fix: prepend justification to comments (#4442)

terriko · web-flow · commit abd4fe7cf442 · 2024-09-13T13:59:03.000-07:00
* workaround for #4439 I decided it was probably better to retain the 3.3 behaviour for now; we can decide if that's the right choice for future releases later. Signed-off-by: Terri Oda <terri.oda@intel.com>
diff --git a/cve_bin_tool/vex_manager/parse.py b/cve_bin_tool/vex_manager/parse.py
@@ -114,6 +114,11 @@ def __process_vulnerabilities(self, vulnerabilities) -> None:
             justification = vuln.get("justification")
             response = vuln.get("remediation")
             comments = vuln.get("comment")
+
+            # If the comment doesn't already have the justification prepended, add it
+            if comments and justification and not comments.startswith(justification):
+                comments = f"{justification}: {comments}"
+
             severity = vuln.get("severity")  # Severity is not available in Lib4VEX
             # Decode the bom reference for cyclonedx and purl for csaf and openvex
             product_info = None
diff --git a/test/test_vex.py b/test/test_vex.py
@@ -212,7 +212,7 @@ class TestVexParse:
             },
             "CVE-1234-1005": {
                 "remarks": Remarks.NotAffected,
-                "comments": "NotAffected: Detail field populated.",
+                "comments": "code_not_reachable: NotAffected: Detail field populated.",
                 "response": "will_not_fix",
                 "justification": "code_not_reachable",
             },
