In scope=false assets fix (#312)

Summary:

This PR fixes issue #310, where threat findings from out-of-scope
elements were still rendered in generated reports.

The fix centralizes scope filtering inside ReportUtils and updates all
report templates to use scope-safe helper methods, preventing accidental
leakage of findings.

What was changed
 Code:
1)pytm/report_util.py
Added helper methods that return only in-scope findings

Introduced scope-safe accessors for:

>threat ID
>description
>target
>severity
>references
Prevented templates from directly iterating over raw item.findings

 Templates:

1)docs/basic_template.md
2)docs/advanced_template.md
3)docs/reveal.md

All templates were updated to:

>Stop accessing item.findings, item.id, item.target, etc. directly
>Use ReportUtils helper methods instead (for example:
getInScopeFindings, getThreatId, etc.)
>This ensures consistent and safe behavior across all report formats.

Why this fixes the bug:

>Previously, report templates accessed findings directly, bypassing
scope checks.
This caused out-of-scope threats to appear in reports, even when
elements were explicitly marked inScope = False.

With this change:

>Scope filtering is enforced in one centralized location
>Templates cannot accidentally leak out-of-scope findings
>All report types behave consistently

How this was verified

Generated reports using:

>docs/basic_template.md
>docs/advanced_template.md
>docs/reveal.md

Verified that:

>No templates reference item.findings, item.id, item.target, or
item.severity
>Out-of-scope elements do not render findings
>In-scope elements render findings correctly
>Existing report structure remains unchanged aside from the bug fix
>Commits included
>Fix threat leakage into out-of-scope elements
>Prevent out-of-scope threats from rendering in reports
(Commits can be squashed if preferred.)

Notes:

>No functional behavior outside report rendering was changed
>No new dependencies were added
>Changes are strictly limited to what is required to fix issue #310

Author: shivachethanreddy

docs/advanced_template.md

@@ -30,33 +30,33 @@ Name|Description|Classification|Carried|Processed
 Name|{{item.name}}
 |:----|:----|
 Description|{{item.description}}|
-Is Admin|{{item.isAdmin}}
+Is Admin|{{item.isAdmin}}|
 Finding Count|{{item:call:getFindingCount}}|
 
-{{item.findings:if:
-
+{{item:call:getInScopeFindings:
 **Threats**
 
-{{item.findings:repeat:
 <details>
-  <summary>   {{{{item.id}}}}  --  {{{{item.threat_id}}}}   --   {{{{item.description}}}}</summary>
+  <summary>
+   {{item:call:getThreatId}} — {{item:call:getFindingDescription}}
+  </summary>
+
   <h6> Targeted Element </h6>
-  <p> {{{{item.target}}}} </p>
+  <p>{{item:call:getFindingTarget}}</p>
   <h6> Severity </h6>
-  <p>{{{{item.severity}}}}</p>
+  <p>{{item:call:getFindingSeverity}}</p>
   <h6>Example Instances</h6>
-  <p>{{{{item.example}}}}</p>
+  <p>{{item:call:getFindingExample}}</p>
   <h6>Mitigations</h6>
-  <p>{{{{item.mitigations}}}}</p>
+  <p>{{item:call:getFindingMitigations}}</p>
   <h6>References</h6>
-  <p>{{{{item.references}}}}</p>
+  <p>{{item:call:getFindingReferences}}</p>
   &emsp;
 </details>
 }}
-}}
 }
 
-## Boundaries 
+## Boundaries
 
 {boundaries:repeat:
 Name|{{item.name}}
@@ -68,30 +68,29 @@ All Parents|{{item.parents:call:{{{{item.display_name:call:}}}}, }}|
 Classification|{{item.maxClassification}}|
 Finding Count|{{item:call:getFindingCount}}|
 
-{{item.findings:if:
-
+{{item:call:getInScopeFindings:
 **Threats**
 
-{{item.findings:repeat:
 <details>
-  <summary>   {{{{item.id}}}}  --  {{{{item.threat_id}}}}   --   {{{{item.description}}}}</summary>
-  <h6> Targeted Element </h6>
-  <p> {{{{item.target}}}} </p>
-  <h6> Severity </h6>
-  <p>{{{{item.severity}}}}</p>
+  <summary>
+    {{item:call:getThreatId}} — {{item:call:getFindingDescription}}
+  </summary>
+  <h6>Targeted Element</h6>
+  <p>{{item:call:getFindingTarget}}</p>
+  <h6>Severity</h6>
+  <p>{{item:call:getFindingSeverity}}</p>
   <h6>Example Instances</h6>
-  <p>{{{{item.example}}}}</p>
+  <p>{{item:call:getFindingExample}}</p>
   <h6>Mitigations</h6>
-  <p>{{{{item.mitigations}}}}</p>
+  <p>{{item:call:getFindingMitigations}}</p>
   <h6>References</h6>
-  <p>{{{{item.references}}}}</p>
-  &emsp;
+  <p>{{item:call:getFindingReferences}}</p>
 </details>
 }}
-}}
 }
 
-## Assets 
+
+## Assets
 
 {assets:repeat:
 Name|{{item.name}}|
@@ -101,30 +100,29 @@ In Scope|{{item.inScope}}|
 Type|{{item:call:getElementType}}|
 Finding Count|{{item:call:getFindingCount}}|
 
