fix: prepend justification to comments (#4442)

* workaround for #4439 I decided it was probably better to retain the 3.3 behaviour for now; we can decide if that's the right choice for future releases later. Signed-off-by: Terri Oda <[email protected]>
intel · Sep 13, 2024 · abd4fe7 · abd4fe7
1 parent 5c3e103
commit abd4fe7
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/cve_bin_tool/vex_manager/parse.py b/cve_bin_tool/vex_manager/parse.py
@@ -114,6 +114,11 @@ def __process_vulnerabilities(self, vulnerabilities) -> None:
             justification = vuln.get("justification")
             response = vuln.get("remediation")
             comments = vuln.get("comment")
+
+            # If the comment doesn't already have the justification prepended, add it
+            if comments and justification and not comments.startswith(justification):
+                comments = f"{justification}: {comments}"
+
             severity = vuln.get("severity")  # Severity is not available in Lib4VEX
             # Decode the bom reference for cyclonedx and purl for csaf and openvex
             product_info = None

diff --git a/test/test_vex.py b/test/test_vex.py
@@ -212,7 +212,7 @@ class TestVexParse:
             },
             "CVE-1234-1005": {
                 "remarks": Remarks.NotAffected,
-                "comments": "NotAffected: Detail field populated.",
+                "comments": "code_not_reachable: NotAffected: Detail field populated.",
                 "response": "will_not_fix",
                 "justification": "code_not_reachable",
             },