From be7f04245e2f6347425e0a9909efe4be85ac8be8 Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine
Date: Tue, 19 Dec 2023 21:23:46 +0100
Subject: [PATCH] Enable metrics if epss-{percentile,probability} is set

Enable metrics if epss-percentile or epss-probability is set by the user (i.e. is above 0). This commit also fix this following broken logic which allowed negative epss values:
if float(args["epss_percentile"]) > 0 or float(args["epss_percentile"]) < 100:
replaced by:
if float(args["epss_percentile"]) > 0 and float(args["epss_percentile"]) <= 100:
Tentative fix for #3625
Signed-off-by: Fabrice Fontaine
---
 cve_bin_tool/cli.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/cve_bin_tool/cli.py b/cve_bin_tool/cli.py
index b1a619d28f..dfaeff1fdd 100644
--- cve_bin_tool/cli.py
+++ cve_bin_tool/cli.py
@@ -589,13 +589,16 @@ def main(argv=None):
 if int(args["cvss"]) > 0:
 score = int(args["cvss"])
+ metrics = args["metrics"]
 epss_percentile = 0
- if float(args["epss_percentile"]) > 0 or float(args["epss_percentile"]) < 100:
+ if float(args["epss_percentile"]) > 0 and float(args["epss_percentile"]) <= 100:
+ metrics = True
 epss_percentile = float(args["epss_percentile"]) / 100
 LOGGER.debug(f"epss percentile stored {epss_percentile}")
 epss_probability = 0
- if float(args["epss_probability"]) > 0 or float(args["epss_probability"]) < 100:
+ if float(args["epss_probability"]) > 0 and float(args["epss_probability"]) <= 100:
+ metrics = True
 epss_probability = float(args["epss_probability"]) / 100
 LOGGER.debug(f"epss probability stored {epss_probability}")
@@ -899,7 +902,7 @@ def main(argv=None):
 with CVEScanner(
 score=score,
- check_metrics=args["metrics"],
+ check_metrics=metrics,
 epss_percentile=epss_percentile,
 epss_probability=epss_probability,
 check_exploits=args["exploits"],
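Review bot: In the first hunk (`@@ -589,13 +589,16 @@`), an `args["epss_percentile"]` value that is negative or above 100 is now skipped without any message: the threshold stays at 0, `metrics` is not switched on, and nothing is logged, so a mistyped threshold looks the same as no threshold. The same applies to the `epss_probability` branch a few lines below. Parsing the value once and handling the out-of-range case explicitly would make this visible, e.g. `pct = float(args["epss_percentile"])` followed by `if 0 < pct <= 100:`, plus an `elif pct != 0:` branch that logs a warning or exits with a usage error. Whether `float()` can raise `ValueError` here depends on the argument parser's type declaration, which is outside the hunk, as is the rest of `main`.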
@@ -1024,7 +1027,7 @@ def main(argv=None):
 merge_report=merged_reports,
 affected_versions=args["affected_versions"],
 exploits=args["exploits"],
- metrics=args["metrics"],
+ metrics=metrics,
 detailed=args["detailed"],
 vex_filename=args["vex"],
 sbom_filename=args["sbom_output"],