bug: Epss_Source.update_epss() missing 1 required positional argument: 'cursor'

[weichslgartner]

Description

In version 3.4 the download of EPSS data does not work. It seems

cve-bin-tool/cve_bin_tool/data_sources/epss_source.py

Line 155 in 8b3b32c

await self.update_epss()

calls

cve-bin-tool/cve_bin_tool/data_sources/epss_source.py

Line 42 in 8b3b32c

async def update_epss(self, cursor):

but does not provide the cursor argument.
With debug logs activated the log message in

cve-bin-tool/cve_bin_tool/data_sources/epss_source.py

Line 157 in 8b3b32c

self.LOGGER.debug(f"Error while fetching EPSS data: {e}")

does not get activated for me, but if I set a breakpoint I can see the Epss_Source.update_epss() missing 1 required positional argument: 'cursor' Exception. (also when I change the log message to error).

To reproduce

Steps to reproduce the behavior:

1. cve-bin-tool -l debug --update now

Expected behaviour: epss data should be downloaded, no error
Actual behaviour: ERROR CVEDB - Unable to fetch EPSS, skipping EPSS. epss_source.py:158

Version/platform info

Version of CVE-bin-tool( e.g. output of cve-bin-tool --version): 3.4
Installed from pypi or github?: pypi
Operating system: "5.4.0-193-generic #213-Ubuntu SMP Fri Aug 2 19:14:16 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux"
Python version (e.g. python3 --version): 3.11.10
Running in any particular CI environment we should know about? (e.g. Github Actions)

[terriko]

I think I see what happened here: when I moved epss into its own data source (so that it could be disabled correctly as the other data sources are) I missed the cursor setup that was previously happening just in cvedb. I need to think a bit about the best way to fix it (i.e. do we pass the cursor from cvedb or get it anew) but it's definitely a bug. And the fact that our own tests didn't find it is obnoxious so I need to think about how to ensure that this doesn't happen again. Thanks for finding the bug!

[weichslgartner]

Think the cursor is only need for EPSS_id_finder and this sets self.epss_metric_id and doesn't store directly in the db. The data only populated later and would be enough to add the epss_metric_id in

cve-bin-tool/cve_bin_tool/cvedb.py

Line 854 in 0405d52

def store_epss_data(self, epss_data):

as there the cursor is already present.
Regarding catching such errors, maybe the possible exceptions (timeout etc) could be handled different than the generic exceptions (which can be displayed as error log message).

[weichslgartner]

I implemented a proof of concept fix.
I initialized epps_metric_id to 1: https://github.com/weichslgartner/cve-bin-tool/blob/53bc4fab4d095da3a9b14051378b1fde2666d4b3/cve_bin_tool/data_sources/epss_source.py#L39
and then check later if it is really 1 in the database:
https://github.com/weichslgartner/cve-bin-tool/blob/53bc4fab4d095da3a9b14051378b1fde2666d4b3/cve_bin_tool/cvedb.py#L860

But while implementing I saw that it must always be 1:

cve-bin-tool/cve_bin_tool/cvedb.py

Line 618 in 0405d52

(1, "EPSS"),

An idea would to introduce a constant for the metric ids and use then the constant in epss_source

[weichslgartner]

Did the constant version here: https://github.com/weichslgartner/cve-bin-tool/tree/metric_id_constant

[terriko]

That sounds great! Did you want to do a pull request?

[weichslgartner]

Sure. :)