test(smoke): normalize volatile EPSS fields in golden comparison #176

Merged: bomly-guy merged 2 commits into main from claude/dazzling-boyd-0ad93d, Jun 18, 2026

bomly-guy (Collaborator) commented Jun 18, 2026

What

The scheduled Smoke workflow has been failing daily. One root cause: EPSS data is recomputed daily by FIRST.org, so the date, epss score, and percentile fields drift every day independent of any code change. There was no normalizer for them, so scan-go-reachability (and other enrich goldens carrying EPSS payloads) go stale on a daily cadence.

Change

Add normalizeEPSS to the normalizeJSON pipeline in test/smoke/helpers_test.go. It walks the JSON tree and, for every "epss" array, scrubs the three volatile fields:

  • date → <normalized>
  • epss (score) → 0
  • percentile → 0

The cve id is preserved so the golden still proves the EPSS payload attached to the right advisory. The <normalized> placeholder matches the escaped form (<normalized>) already used across all 50 goldens.

Verification

  • go vet -tags smoke ./test/smoke/ clean.
  • Ran the normalizer against scan-go-reachability.golden.json: drifting date/score/percentile are scrubbed, cve preserved.

Follow-ups (not in this PR)

  • Goldens still need regeneration (make smoke ARGS="-update") — this also folds in the stale GitHub Actions locations field from Annotate SARIF diff output and GitHub Actions locations #168.
  • Python transitive version drift (scan-python-pip, scan-python-poetry, scan-python-pip-reachability) is a separate target-pinning issue (needs lockfiles on the example repos), addressed separately.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Tests
    • Added comprehensive test coverage for JSON normalization of EPSS fields, validating that volatile data points are properly stabilized.

FIRST.org recomputes EPSS scores daily, so the model date, score, and
percentile in enrich/reachability output drift every day regardless of
the code under test. Left unnormalized they break smoke goldens (e.g.
scan-go-reachability) on a daily cadence.

Add normalizeEPSS to the normalizeJSON pipeline: scrub date, epss, and
percentile on every "epss" array while keeping the CVE id so the golden
still proves the EPSS payload attached to the right advisory.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
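
A sketch of the tree walk the PR describes, added here as an illustration; it is not the code from test/smoke/helpers_test.go. The function names follow the PR text, while the payload shape (an "epss" array of objects keyed cve, date, epss, percentile), the `normalized` helper, the `sample` constant and the CVE-EXAMPLE-0001 identifier are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed payload: one advisory carrying an EPSS entry as fetched on some day.
const sample = `{"findings":[{"id":"CVE-EXAMPLE-0001","epss":[{"cve":"CVE-EXAMPLE-0001","date":"2026-06-17","epss":0.0123,"percentile":0.456}]}]}`

// normalizeEPSS walks a decoded JSON tree and scrubs every "epss" array in place.
func normalizeEPSS(v any) {
	switch node := v.(type) {
	case map[string]any:
		for key, child := range node {
			// Arrays only: the scalar score inside an entry is also keyed "epss".
			if entries, ok := child.([]any); ok && key == "epss" {
				for _, e := range entries {
					scrubEPSSEntry(e)
				}
			}
			normalizeEPSS(child) // keep descending; harmless on scrubbed entries
		}
	case []any:
		for _, child := range node {
			normalizeEPSS(child)
		}
	}
}

// scrubEPSSEntry overwrites the three volatile fields; "cve" is left untouched.
func scrubEPSSEntry(e any) {
	if entry, ok := e.(map[string]any); ok {
		entry["date"], entry["epss"], entry["percentile"] = "<normalized>", 0, 0
	}
}

// normalized decodes, scrubs and re-encodes; json.Marshal sorts keys and escapes < and >.
func normalized(raw string) (string, error) {
	var tree any
	if err := json.Unmarshal([]byte(raw), &tree); err != nil {
		return "", err
	}
	normalizeEPSS(tree)
	out, err := json.Marshal(tree)
	return string(out), err
}

func main() {
	fmt.Println(normalized(sample))
}
```

Two payloads that differ only in date, score and percentile re-encode to the same bytes, while a different cve value or a "date" key outside an "epss" array still shows up in the comparison.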

coderabbitai Bot (Contributor) commented Jun 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 8652b1cd-1e3e-4776-a806-28fdc7877724

📥 Commits

Reviewing files that changed from the base of the PR and between 327bc74 and 2b3868f.

📒 Files selected for processing (1)
  • test/smoke/helpers_test.go

📝 Walkthrough

normalizeJSON in the smoke-test helpers gains a normalizeEPSS step. Two new functions are added: normalizeEPSS walks the decoded JSON tree to find "epss" arrays, and scrubEPSSEntry replaces each entry's date, epss, and percentile fields with deterministic placeholders, leaving CVE identifier fields intact.

EPSS Normalization in Smoke-Test Helpers

Layer / File(s) | Summary
EPSS scrubbing helpers and normalizeJSON integration (test/smoke/helpers_test.go) | normalizeJSON calls normalizeEPSS to scrub volatile daily-changing fields; normalizeEPSS recurses the JSON tree to locate "epss" arrays, and scrubEPSSEntry overwrites date, epss, and percentile with stable placeholders.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately and clearly describes the main change: normalizing volatile EPSS fields in the smoke test comparison pipeline, which is the core objective of this PR.
Docstring Coverage | ✅ Passed | Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

github-actions Bot (Contributor) commented Jun 18, 2026

Bomly Diff Summary

Compared 327bc742e28323febad1e719cf0e1f102b8351a0 to 2b3868fa8d358b4f03352486fe8018f077112315.

Overview

Status | Manifests | Dependencies | Findings | Duration
✅ Pass | +0 / ~0 / -0 | +0 / ~0 / -0 | 0 introduced / 0 persisted / 0 resolved | 71897ms

Dependency Changes

✅ No dependency changes.

Vulnerabilities

✅ No vulnerability changes.

License Changes

✅ No license changes.

Project Posture

✅ No project posture changes (or --matchers +scorecard was not selected).

Policy Findings

✅ No policy differences were identified.

bomly-guy merged commit 9e7e2fe into main, Jun 18, 2026
13 checks passed
bomly-guy deleted the claude/dazzling-boyd-0ad93d branch, June 18, 2026 18:03