manage not defined metadata in mitigations and add assumptions comments (#10897)

arivra · web-flow · commit 0063e1c22c48 · 2024-09-15T21:24:36.000-05:00
diff --git a/dojo/tools/threat_composer/parser.py b/dojo/tools/threat_composer/parser.py
@@ -70,12 +70,12 @@ def get_findings(self, file, test):
 
             if "threatAction" in threat:
                 title = threat["threatAction"]
-                severity, impact, comments = self.parse_threat_metadata(threat["metadata"])
+                severity, impact, comments = self.parse_threat_metadata(threat.get("metadata", []))
                 description = self.to_description_text(threat, comments, assumption_threat_links[threat["id"]])
                 mitigation = self.to_mitigation_text(mitigation_links[threat["id"]])
                 unique_id_from_tool = threat["id"]
                 vuln_id_from_tool = threat["numericId"]
-                tags = threat["tags"] if "tags" in threat else []
+                tags = threat.get("tags", [])
 
                 finding = Finding(
                     title=title,
@@ -112,14 +112,12 @@ def to_mitigation_text(self, mitigations):
             counti = i + 1
             text += f"**Mitigation {counti} (ID: {mitigation['numericId']}, Status: {mitigation.get('status', 'Not defined')})**: {mitigation['content']}"
 
-            for item in mitigation["metadata"]:
+            for item in mitigation.get("metadata", []):
                 if item["key"] == "Comments":
                     text += f"\n*Comments*: {item['value'].replace(linesep, ' ')} "
                     break
 
-            for j, assumption in enumerate(assumption_links):
-                countj = j + 1
-                text += f"\n- *Assumption {countj} (ID: {assumption['numericId']})*: {assumption['content'].replace(linesep, ' ')}"
+            text += self.to_assumption_text(assumption_links)
 
             text += "\n"
 
@@ -145,8 +143,19 @@ def to_description_text(self, threat, comments, assumption_links):
         if comments:
             text += f"\n*Comments*: {comments}"
 
+        text += self.to_assumption_text(assumption_links)
+
+        return text
+
+    def to_assumption_text(self, assumption_links):
+        text = ""
         for i, assumption in enumerate(assumption_links):
             counti = i + 1
             text += f"\n- *Assumption {counti} (ID: {assumption['numericId']})*: {assumption['content'].replace(linesep, ' ')}"
 
+            for item in assumption.get("metadata", []):
+                if item["key"] == "Comments":
+                    text += f"\n&nbsp;&nbsp;*Comments*: {item['value'].replace(linesep, ' ')} "
+                    break
+
         return text
diff --git a/unittests/scans/threat_composer/threat_composer_many_threats.json b/unittests/scans/threat_composer/threat_composer_many_threats.json
@@ -94,13 +94,8 @@
         "tags": [
           "lorem ipsum"
         ],
-        "metadata": [
-          {
-            "key": "Comments",
-            "value": "lorem ipsum"
-          }
-        ],
-        "displayOrder": 21
+        "displayOrder": 21,
+        "status": "mitigationResolved"
       },
       {
         "id": "11fb1c71-42f0-4004-89a7-09d8bf6f8b11",
