psyc/tests/test_map.py

"""Mapline tests — CVEResolver KEV cross-check."""

from __future__ import annotations

from psyc.lines.map import _looks_like_ip, kev_cve_set, resolve_cves
from psyc.models import Severity
from conftest import make_case


def test_kev_cve_set_only_from_kev_cases():
    kev = make_case(feed="cisa-kev", cves=["CVE-2026-0001"])
    urlhaus = make_case(feed="urlhaus", cves=["CVE-2099-9999"])  # not KEV-sourced
    assert kev_cve_set([kev, urlhaus]) == {"CVE-2026-0001"}


def test_resolve_cves_flags_and_escalates_non_kev_case():
    kev_set = {"CVE-2026-0001"}
    case = make_case(feed="urlhaus", cves=["CVE-2026-0001"], severity=Severity.LOW)
    resolve_cves(case, kev_set)
    assert case.source_metadata["kev_cves"] == "CVE-2026-0001"
    assert case.classification.severity is Severity.HIGH


def test_resolve_cves_does_not_escalate_kev_source_case():
    kev_set = {"CVE-2026-0001"}
    case = make_case(feed="cisa-kev", cves=["CVE-2026-0001"], severity=Severity.LOW)
    resolve_cves(case, kev_set)
    # its own CVE is in KEV by definition — no self-escalation
    assert case.classification.severity is Severity.LOW


def test_resolve_cves_noop_without_match():
    case = make_case(feed="urlhaus", cves=["CVE-2099-9999"], severity=Severity.MEDIUM)
    resolve_cves(case, {"CVE-2026-0001"})
    assert "kev_cves" not in case.source_metadata
    assert case.classification.severity is Severity.MEDIUM


def test_looks_like_ip():
    assert _looks_like_ip("8.8.8.8")
    assert not _looks_like_ip("example.com")
    assert not _looks_like_ip("999.1.1.1")