
Commit 29fbdc1

In scope=false assets fix (#312)
Summary: This PR fixes issue #310, where threat findings from out-of-scope elements were still rendered in generated reports. The fix centralizes scope filtering inside ReportUtils and updates all report templates to use scope-safe helper methods, preventing accidental leakage of findings.

What was changed

Code:
1) pytm/report_util.py
   Added helper methods that return only in-scope findings
   Introduced scope-safe accessors for:
   > threat ID
   > description
   > target
   > severity
   > references
   Prevented templates from directly iterating over raw item.findings

Templates:
1) docs/basic_template.md
2) docs/advanced_template.md
3) docs/reveal.md

All templates were updated to:
> Stop accessing item.findings, item.id, item.target, etc. directly
> Use ReportUtils helper methods instead (for example: getInScopeFindings, getThreatId, etc.)
> This ensures consistent and safe behavior across all report formats.

Why this fixes the bug:
> Previously, report templates accessed findings directly, bypassing scope checks. This caused out-of-scope threats to appear in reports, even when elements were explicitly marked inScope = False.

With this change:
> Scope filtering is enforced in one centralized location
> Templates cannot accidentally leak out-of-scope findings
> All report types behave consistently

How this was verified

Generated reports using:
> docs/basic_template.md
> docs/advanced_template.md
> docs/reveal.md

Verified that:
> No templates reference item.findings, item.id, item.target, or item.severity
> Out-of-scope elements do not render findings
> In-scope elements render findings correctly
> Existing report structure remains unchanged aside from the bug fix

Commits included
> Fix threat leakage into out-of-scope elements
> Prevent out-of-scope threats from rendering in reports
(Commits can be squashed if preferred.)

Notes:
> No functional behavior outside report rendering was changed
> No new dependencies were added
> Changes are strictly limited to what is required to fix issue #310
1 parent 54affa2 commit 29fbdc1
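The mechanism the commit message describes, as an added example that is not pytm's code and not part of this commit: a constructed two-element model, a minimal `string.Formatter`-based engine modelled on the `:repeat:` / `:if:` / `:call:` syntax the templates in this commit use, and a `ReportUtils` stand-in in which `getInScopeFindings` is the only route from a template to an element's findings. The class names, helper names, template strings and threat IDs (`INP01`, `DS01`) are assumptions; the sample model deliberately has a finding attached to an element marked `inScope=False`, so the leaky template and the scoped template can be compared on the same input.

```python
"""Added illustration of the scope leak fixed by this commit and of the
centralized filter that closes it. Not pytm's code: Finding, Element,
ReportUtils and SuperFormatter are simplified stand-ins (assumptions
modelled on the :repeat: / :if: / :call: syntax the templates use)."""
import string
from dataclasses import dataclass, field


@dataclass
class Finding:
    threat_id: str
    description: str
    target: str
    severity: str


@dataclass
class Element:
    name: str
    inScope: bool = True
    findings: list = field(default_factory=list)


class ReportUtils:
    """The one place scope is enforced; templates never see raw findings."""

    @staticmethod
    def getInScopeFindings(element):
        # An out-of-scope element contributes nothing, whatever was
        # attached to element.findings upstream.
        return list(element.findings) if element.inScope else []

    @staticmethod
    def getFindingCount(element):
        # Count the same filtered list that is rendered, so the two agree.
        return len(ReportUtils.getInScopeFindings(element))

    @staticmethod
    def getThreatId(finding):
        return finding.threat_id

    @staticmethod
    def getFindingSeverity(finding):
        return finding.severity

    @staticmethod
    def getFindingTarget(finding):
        return finding.target


class SuperFormatter(string.Formatter):
    """string.Formatter with repeat / if / call specs (stand-in, assumed).

    string.Formatter expands a spec body once before format_field runs, so
    fields that must be evaluated per item inside a body carry one extra
    level of brace escaping, the convention the page's templates follow.
    """

    def format_field(self, value, spec):
        kind, _, rest = spec.partition(":")
        if kind == "repeat":
            return "".join(self.format(rest, item=v) for v in value)
        if kind == "if":
            return rest if value else ""
        if kind == "call":
            method, _, body = rest.partition(":")
            result = getattr(ReportUtils, method)(value)
            if body:  # call with a body: instantiate it once per result item
                return "".join(self.format(body, item=v) for v in result)
            return str(result)
        return super().format_field(value, spec)


# Before the fix: the template walks item.findings itself, bypassing scope.
LEAKY_TEMPLATE = (
    "{elements:repeat:## {{item.name}} (inScope={{item.inScope}})\n"
    "{{item.findings:repeat:- {{{{item.threat_id}}}} [{{{{item.severity}}}}]"
    " on {{{{item.target}}}}\n}}}"
)

# After the fix: findings are only reachable through the scope-safe helper.
SCOPED_TEMPLATE = (
    "{elements:repeat:## {{item.name}} (inScope={{item.inScope}},"
    " findings={{item:call:getFindingCount}})\n"
    "{{item:call:getInScopeFindings:- {{{{item:call:getThreatId}}}}"
    " [{{{{item:call:getFindingSeverity}}}}] on {{{{item:call:getFindingTarget}}}}\n}}}"
)


def build_model():
    """Constructed sample: a finding sits on an element the author marked
    inScope=False, the situation issue #310 describes."""
    web = Element("web", True, [Finding("INP01", "Input validation", "web", "High")])
    legacy = Element("legacy-db", False,
                     [Finding("DS01", "Data store exposure", "legacy-db", "High")])
    return [web, legacy]


def render(template, elements):
    return SuperFormatter().format(template, elements=elements)


def leaked_ids(report, elements):
    """Threat IDs present in the report whose element is out of scope."""
    return sorted(f.threat_id for e in elements if not e.inScope
                  for f in e.findings if f.threat_id in report)


if __name__ == "__main__":
    model = build_model()
    print(render(LEAKY_TEMPLATE, model))   # DS01 appears under legacy-db
    print(render(SCOPED_TEMPLATE, model))  # DS01 is gone, findings=0
```

Run it directly to see both renders side by side. The scoped template also derives its finding count from the same filtered list that is rendered, so the count shown for an element can never disagree with the entries listed under it.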

File tree

4 files changed

+207
-140
lines changed


docs/advanced_template.md

Lines changed: 64 additions & 65 deletions
@@ -30,33 +30,33 @@ Name|Description|Classification|Carried|Processed
3030
Name|{{item.name}}
3131
|:----|:----|
3232
Description|{{item.description}}|
33-
Is Admin|{{item.isAdmin}}
33+
Is Admin|{{item.isAdmin}}|
3434
Finding Count|{{item:call:getFindingCount}}|
3535

36-
{{item.findings:if:
37-
36+
{{item:call:getInScopeFindings:
3837
**Threats**
3938

40-
{{item.findings:repeat:
4139
<details>
42-
<summary> {{{{item.id}}}} -- {{{{item.threat_id}}}} -- {{{{item.description}}}}</summary>
40+
<summary>
41+
{{item:call:getThreatId}} — {{item:call:getFindingDescription}}
42+
</summary>
43+
4344
<h6> Targeted Element </h6>
44-
<p> {{{{item.target}}}} </p>
45+
<p>{{item:call:getFindingTarget}}</p>
4546
<h6> Severity </h6>
46-
<p>{{{{item.severity}}}}</p>
47+
<p>{{item:call:getFindingSeverity}}</p>
4748
<h6>Example Instances</h6>
48-
<p>{{{{item.example}}}}</p>
49+
<p>{{item:call:getFindingExample}}</p>
4950
<h6>Mitigations</h6>
50-
<p>{{{{item.mitigations}}}}</p>
51+
<p>{{item:call:getFindingMitigations}}</p>
5152
<h6>References</h6>
52-
<p>{{{{item.references}}}}</p>
53+
<p>{{item:call:getFindingReferences}}</p>
5354
&emsp;
5455
</details>
5556
}}
56-
}}
5757
}
5858

59-
## Boundaries
59+
## Boundaries
6060

6161
{boundaries:repeat:
6262
Name|{{item.name}}
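Review bot: Brace escaping inside the new `{{item:call:getInScopeFindings:` body looks one level short. The per-finding fields it contains (`{{item:call:getThreatId}}`, `{{item:call:getFindingTarget}}`, ...) use two braces, while the lines they replace (`{{{{item.id}}}}`, `{{{{item.target}}}}`) and the untouched `{{item.parents:call:{{{{item.display_name:call:}}}}, }}` row further down this file use four braces for fields nested one body deeper at this same depth. Unless report_util.py (not part of this view) changed how a `call` body is expanded, those fields would be resolved against the enclosing element before the findings are iterated; please confirm on a rendered report and state the new escaping rule in the PR if it changed. Also, `{{{{item.id}}}} -- {{{{item.threat_id}}}}` became just the threat ID, so the summary no longer carries a per-finding identifier; the message says the report structure is otherwise unchanged, so call this out if it is intended.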
@@ -68,30 +68,29 @@ All Parents|{{item.parents:call:{{{{item.display_name:call:}}}}, }}|
6868
Classification|{{item.maxClassification}}|
6969
Finding Count|{{item:call:getFindingCount}}|
7070

71-
{{item.findings:if:
72-
71+
{{item:call:getInScopeFindings:
7372
**Threats**
7473

75-
{{item.findings:repeat:
7674
<details>
77-
<summary> {{{{item.id}}}} -- {{{{item.threat_id}}}} -- {{{{item.description}}}}</summary>
78-
<h6> Targeted Element </h6>
79-
<p> {{{{item.target}}}} </p>
80-
<h6> Severity </h6>
81-
<p>{{{{item.severity}}}}</p>
75+
<summary>
76+
{{item:call:getThreatId}} — {{item:call:getFindingDescription}}
77+
</summary>
78+
<h6>Targeted Element</h6>
79+
<p>{{item:call:getFindingTarget}}</p>
80+
<h6>Severity</h6>
81+
<p>{{item:call:getFindingSeverity}}</p>
8282
<h6>Example Instances</h6>
83-
<p>{{{{item.example}}}}</p>
83+
<p>{{item:call:getFindingExample}}</p>
8484
<h6>Mitigations</h6>
85-
<p>{{{{item.mitigations}}}}</p>
85+
<p>{{item:call:getFindingMitigations}}</p>
8686
<h6>References</h6>
87-
<p>{{{{item.references}}}}</p>
88-
&emsp;
87+
<p>{{item:call:getFindingReferences}}</p>
8988
</details>
9089
}}
91-
}}
9290
}
9391

94-
## Assets
92+
93+
## Assets
9594

9695
{assets:repeat:
9796
Name|{{item.name}}|
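Review bot: `Finding Count|{{item:call:getFindingCount}}|` is left as-is while the list under it now comes from `getInScopeFindings`. If `getFindingCount` still counts the raw `item.findings`, a boundary with `inScope = False` will show a non-zero count over an empty **Threats** section; derive the count from the same filtered list in report_util.py (not in this view) or note that it already does. Minor: the trailing `&emsp;` spacer is removed here but kept in the actor section above, so the two sections no longer render alike.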
@@ -101,30 +100,29 @@ In Scope|{{item.inScope}}|
101100
Type|{{item:call:getElementType}}|
102101
Finding Count|{{item:call:getFindingCount}}|
103102

104-
{{item.findings:if:
105-
103+
{{item:call:getInScopeFindings:
106104
**Threats**
107105

108-
{{item.findings:repeat:
109106
<details>
110-
<summary> {{{{item.id}}}} -- {{{{item.threat_id}}}} -- {{{{item.description}}}}</summary>
111-
<h6> Targeted Element </h6>
112-
<p> {{{{item.target}}}} </p>
113-
<h6> Severity </h6>
114-
<p>{{{{item.severity}}}}</p>
107+
<summary>
108+
{{item:call:getThreatId}} — {{item:call:getFindingDescription}}
109+
</summary>
110+
<h6>Targeted Element</h6>
111+
<p>{{item:call:getFindingTarget}}</p>
112+
<h6>Severity</h6>
113+
<p>{{item:call:getFindingSeverity}}</p>
115114
<h6>Example Instances</h6>
116-
<p>{{{{item.example}}}}</p>
115+
<p>{{item:call:getFindingExample}}</p>
117116
<h6>Mitigations</h6>
118-
<p>{{{{item.mitigations}}}}</p>
117+
<p>{{item:call:getFindingMitigations}}</p>
119118
<h6>References</h6>
120-
<p>{{{{item.references}}}}</p>
121-
&nbsp;
119+
<p>{{item:call:getFindingReferences}}</p>
122120
</details>
123121
}}
124-
}}
125122
}
126123

127-
## Data Flows
124+
125+
## Data Flows
128126

129127
{dataflows:repeat:
130128
Name|{{item.name}}
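Review bot: `**Threats**` has moved from the `:if:` wrapper into the `getInScopeFindings:` body, and the `:repeat:` wrapper is gone. If that body is what gets instantiated once per finding (the only way a `<details>` block can appear for each finding), the heading and the blank line will be emitted before every `<details>`, not once per asset; if instead the body is rendered once, at most one finding can be shown. Either way the previous layout (heading once, then N details) is not reproduced. Suggest keeping `**Threats**` outside the per-finding body, behind an explicit guard so it prints once per asset, with only the `<details>` block inside. The `&nbsp;` spacer after the references paragraph is also dropped; fine, but it is a layout change the message does not mention.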
@@ -136,50 +134,51 @@ Is Response|{{item.isResponse}}|
136134
In Scope|{{item.inScope}}|
137135
Finding Count|{{item:call:getFindingCount}}|
138136

139-
{{item.findings:if:
140-
137+
{{item:call:getInScopeFindings:
141138
**Threats**
142139

143-
{{item.findings:repeat:
144140
<details>
145-
<summary> {{{{item.id}}}} -- {{{{item.threat_id}}}} -- {{{{item.description}}}}</summary>
146-
<h6> Targeted Element </h6>
147-
<p> {{{{item.target}}}} </p>
148-
<h6> Severity </h6>
149-
<p>{{{{item.severity}}}}</p>
141+
<summary>
142+
{{item:call:getThreatId}} — {{item:call:getFindingDescription}}
143+
</summary>
144+
<h6>Targeted Element</h6>
145+
<p>{{item:call:getFindingTarget}}</p>
146+
<h6>Severity</h6>
147+
<p>{{item:call:getFindingSeverity}}</p>
150148
<h6>Example Instances</h6>
151-
<p>{{{{item.example}}}}</p>
149+
<p>{{item:call:getFindingExample}}</p>
152150
<h6>Mitigations</h6>
153-
<p>{{{{item.mitigations}}}}</p>
151+
<p>{{item:call:getFindingMitigations}}</p>
154152
<h6>References</h6>
155-
<p>{{{{item.references}}}}</p>
156-
&emsp;
153+
<p>{{item:call:getFindingReferences}}</p>
157154
</details>
158155
}}
159-
}}
160156
}
161157

158+
162159
{tm.excluded_findings:if:
163160
# Excluded Threats
164161
}
165162

166163
{tm.excluded_findings:repeat:
167164
<details>
168-
<summary> {{item.id}} -- {{item.threat_id}} -- {{item.description}}</summary>
169-
<p>**{{item.threat_id}}** was excluded for **{{item.target}}** because of the assumption: "{{item.assumption.name}}
170-
"</p>
165+
<summary>
166+
{{item:call:getThreatId}} — {{item:call:getFindingDescription}}
167+
</summary>
168+
<p>
169+
<b>{{item:call:getThreatId}}</b> was excluded for
170+
<b>{{item:call:getFindingTarget}}</b>
171+
because of the assumption "{{item.assumption.name}}"
172+
</p>
171173
{{item.assumption.description:if:
172-
<h6> Assumption description </h6>
173-
<p> {{item.assumption.description}} </p>
174+
<h6>Assumption description</h6>
175+
<p>{{item.assumption.description}}</p>
174176
}}
175-
176-
<h6> Targeted Element </h6>
177-
<p> {{item.target}} </p>
178-
<h6> Severity </h6>
179-
<p>{{item.severity}}</p>
177+
<h6>Severity</h6>
178+
<p>{{item:call:getFindingSeverity}}</p>
180179
<h6>Example Instances</h6>
181-
<p>{{item.example}}</p>
180+
<p>{{item:call:getFindingExample}}</p>
182181
<h6>References</h6>
183-
<p>{{item.references}}</p>
182+
<p>{{item:call:getFindingReferences}}</p>
184183
</details>
185184
}
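Review bot: `{tm.excluded_findings:repeat:` still hands the raw excluded list to the template; the new `getThreatId` / `getFindingTarget` / `getFindingSeverity` calls only read fields of a finding already given to them, so excluded findings whose target is out of scope are not filtered by this change. If `tm.excluded_findings` can contain such entries (depends on report_util.py, not shown here), the leak the PR closes in the element sections stays open in the Excluded Threats section. Separately, the dedicated `<h6> Targeted Element </h6>` block and the `{{item.id}}` in the summary are dropped from the excluded entries; the target now appears only inline in the exclusion sentence. Fine if intended, but it is a structural change beyond the scope fix the message describes.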

docs/basic_template.md

Lines changed: 20 additions & 12 deletions
@@ -49,21 +49,29 @@ Name|Description|Classification
4949
&nbsp;
5050
&nbsp;
5151

52-
|{findings:repeat:
52+
{findings:repeat:
5353
<details>
54-
<summary> {{item.threat_id}} -- {{item.description}}</summary>
55-
<h6> Targeted Element </h6>
56-
<p> {{item.target}} </p>
57-
<h6> Severity </h6>
58-
<p>{{item.severity}}</p>
54+
<summary>
55+
{{item:call:getThreatId}} — {{item:call:getFindingDescription}}
56+
</summary>
57+
58+
<h6>Targeted Element</h6>
59+
<p>{{item:call:getFindingTarget}}</p>
60+
61+
<h6>Severity</h6>
62+
<p>{{item:call:getFindingSeverity}}</p>
63+
5964
<h6>Example Instances</h6>
60-
<p>{{item.example}}</p>
65+
<p>{{item:call:getFindingExample}}</p>
66+
6167
<h6>Mitigations</h6>
62-
<p>{{item.mitigations}}</p>
68+
<p>{{item:call:getFindingMitigations}}</p>
69+
6370
<h6>References</h6>
64-
<p>{{item.references}}</p>
65-
&nbsp;
71+
<p>{{item:call:getFindingReferences}}</p>
72+
6673
&nbsp;
67-
&emsp;
6874
</details>
69-
}|
75+
}||
76+
77+
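Review bot: This template still iterates the raw top-level `{findings:repeat:` list; the accessors swapped in (`getThreatId`, `getFindingTarget`, `getFindingSeverity`, ...) only read fields of a finding already handed to them, so nothing in this file applies the `getInScopeFindings` filter the message credits for the fix. Unless `findings` is pre-filtered in report_util.py (not in this view), an out-of-scope element's findings will still be listed in the basic report; please verify with such an element. Also, the closing `}|` became `}||` while the opening `|` before `{findings:repeat:` was removed, which leaves two stray pipe characters in the output after the last finding; a bare `}` seems to be what was meant.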
