When the input VEX/JSON triage file has an analysis of state=exploitable and justification=requires_environment, the tool doesn't handle the update of the "details" field correctly.
In 3.3 for all combos I have, and in 3.4 for all other combos of state and justification, the details field is updated correctly upon the original run, and then on subsequent runs it is not updated. However, with this combination of values it adds to the front of the details field every time.
ORIGINAL input triage file entry referenced below:

```json
{
  "bom-ref": "[email protected]",
  "id": "CVE-2020-27209",
  "source": {
    "name": "NVD",
    "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27209"
  },
  "description": "The ECDSA operation of the micro-ecc library 1.0 is vulnerable to simple power analysis attacks which allows an adversary to extract the private ECC key.",
  "published": "2024-09-24T09:50:03Z",
  "updated": "2024-09-24T09:50:03Z",
  "analysis": {
    "state": "exploitable",
    "detail": "No vulnerability impact since to exploit the vulnerability, an attacker needs physical access to the device, etc etc etc",
    "justification": "requires_environment",
    "response": [
      "workaround_available"
    ]
  }
}
```
To reproduce
Steps to reproduce the behavior:
1. Have a triage file with the original CVE analysis in it as shown above in cve-bin-tool_triageFile.json.
2. Run this command:
   cve-bin-tool -i test_SBOM.csv --vex-file cve-bin-tool_triageFile.json -f csv,html --vex-output triage0924a.json
3. See that triage0924a.json correctly updated the detail to:
   "detail": "Confirmed: requires_environment: No vulnerability impact since to exploit the vulnerability, an attacker needs physical access to the device, etc etc etc.",
4. Run the command again with --vex-output triage0924b.json.
5. See that triage0924b.json added the fields in again:
   "detail": "Confirmed: requires_environment: Confirmed: requires_environment: No vulnerability impact since to exploit the vulnerability, an attacker needs physical access to the device, etc etc etc.

Expected behavior: the tool should add the string Confirmed: requires_environment: into the details field only the 1st time and recognize when it's already there after that.
Actual behavior: the tool keeps adding the string Confirmed: requires_environment: into the details field under this combination of data over and over.
Again, this doesn't happen with other combinations I have, just this one.
Version/platform info
Version of CVE-bin-tool: 3.4
Installed from pypi or github?
Operating system: Linux/Windows: Windows 10
On Windows you can run systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19042 N/A Build 19042
Python version (e.g. python3 --version): v3.12.0
Running in any particular CI environment we should know about? N/A
Anything else?
v3.4 also started changing the Response of "workaround_available" to "w" - not sure why
@terriko this is a further item found while I test v3.4 that is different from v3.3.
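To show what the expected behaviour from the report looks like in code, here is an added example (not cve-bin-tool's own code) of an idempotent update of a CycloneDX VEX `analysis.detail` field. It assumes the output format visible in the issue ("Confirmed: <justification>: <original detail>"); the helper names `build_detail_prefix`, `update_analysis` and `run_twice` are hypothetical, and the sample analysis object is constructed from the triage entry quoted above. The second run is the check: a triage file that has already been through the tool must come out unchanged.

```python
"""Idempotent handling of the CycloneDX VEX ``analysis.detail`` field.

Added example, not cve-bin-tool's own code. It assumes the output format
visible in the issue ("Confirmed: <justification>: <original detail>") and
uses hypothetical helper names. The sample entry is constructed from the
issue text.
"""
import copy

# Only the "exploitable" -> "Confirmed" label is visible in the issue; the
# fallback of capitalising the state name for other states is an assumption.
STATE_LABELS = {"exploitable": "Confirmed"}

# Constructed from the triage entry quoted in the issue.
SAMPLE_ANALYSIS = {
    "state": "exploitable",
    "detail": "No vulnerability impact since to exploit the vulnerability, "
              "an attacker needs physical access to the device, etc etc etc",
    "justification": "requires_environment",
    "response": ["workaround_available"],
}


def build_detail_prefix(state, justification):
    """Prefix to prepend, e.g. 'Confirmed: requires_environment: '."""
    label = STATE_LABELS.get(state, state.capitalize())
    if justification:
        return f"{label}: {justification}: "
    return f"{label}: "


def update_analysis(analysis):
    """Return a copy of ``analysis`` whose detail carries the prefix exactly once.

    The startswith() check is what makes the update idempotent: if the prefix
    is already present from an earlier run, the detail is left as it is.
    """
    updated = copy.deepcopy(analysis)
    detail = updated.get("detail") or ""
    prefix = build_detail_prefix(updated.get("state", ""),
                                 updated.get("justification", ""))
    if not detail.startswith(prefix):
        updated["detail"] = prefix + detail
    # Keep "response" a list of whole strings. A bare string handed to a
    # consumer that iterates a list would be walked character by character,
    # which is one way a value like "workaround_available" can shrink to "w".
    response = updated.get("response", [])
    if isinstance(response, str):
        response = [response]
    updated["response"] = list(response)
    return updated


def run_twice(analysis):
    """Apply the update twice, as two successive tool runs would."""
    first = update_analysis(analysis)
    second = update_analysis(first)
    return first, second


if __name__ == "__main__":
    first, second = run_twice(SAMPLE_ANALYSIS)
    print(first["detail"])
    print("second run unchanged:", first == second)
```

Running the block prints the prefixed detail once and reports that the second pass left it unchanged, which is the behaviour the report expects from the tool.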