make it easier for me to triage the PR list.

[Rexbeast2]

@anthonyharrison, I have covered every change you suggested. If there is more, let me know.

[anthonyharrison]

There are no checks for the upper bound of the epss_percentile or epss_probability within the cli module.

Line 582 needs modifying to include a <=100 check. Similarly for the probaility.

Note that the help text for the epss-probability parameter mentions percentil. Should say probability

[Rexbeast2]

@anthonyharrison , the first line for epss_probability or percentile was converted from 0-100 to 0-1. If the given value were more than it. cve_scanner, the first line would find the value is more than it and return no cve. But still, I have added to check it for it.

[anthonyharrison]

@Rexbeast2 Thanks. I saw the check in cve_scanner but it meant an invalid value ( more than 100) was effectively silently ignored. Adding the check in the cli module is much better.

[terriko]

Okay, this looks like it's ready enough to merge. If there's still some smaller stuff that need fixing I think it can go in a refactor PR?