Threats seem to "come through" to inScope = False assets

[mikegorman-nf]

I was chasing down why "inScope = False" didn't seem to work, meaning that when I set it for an asset, the report using the provided advanced_template.md still had threats listed for the out of scope assets. What I have realized is that the threats are "coming through" from the previous asset.

In the threat model attached, if I set ctrl.inScope=False, the report shows the threats from the previous asset (HTTP). If I remove the setting so it goes back to the default True, it shows a different set of threats, more relevant to the actual asset settings. If I put all the inScope = False assets first, then I don't see anything "coming through" some asset has to populate the threat items.

frontdoor_threatModel.py

[shivachethanreddy]

I was able to reproduce this on the current main branch.

Using docs/advanced_template.md, an asset marked inScope = False still shows threats in the report.

In my reproduction, SQL Database shows In Scope | False but still lists 42 threats, which appear to be carried over from the previous in-scope asset.

This looks like a report-generation/state-leakage issue rather than a modeling error.

[shivachethanreddy]

Prevent out-of-scope threats from rendering in reports
Fix threat leakage into out-of-scope elements