From abd4fe7cf4422b3de80147c70db802ed3aa2579f Mon Sep 17 00:00:00 2001
From: Terri Oda
Date: Fri, 13 Sep 2024 13:59:03 -0700
Subject: [PATCH] fix: prepend justification to comments (#4442)

* workaround for #4439

I decided it was probably better to retain the 3.3 behaviour for now; we can decide if that's the right choice for future releases later.

Signed-off-by: Terri Oda
---
 cve_bin_tool/vex_manager/parse.py | 5 +++++
 test/test_vex.py | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/cve_bin_tool/vex_manager/parse.py b/cve_bin_tool/vex_manager/parse.py
index e339114097..b58d1fe1e0 100644
--- a/cve_bin_tool/vex_manager/parse.py
+++ b/cve_bin_tool/vex_manager/parse.py
@@ -114,6 +114,11 @@ def __process_vulnerabilities(self, vulnerabilities) -> None:
 justification = vuln.get("justification")
 response = vuln.get("remediation")
 comments = vuln.get("comment")
+
+ # If the comment doesn't already have the justification prepended, add it
+ if comments and justification and not comments.startswith(justification):
+ comments = f"{justification}: {comments}"
+
 severity = vuln.get("severity") # Severity is not available in Lib4VEX
 # Decode the bom reference for cyclonedx and purl for csaf and openvex
 product_info = None
diff --git a/test/test_vex.py b/test/test_vex.py
index a3d7861c37..34c4ed7c61 100644
--- a/test/test_vex.py
+++ b/test/test_vex.py
@@ -212,7 +212,7 @@ class TestVexParse:
 },
 "CVE-1234-1005": {
 "remarks": Remarks.NotAffected,
-"comments": "NotAffected: Detail field populated.",
+"comments": "code_not_reachable: NotAffected: Detail field populated.",
 "response": "will_not_fix",
 "justification": "code_not_reachable",
 },
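Review bot: The idempotence guard `not comments.startswith(justification)` tests a bare prefix rather than the exact `"<justification>: "` form the next line produces, so a comment that merely happens to begin with the justification text (with no separator, or with the justification as the first word of free text) is treated as already annotated and the prefix is skipped, while a comment starting with a longer justification token is still double-prefixed. Since `comments` and `justification` are read straight from the parsed VEX document, which is external input to the tool, the format being relied on should be pinned explicitly: `prefix = f"{justification}: "` followed by `if comments and justification and not comments.startswith(prefix):` and `comments = prefix + comments`. It is also worth noting in the added comment that this deliberately folds a structured field into free text to keep the 3.3 output format (per the commit message), so readers do not later "fix" it as a bug. I would hedge that `comments` is always a `str` here — if a producer emits a non-string `comment` value, `startswith` raises `AttributeError`, and the surrounding code does not show a type check. `__process_vulnerabilities` begins and ends outside this hunk.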
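Review bot: The updated expectation only exercises the branch where the prefix is added; nothing in this fixture covers a comment that already starts with the justification, so a regression in the `startswith` guard (double-prefixing on re-parse of a file the tool itself produced) would not be caught. Consider adding a sibling entry whose comment is already `"code_not_reachable: ..."` and asserting it is returned unchanged. `TestVexParse` continues outside this hunk.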