From cbbdd3e9d80f0e65cd99969abb5d34ffde5854b4 Mon Sep 17 00:00:00 2001
From: akshat-prosperr <akshat.pal@prosperr.io>
Date: Mon, 23 Feb 2026 13:36:34 +0530
Subject: [PATCH] Fix CWE related weakness parsing and add regression tests

---
 application/tests/cwe_parser_test.py          | 45 +++++++++++++++++++
 .../external_project_parsers/parsers/cwe.py   | 22 ++++++---
 2 files changed, 61 insertions(+), 6 deletions(-)

diff --git a/application/tests/cwe_parser_test.py b/application/tests/cwe_parser_test.py
index 2c0f72327..9dbaa71af 100644
--- a/application/tests/cwe_parser_test.py
+++ b/application/tests/cwe_parser_test.py
@@ -102,6 +102,51 @@ def iter_content(self, chunk_size=None):
             self.assertCountEqual(nodes[0].todict(), expected[0].todict())
             self.assertCountEqual(nodes[1].todict(), expected[1].todict())
 
+    def test_parse_related_weakness_handles_list(self) -> None:
+        parser = cwe.CWE()
+        cwe_node = defs.Standard(name="CWE", sectionID="1004", section="Test CWE")
+
+        with patch.object(
+            parser,
+            "link_to_related_cwe",
+            side_effect=lambda cwe, cache, related_id: cwe,
+        ) as mocked_link:
+            result = parser.parse_related_weakness(
+                cache=self.collection,
+                rw={
+                    "Related_Weakness": [
+                        {"@CWE_ID": "732"},
+                        {"@CWE_ID": "733"},
+                    ]
+                },
+                cwe=cwe_node,
+            )
+
+        self.assertIs(result, cwe_node)
+        self.assertEqual(mocked_link.call_count, 2)
+        mocked_link.assert_any_call(
+            cwe=cwe_node,
+            cache=self.collection,
+            related_id="732",
+        )
+        mocked_link.assert_any_call(
+            cwe=cwe_node,
+            cache=self.collection,
+            related_id="733",
+        )
+
+    def test_parse_related_weakness_returns_original_on_empty_input(self) -> None:
+        parser = cwe.CWE()
+        cwe_node = defs.Standard(name="CWE", sectionID="1004", section="Test CWE")
+
+        result = parser.parse_related_weakness(
+            cache=self.collection,
+            rw={},
+            cwe=cwe_node,
+        )
+
+        self.assertIs(result, cwe_node)
+
     CWE_xml = """<?xml version="1.0" encoding="UTF-8"?>
 <Weakness_Catalog Name="CWE" Version="4.10" Date="2023-01-31" xmlns="http://cwe.mitre.org/cwe-6"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
diff --git a/application/utils/external_project_parsers/parsers/cwe.py b/application/utils/external_project_parsers/parsers/cwe.py
index b0821aba5..0b30c06d6 100644
--- a/application/utils/external_project_parsers/parsers/cwe.py
+++ b/application/utils/external_project_parsers/parsers/cwe.py
@@ -2,7 +2,7 @@
 import os
 import tempfile
 import requests
-from typing import Dict
+from typing import Any, Dict
 from application.database import db
 from application.defs import cre_defs as defs
 import shutil
@@ -161,9 +161,19 @@ def register_cwe(self, cache: db.Node_collection, xml_file: str):
         return entries
 
     def parse_related_weakness(
-        self, cache: db.Node_collection, rw: Dict[str, Dict], cwe: defs.Standard
+        self, cache: db.Node_collection, rw: Dict[str, Any], cwe: defs.Standard
     ) -> defs.Standard:
-        cwe_entry = rw.get("Related_Weakness")
-        if isinstance(cwe_entry, Dict):
-            id = cwe_entry["@CWE_ID"]
-            return self.link_to_related_cwe(cwe=cwe, cache=cache, related_id=id)
+        cwe_entries = rw.get("Related_Weakness")
+        if isinstance(cwe_entries, Dict):
+            cwe_entries = [cwe_entries]
+
+        if isinstance(cwe_entries, list):
+            for cwe_entry in cwe_entries:
+                if isinstance(cwe_entry, Dict):
+                    related_id = cwe_entry.get("@CWE_ID")
+                    if related_id:
+                        cwe = self.link_to_related_cwe(
+                            cwe=cwe, cache=cache, related_id=related_id
+                        )
+
+        return cwe