From 69aa0a6d4cab6abc91c1b1ea14dd1771ed4e3419 Mon Sep 17 00:00:00 2001
From: Dakes <daniel.ostertag@dakes.de>
Date: Tue, 18 Jun 2024 15:23:13 +0200
Subject: [PATCH 1/3] Fix cvss and response overwrite

---
 pytm/pytm.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pytm/pytm.py b/pytm/pytm.py
index 3bd7333..f9b7bc3 100644
--- a/pytm/pytm.py
+++ b/pytm/pytm.py
@@ -2024,6 +2024,8 @@ def encode_threat_data(obj):
         "threat_id",
         "references",
         "condition",
+        "cvss",
+        "response",
     ]
 
     if type(obj) is Finding or (len(obj) != 0 and type(obj[0]) is Finding):
@@ -2039,7 +2041,8 @@ def encode_threat_data(obj):
                 # ignore missing attributes, since this can be called
                 # on both a Finding and a Threat
                 continue
-            setattr(t, a, html.escape(v))
+            if v is not None:
+                setattr(t, a, html.escape(v))
 
         encoded_threat_data.append(t)
 

From 4feea397c20bb6efb2b267a6ad5d7835487213d7 Mon Sep 17 00:00:00 2001
From: Dakes <daniel.ostertag@dakes.de>
Date: Fri, 21 Jun 2024 12:18:46 +0200
Subject: [PATCH 2/3] Add test for encode_threat_data and cvss override

---
 tests/test_private_func.py | 40 ++++++++++++++++++++++++++++++++++++++
 tests/test_pytmfunc.py     | 18 +++++++++++++----
 2 files changed, 54 insertions(+), 4 deletions(-)

diff --git a/tests/test_private_func.py b/tests/test_private_func.py
index 3e9aea2..4ce0816 100644
--- a/tests/test_private_func.py
+++ b/tests/test_private_func.py
@@ -10,10 +10,12 @@
     Dataflow,
     Datastore,
     DatastoreType,
+    Finding,
     Process,
     Server,
     Threat,
     UIError,
+    encode_threat_data,
 )
 
 
@@ -245,3 +247,41 @@ def test_defaults(self):
                     case["condition"],
                 ),
             )
+
+
+class TestFunction(unittest.TestCase):
+    def test_encode_threat_data(self):
+        findings = [
+            Finding(
+                description="A test description",
+                severity="High",
+                id="1",
+                threat_id="INP01",
+                cvss="9.876",
+                response="A test response",
+            ),
+            Finding(
+                description="An escape test <script>",
+                severity="Medium",
+                id="2",
+                threat_id="INP02",
+                cvss="1.234",
+                response="A test response",
+                assumption=Assumption("Test Assumption", exclude=["INP02"]),
+            )
+        ]
+        encoded_findings = encode_threat_data(findings)
+
+        self.assertEqual(len(encoded_findings), 2)
+        self.assertEqual(encoded_findings[0].description, "A test description")
+        self.assertEqual(encoded_findings[0].severity, "High")
+        self.assertEqual(encoded_findings[0].id, "1")
+        self.assertEqual(encoded_findings[0].threat_id, "INP01")
+        self.assertEqual(encoded_findings[0].cvss, "9.876")
+        self.assertEqual(encoded_findings[0].response, "A test response")
+        self.assertEqual(encoded_findings[1].description, "An escape test &lt;script&gt;")
+        self.assertEqual(encoded_findings[1].severity, "Medium")
+        self.assertEqual(encoded_findings[1].id, "2")
+        self.assertEqual(encoded_findings[1].threat_id, "INP02")
+        self.assertEqual(encoded_findings[1].cvss, "1.234")
+        self.assertEqual(encoded_findings[1].response, "A test response")
diff --git a/tests/test_pytmfunc.py b/tests/test_pytmfunc.py
index 2abf72d..f94d042 100644
--- a/tests/test_pytmfunc.py
+++ b/tests/test_pytmfunc.py
@@ -294,7 +294,11 @@ def test_overrides(self):
         web = Server(
             "Web Server",
             overrides=[
-                Finding(threat_id="Server", response="mitigated by adding TLS"),
+                Finding(
+                    threat_id="Server",
+                    response="mitigated by adding TLS",
+                    cvss="1.234",
+                ),
             ],
         )
         db = Datastore(
@@ -304,6 +308,7 @@ def test_overrides(self):
                 Finding(
                     threat_id="Datastore",
                     response="accepted since inside the trust boundary",
+                    cvss="9.876",
                 ),
             ],
         )
@@ -327,10 +332,18 @@ def test_overrides(self):
         self.assertEqual(
             [f.response for f in web.findings], ["mitigated by adding TLS"]
         )
+        self.assertEqual(
+            [f.cvss for f in web.findings],
+            ["1.234"],
+        )
         self.assertEqual(
             [f.response for f in db.findings],
             ["accepted since inside the trust boundary"],
         )
+        self.assertEqual(
+            [f.cvss for f in db.findings],
+            ["9.876"],
+        )
 
     def test_json_dumps(self):
         random.seed(0)
@@ -435,9 +448,6 @@ def test_report(self):
         self.assertTrue(tm.check())
         output = tm.report("docs/basic_template.md")
 
-        with open(os.path.join(output_path, "output_current.md"), "w") as x:
-            x.write(output)
-
         with open(os.path.join(output_path, "output_current.md"), "w") as x:
             x.write(output)
 

From e12dc89733ba94608413061c750ce4a3e49d8893 Mon Sep 17 00:00:00 2001
From: Dakes <daniel.ostertag@dakes.de>
Date: Fri, 21 Jun 2024 12:20:18 +0200
Subject: [PATCH 3/3] Fix findings reset, if inScope is False

---
 pytm/pytm.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pytm/pytm.py b/pytm/pytm.py
index a9e3544..a711687 100644
--- a/pytm/pytm.py
+++ b/pytm/pytm.py
@@ -859,6 +859,7 @@ def resolve(self):
         elements = defaultdict(list)
         for e in TM._elements:
             if not e.inScope:
+                e.findings = findings
                 continue
 
             override_ids = set(f.threat_id for f in e.overrides)