-{{item.findings:if:
-
+{{item:call:getInScopeFindings:
 **Threats**
 
-{{item.findings:repeat:
 <details>
-  <summary>   {{{{item.id}}}}  --  {{{{item.threat_id}}}}   --   {{{{item.description}}}}</summary>
-  <h6> Targeted Element </h6>
-  <p> {{{{item.target}}}} </p>
-  <h6> Severity </h6>
-  <p>{{{{item.severity}}}}</p>
+  <summary>
+    {{item:call:getThreatId}} — {{item:call:getFindingDescription}}
+  </summary>
+  <h6>Targeted Element</h6>
+  <p>{{item:call:getFindingTarget}}</p>
+  <h6>Severity</h6>
+  <p>{{item:call:getFindingSeverity}}</p>
   <h6>Example Instances</h6>
-  <p>{{{{item.example}}}}</p>
+  <p>{{item:call:getFindingExample}}</p>
   <h6>Mitigations</h6>
-  <p>{{{{item.mitigations}}}}</p>
+  <p>{{item:call:getFindingMitigations}}</p>
   <h6>References</h6>
-  <p>{{{{item.references}}}}</p>
-  &nbsp;
+  <p>{{item:call:getFindingReferences}}</p>
 </details>
 }}
-}}
 }
 
-## Data Flows 
+
+## Data Flows
 
 {dataflows:repeat:
 Name|{{item.name}}
@@ -136,50 +134,51 @@ Is Response|{{item.isResponse}}|
 In Scope|{{item.inScope}}|
 Finding Count|{{item:call:getFindingCount}}|
 
-{{item.findings:if:
-
+{{item:call:getInScopeFindings:
 **Threats**
 
-{{item.findings:repeat:
 <details>
-  <summary>   {{{{item.id}}}}  --  {{{{item.threat_id}}}}   --   {{{{item.description}}}}</summary>
-  <h6> Targeted Element </h6>
-  <p> {{{{item.target}}}} </p>
-  <h6> Severity </h6>
-  <p>{{{{item.severity}}}}</p>
+  <summary>
+    {{item:call:getThreatId}} — {{item:call:getFindingDescription}}
+  </summary>
+  <h6>Targeted Element</h6>
+  <p>{{item:call:getFindingTarget}}</p>
+  <h6>Severity</h6>
+  <p>{{item:call:getFindingSeverity}}</p>
   <h6>Example Instances</h6>
-  <p>{{{{item.example}}}}</p>
+  <p>{{item:call:getFindingExample}}</p>
   <h6>Mitigations</h6>
-  <p>{{{{item.mitigations}}}}</p>
+  <p>{{item:call:getFindingMitigations}}</p>
   <h6>References</h6>
-  <p>{{{{item.references}}}}</p>
-  &emsp;
+  <p>{{item:call:getFindingReferences}}</p>
 </details>
 }}
-}}
 }
 
+
 {tm.excluded_findings:if:
 # Excluded Threats
 }
 
 {tm.excluded_findings:repeat:
 <details>
-  <summary>  {{item.id}}  --  {{item.threat_id}}   --   {{item.description}}</summary>
-  <p>**{{item.threat_id}}** was excluded for **{{item.target}}** because of the assumption: "{{item.assumption.name}}
-"</p>
+  <summary>
+    {{item:call:getThreatId}} — {{item:call:getFindingDescription}}
+  </summary>
+  <p>
+    <b>{{item:call:getThreatId}}</b> was excluded for
+    <b>{{item:call:getFindingTarget}}</b>
+    because of the assumption "{{item.assumption.name}}"
+  </p>
   {{item.assumption.description:if:
-    <h6> Assumption description </h6>
-    <p> {{item.assumption.description}} </p>  
+  <h6>Assumption description</h6>
+  <p>{{item.assumption.description}}</p>
   }}
-
-  <h6> Targeted Element </h6>
-  <p> {{item.target}} </p>
-  <h6> Severity </h6>
-  <p>{{item.severity}}</p>
+  <h6>Severity</h6>
+  <p>{{item:call:getFindingSeverity}}</p>
   <h6>Example Instances</h6>
-  <p>{{item.example}}</p>
+  <p>{{item:call:getFindingExample}}</p>
   <h6>References</h6>
-  <p>{{item.references}}</p>
+  <p>{{item:call:getFindingReferences}}</p>
 </details>
 }

docs/basic_template.md

@@ -49,21 +49,29 @@ Name|Description|Classification
  
  
 
-|{findings:repeat:
+{findings:repeat:
 <details>
-  <summary>   {{item.threat_id}}   --   {{item.description}}</summary>
-  <h6> Targeted Element </h6>
-  <p> {{item.target}} </p>
-  <h6> Severity </h6>
-  <p>{{item.severity}}</p>
+  <summary>
+    {{item:call:getThreatId}} — {{item:call:getFindingDescription}}
+  </summary>
+
+  <h6>Targeted Element</h6>
+  <p>{{item:call:getFindingTarget}}</p>
+
+  <h6>Severity</h6>
+  <p>{{item:call:getFindingSeverity}}</p>
+
   <h6>Example Instances</h6>
-  <p>{{item.example}}</p>
+  <p>{{item:call:getFindingExample}}</p>
+
   <h6>Mitigations</h6>
-  <p>{{item.mitigations}}</p>
+  <p>{{item:call:getFindingMitigations}}</p>
+
   <h6>References</h6>
-  <p>{{item.references}}</p>
-  &nbsp;
+  <p>{{item:call:getFindingReferences}}</p>
+
   &nbsp;
-  &emsp;
 </details>
-}|
+}||
+
+