Enable metrics if epss-{percentile,probability} is set

Enable metrics if epss-percentile or epss-probability is set by the user
(i.e. is above 0). This commit also fix this following broken logic
which allowed negative epss values:

if float(args["epss_percentile"]) > 0 or float(args["epss_percentile"]) < 100:

replaced by:

if float(args["epss_percentile"]) > 0 and float(args["epss_percentile"]) <= 100:

Tentative fix for intel#3625

Signed-off-by: Fabrice Fontaine <[email protected]>

cve_bin_tool/cli.py

@@ -589,13 +589,16 @@ def main(argv=None):
     if int(args["cvss"]) > 0:
         score = int(args["cvss"])
 
+    metrics = args["metrics"]
     epss_percentile = 0
-    if float(args["epss_percentile"]) > 0 or float(args["epss_percentile"]) < 100:
+    if float(args["epss_percentile"]) > 0 and float(args["epss_percentile"]) <= 100:
+        metrics = True
         epss_percentile = float(args["epss_percentile"]) / 100
         LOGGER.debug(f"epss percentile stored {epss_percentile}")
 
     epss_probability = 0
-    if float(args["epss_probability"]) > 0 or float(args["epss_probability"]) < 100:
+    if float(args["epss_probability"]) > 0 and float(args["epss_probability"]) <= 100:
+        metrics = True
         epss_probability = float(args["epss_probability"]) / 100
         LOGGER.debug(f"epss probability stored {epss_probability}")
 
@@ -899,7 +902,7 @@ def main(argv=None):
 
     with CVEScanner(
         score=score,
-        check_metrics=args["metrics"],
+        check_metrics=metrics,
         epss_percentile=epss_percentile,
         epss_probability=epss_probability,
         check_exploits=args["exploits"],
@@ -1024,7 +1027,7 @@ def main(argv=None):
             merge_report=merged_reports,
             affected_versions=args["affected_versions"],
             exploits=args["exploits"],
-            metrics=args["metrics"],
+            metrics=metrics,
             detailed=args["detailed"],
             vex_filename=args["vex"],
             sbom_filename=args["sbom_output"],