From 5b25e16cf9bc9d7a027906432370089230f2a273 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81ngel=20Riveira?= <61965217+arivra@users.noreply.github.com>
Date: Mon, 16 Sep 2024 04:24:36 +0200
Subject: [PATCH] manage not defined metadata in mitigations and add assumptions comments (#10897)

---
 dojo/tools/threat_composer/parser.py | 21 +++++++++++++------
 .../threat_composer_many_threats.json | 9 ++------
 2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/dojo/tools/threat_composer/parser.py b/dojo/tools/threat_composer/parser.py
index 1babba06fd..f1099641b0 100644
--- a/dojo/tools/threat_composer/parser.py
+++ b/dojo/tools/threat_composer/parser.py
@@ -70,12 +70,12 @@ def get_findings(self, file, test):
             if "threatAction" in threat:
                 title = threat["threatAction"]
 
-            severity, impact, comments = self.parse_threat_metadata(threat["metadata"])
+            severity, impact, comments = self.parse_threat_metadata(threat.get("metadata", []))
             description = self.to_description_text(threat, comments, assumption_threat_links[threat["id"]])
             mitigation = self.to_mitigation_text(mitigation_links[threat["id"]])
             unique_id_from_tool = threat["id"]
             vuln_id_from_tool = threat["numericId"]
-            tags = threat["tags"] if "tags" in threat else []
+            tags = threat.get("tags", [])
 
             finding = Finding(
                 title=title,
@@ -112,14 +112,12 @@ def to_mitigation_text(self, mitigations):
             counti = i + 1
             text += f"**Mitigation {counti} (ID: {mitigation['numericId']}, Status: {mitigation.get('status', 'Not defined')})**: {mitigation['content']}"
 
-            for item in mitigation["metadata"]:
+            for item in mitigation.get("metadata", []):
                 if item["key"] == "Comments":
                     text += f"\n*Comments*: {item['value'].replace(linesep, ' ')} "
                     break
 
-            for j, assumption in enumerate(assumption_links):
-                countj = j + 1
-                text += f"\n- *Assumption {countj} (ID: {assumption['numericId']})*: {assumption['content'].replace(linesep, ' ')}"
+            text += self.to_assumption_text(assumption_links)
 
             text += "\n"
 
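Review bot: The `threat.get("metadata", [])` change on the `severity, impact, comments = ...` line makes a threat without a metadata block tolerable, but the two lines directly below it still index `assumption_threat_links[threat["id"]]` and `mitigation_links[threat["id"]]` outright, so a threat with no linked assumption or mitigation will still raise KeyError unless those maps are defaultdicts built earlier in get_findings (not visible in this hunk). To match the tolerant style the commit introduces, `assumption_threat_links.get(threat["id"], [])` and `mitigation_links.get(threat["id"], [])` would let such threats fall through with empty sections instead of aborting the whole import. The body of get_findings starts and ends outside the hunk.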
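Review bot: `mitigation.get("metadata", [])` now tolerates a mitigation without a metadata list, but the loop body still does `item["key"]` and `item['value']`, so a metadata entry that lacks either key — the same "not defined metadata" this commit is about — still raises KeyError on the `if item["key"] == "Comments":` line. `if item.get("key") == "Comments":` together with `item.get('value', '')` in the f-string would finish the hardening; the identical pattern is repeated in the new to_assumption_text in the next hunk and should be fixed there too. to_mitigation_text's signature and the start of its loop are outside the hunk.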
@@ -145,8 +143,19 @@ def to_description_text(self, threat, comments, assumption_links):
         if comments:
             text += f"\n*Comments*: {comments}"
 
+        text += self.to_assumption_text(assumption_links)
+
+        return text
+
+    def to_assumption_text(self, assumption_links):
+        text = ""
         for i, assumption in enumerate(assumption_links):
             counti = i + 1
             text += f"\n- *Assumption {counti} (ID: {assumption['numericId']})*: {assumption['content'].replace(linesep, ' ')}"
+            for item in assumption.get("metadata", []):
+                if item["key"] == "Comments":
+                    text += f"\n  *Comments*: {item['value'].replace(linesep, ' ')} "
+                    break
+
 
         return text
diff --git a/unittests/scans/threat_composer/threat_composer_many_threats.json b/unittests/scans/threat_composer/threat_composer_many_threats.json
index cb61d880bd..6af441362e 100644
--- a/unittests/scans/threat_composer/threat_composer_many_threats.json
+++ b/unittests/scans/threat_composer/threat_composer_many_threats.json
@@ -94,13 +94,8 @@
         "tags": [
           "lorem ipsum"
         ],
-        "metadata": [
-          {
-            "key": "Comments",
-            "value": "lorem ipsum"
-          }
-        ],
-        "displayOrder": 21
+        "displayOrder": 21,
+        "status": "mitigationResolved"
       },
       {
         "id": "11fb1c71-42f0-4004-89a7-09d8bf6f8b11",
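Review bot: The new `to_assumption_text` method has no docstring; I would add `"""Render the assumptions linked to a threat or mitigation as markdown bullets, each followed by its Comments metadata when present."""` under the def line. The diffstat shows only parser.py and the JSON fixture changing, so the new `\n  *Comments*` line emitted for an assumption appears not to be asserted by any unit test — the fixture change (dropping a mitigation's metadata, adding a status) exercises the `.get` defaults but not this new output, so an expectation for it should accompany the fixture. Separately, `.replace(linesep, ' ')` on the assumption content and comment presumably uses os.linesep, which is platform-dependent, so on a Windows host a `\n` inside the uploaded JSON string is left untouched; the commit copies this from the removed lines, and `.replace("\n", " ")` would behave the same everywhere.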