test(smoke): normalize volatile EPSS fields in golden comparison

[bomly-guy]

What

The scheduled Smoke workflow has been failing daily. One root cause: EPSS data is recomputed daily by FIRST.org, so the date, epss score, and percentile fields drift every day independent of any code change. There was no normalizer for them, so scan-go-reachability (and other enrich goldens carrying EPSS payloads) go stale on a daily cadence.

Change

Add normalizeEPSS to the normalizeJSON pipeline in test/smoke/helpers_test.go. It walks the JSON tree and, for every "epss" array, scrubs the three volatile fields:

• date → <normalized>
• epss (score) → 0
• percentile → 0

The cve id is preserved so the golden still proves the EPSS payload attached to the right advisory. The <normalized> placeholder matches the escaped form (<normalized>) already used across all 50 goldens.

Verification

• go vet -tags smoke ./test/smoke/ clean.
• Ran the normalizer against scan-go-reachability.golden.json: drifting date/score/percentile are scrubbed, cve preserved.

Follow-ups (not in this PR)

• Goldens still need regeneration (make smoke ARGS="-update") — this also folds in the stale GitHub Actions locations field from Annotate SARIF diff output and GitHub Actions locations #168.
• Python transitive version drift (scan-python-pip, scan-python-poetry, scan-python-pip-reachability) is a separate target-pinning issue (needs lockfiles on the example repos), addressed separately.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Tests
  • Added comprehensive test coverage for JSON normalization of EPSS fields, validating that volatile data points are properly stabilized.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 8652b1cd-1e3e-4776-a806-28fdc7877724

📥 Commits

Reviewing files that changed from the base of the PR and between 327bc74 and 2b3868f.

📒 Files selected for processing (1)

• test/smoke/helpers_test.go

---

📝 Walkthrough

Walkthrough

normalizeJSON in the smoke-test helpers gains a normalizeEPSS step. Two new functions are added: normalizeEPSS walks the decoded JSON tree to find "epss" arrays, and scrubEPSSEntry replaces each entry's date, epss, and percentile fields with deterministic placeholders, leaving CVE identifier fields intact.

EPSS Normalization in Smoke-Test Helpers

Layer / File(s)	Summary
EPSS scrubbing helpers and normalizeJSON integration test/smoke/helpers_test.go	normalizeJSON calls normalizeEPSS to scrub volatile daily-changing fields; normalizeEPSS recurses the JSON tree to locate "epss" arrays, and scrubEPSSEntry overwrites date, epss, and percentile with stable placeholders.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and clearly describes the main change: normalizing volatile EPSS fields in the smoke test comparison pipeline, which is the core objective of this PR.
Docstring Coverage	✅ Passed	Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/dazzling-boyd-0ad93d

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Bomly Diff Summary

Compared 327bc742e28323febad1e719cf0e1f102b8351a0 to 2b3868fa8d358b4f03352486fe8018f077112315.

Overview

Status	Manifests	Dependencies	Findings	Duration
✅ Pass	+0 / ~0 / -0	+0 / ~0 / -0	0 introduced / 0 persisted / 0 resolved	71897ms

Dependency Changes

✅ No dependency changes.

Vulnerabilities

✅ No vulnerability changes.

License Changes

✅ No license changes.

Project Posture

✅ No project posture changes (or --matchers +scorecard was not selected).

Policy Findings

✅ No policy differences were identified.