fix: increase title truncation threshold from 150 to 500 characters

Per PR review feedback, expanded title field to use more of the
available 511 characters. Added test data with 627-char threat
to verify truncation behavior. Updated docs accordingly.

Authored by T. Walker - DefectDojo

Author: skywalke34

docs/content/supported_tools/parsers/file/iriusrisk.md

@@ -49,7 +49,7 @@ Sample IriusRisk scans can be found in the [sample scan data folder](https://git
 
 | Source Field             | DefectDojo Field     | Notes                                                                 |
 | ------------------------ | -------------------- | --------------------------------------------------------------------- |
-| Threat                   | title                | Truncated to 150 characters with "..." suffix if longer               |
+| Threat                   | title                | Truncated to 500 characters with "..." suffix if longer               |
 | Current Risk             | severity             | Mapped from IriusRisk risk levels to DefectDojo severity levels       |
 | Component                | component_name       | The affected asset or component from the threat model                 |
 | Threat                   | description          | Full threat text included as first line of structured description     |
@@ -99,7 +99,7 @@ Any unrecognized risk value defaults to Info. The mapping uses the "Current Risk
 
 ### Title Format
 
-Finding titles are derived from the "Threat" column. Threat descriptions longer than 150 characters are truncated to 147 characters with a "..." suffix appended. Shorter threat texts are used as-is without modification.
+Finding titles are derived from the "Threat" column. Threat descriptions longer than 500 characters are truncated to 497 characters with a "..." suffix appended. Shorter threat texts are used as-is without modification.
 
 ### Description Construction
 

dojo/tools/iriusrisk/parser.py

@@ -46,8 +46,8 @@ def get_findings(self, filename, test):
             mitre_reference = (row.get("MITRE reference") or "").strip()
             stride_lm = (row.get("STRIDE-LM") or "").strip()
 
-            # Title: truncate to 150 chars with ellipsis if needed
-            title = threat[:147] + "..." if len(threat) > 150 else threat
+            # Title: truncate to 500 chars with ellipsis if needed
+            title = threat[:497] + "..." if len(threat) > 500 else threat
 
             severity = SEVERITY_MAPPING.get(current_risk, "Info")
 

unittests/scans/iriusrisk/many_vulns.csv

@@ -5,3 +5,4 @@
 "app-srec-audit-events","Networking","Created by Rules Engine","Access to network traffic from other containers creates the potential for various types of attacks such as denial of service or spoofing attack","Planned mitigation: 0%. Mitigated: 100%. Unmitigated: 0%.","High","Very low","100%","Not tested","Not tested","Very low",,,
 "API BS Service Provider","General","Created by Rules Engine","An attacker injects, manipulates or forges malicious log entries in the log file, allowing her to mislead a log audit, cover traces of attack, or perform other malicious actions","Planned mitigation: 100%. Mitigated: 0%. Unmitigated: 0%.","Medium","Medium","0%","Not tested","Not tested","Very low","John Smith",,
 "Database Server","Data Storage","Created by Rules Engine","An attacker targets the database server to exfiltrate sensitive records","Planned mitigation: 0%. Mitigated: 0%. Unmitigated: 100%.","Critical","Critical","0%","Not tested","Not tested","Critical",,,
+"Web Application Frontend","Input Validation","Created by Rules Engine","An attacker exploits insufficient input validation across multiple entry points in the web application frontend to inject malicious payloads that bypass security controls and propagate through downstream services including the API gateway, message queue processors, database abstraction layer, and caching infrastructure, potentially leading to remote code execution, privilege escalation, data exfiltration, cross-site scripting, server-side request forgery, and other attack vectors that compromise the confidentiality, integrity, and availability of the entire application stack and its associated microservices architecture","Planned mitigation: 50%. Mitigated: 25%. Unmitigated: 25%.","High","High","25%","Not tested","Not tested","Medium",,"CWE-20","Information Disclosure"

unittests/tools/test_iriusrisk_parser.py

@@ -21,7 +21,7 @@ def test_parse_many_findings(self):
         with (get_unit_tests_scans_path("iriusrisk") / "many_vulns.csv").open(encoding="utf-8") as testfile:
             parser = IriusriskParser()
             findings = parser.get_findings(testfile, Test())
-            self.assertEqual(6, len(findings))
+            self.assertEqual(7, len(findings))
 
     def test_finding_severity_high(self):
         with (get_unit_tests_scans_path("iriusrisk") / "one_vuln.csv").open(encoding="utf-8") as testfile:
@@ -54,12 +54,13 @@ def test_finding_severity_critical(self):
             # Row 6 (index 5) has Current Risk = "Critical"
             self.assertEqual("Critical", findings[5].severity)
 
-    def test_finding_title_truncated_at_150_chars(self):
+    def test_finding_title_truncated_at_500_chars(self):
         with (get_unit_tests_scans_path("iriusrisk") / "many_vulns.csv").open(encoding="utf-8") as testfile:
             parser = IriusriskParser()
             findings = parser.get_findings(testfile, Test())
-            self.assertLessEqual(len(findings[4].title), 150)
-            self.assertTrue(findings[4].title.endswith("..."))
+            # Row 7 (index 6) has a threat longer than 500 characters
+            self.assertLessEqual(len(findings[6].title), 500)
+            self.assertTrue(findings[6].title.endswith("..."))
 
     def test_finding_title_not_truncated_when_short(self):
         with (get_unit_tests_scans_path("iriusrisk") / "one_vuln.csv").open(encoding="utf-8") as testfile: