# -----------------------------------------------------------------------------
# epss-threshold_test.rego
# Tests for EPSS threshold policy
# -----------------------------------------------------------------------------
package stellaops.gates.epss
import future.keywords.if
# allow holds when every finding scores below the configured global threshold
test_allow_below_threshold if {
	doc := {
		"cve_findings": [
			{"cve_id": "CVE-2024-0001", "epss_score": 0.3},
			{"cve_id": "CVE-2024-0002", "epss_score": 0.5}
		],
		"config": {"epss_threshold": 0.6}
	}
	allow with input as doc
}
# a single finding above the global threshold is enough to withhold allow
test_deny_above_threshold if {
	doc := {
		"cve_findings": [
			{"cve_id": "CVE-2024-0001", "epss_score": 0.3},
			{"cve_id": "CVE-2024-0002", "epss_score": 0.7}
		],
		"config": {"epss_threshold": 0.6}
	}
	not allow with input as doc
}
# an empty findings list has nothing to exceed the threshold, so allow holds
test_allow_empty_findings if {
	doc := {
		"cve_findings": [],
		"config": {"epss_threshold": 0.6}
	}
	allow with input as doc
}
# the per-environment threshold (production: 0.3) takes precedence over the
# global one (0.6): a 0.4 score passes globally but is denied for production
test_environment_override if {
	envConfig := {
		"production": {"epss_threshold": 0.3}
	}
	doc := {
		"cve_findings": [
			{"cve_id": "CVE-2024-0001", "epss_score": 0.4}
		],
		"environment": "production",
		"config": {
			"epss_threshold": 0.6,
			"environments": envConfig
		}
	}
	not allow with input as doc
}
# with only_reachable set, an unreachable finding above the threshold is
# ignored and the reachable one below it lets allow hold
# NOTE(review): no test here covers a finding that lacks is_reachable while
# only_reachable is set — confirm whether the policy treats it as reachable
test_only_reachable_filters_unreachable if {
	doc := {
		"cve_findings": [
			{"cve_id": "CVE-2024-0001", "epss_score": 0.8, "is_reachable": false},
			{"cve_id": "CVE-2024-0002", "epss_score": 0.3, "is_reachable": true}
		],
		"config": {"epss_threshold": 0.6, "only_reachable": true}
	}
	allow with input as doc
}
# a denial message names the offending CVE and its EPSS score
test_deny_message_content if {
	doc := {
		"cve_findings": [
			{"cve_id": "CVE-2024-1234", "epss_score": 0.72}
		],
		"config": {"epss_threshold": 0.6}
	}
	deny[msg] with input as doc
	contains(msg, "CVE-2024-1234")
	contains(msg, "0.72")
}
# summary reports the finding counts, the effective threshold and the
# environment the evaluation ran for
test_summary_structure if {
	doc := {
		"cve_findings": [
			{"cve_id": "CVE-2024-0001", "epss_score": 0.3},
			{"cve_id": "CVE-2024-0002", "epss_score": 0.7}
		],
		"environment": "staging",
		"config": {"epss_threshold": 0.6}
	}
	s := summary with input as doc
	expected := {
		"total_cves": 2,
		"exceeding_count": 1,
		"threshold": 0.6,
		"environment": "staging"
	}
	object.filter(s, {"total_cves", "exceeding_count", "threshold", "environment"}) == expected
}