Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Allow overriding Finding attributes in particular data flows (or other assets). For example, this allows to set custom responses, CVSS scores (added as new attrs) or increase/lower the severity. See the new test for usage examples.
If there's an override defined for a particular threat, it'll always be added as a finding, even if the threat no longer applies. This is to include all mitigations in a report. To remove the finding, remove the override.
Overrides are defined per element because otherwise the original threat should be adjusted.
Overrides can be defined in an asset and then they'd apply to all dataflows. For more granularity, they should be defined only in particular dataflows. There's a check to avoid having two overrides for the same threat, since it would be hard to debug why an override doesn't get applied when it would be overwritten by another one.