Updated risk.Visit() to not always re-open risks

[peter-kwan]

The Hackerone integration started a new pattern where some risks it ingests would already be in the Remediated status.

At risk.Visit(), the logic assumes if a risk show up again, it is actually a new pop. This is true for our scanners. But won't always be for integrations where we are going to ingest remediated risks. We started to do that as we want the data, not just to ingest the risks to triage them.

Linear

Fix the second bug in this ticket: https://linear.app/praetorianlabs/issue/ENG-1645/hackerone-integration-bugs-in-fox

[chatgpt-codex-connector]

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

[github-actions]

Claude finished @peter-kwan's task —— View job

---

Code Review Analysis

Todo List:

• Read modified Go files to understand changes
• Analyze significance of code changes
• Check for automated test coverage
• Format and post review findings

---

Has Go, TypeScript, or Python Changes: Yes
Has Significant Changes: Yes
Has Automated Tests: Yes

Findings

• Critical Logic Fix: Line 126 in risk.go adds condition && !n.Is(Remediated) preventing unnecessary status changes when both existing and incoming risks are already remediated
• Addresses Integration Issue: Fixes HackerOne integration problem where remediated risks were being incorrectly reopened during ingestion
• Proper Test Coverage: New test TestRisk_Visit_ShouldKeepRemediated specifically validates the fixed behavior
• Minimal Surface Area: Change affects only the Visit() method with surgical precision

Recommendations

• Consider Edge Cases: Test behavior when existing risk is remediated but incoming has different severity levels
• Integration Testing: Verify HackerOne integration no longer incorrectly reopens remediated risks in production
• Documentation: Consider adding inline comment explaining the remediation preservation logic
• Monitor Metrics: Track frequency of remediated→open transitions to validate fix effectiveness

---

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

---

Walkthrough

Timestamp header comments updated in two Python model files. In Go, Risk.Visit behavior changed: when the existing risk status is Remediated, it now transitions to Open only if the incoming risk is not Remediated. Tests were adjusted and expanded: import order changed, a merge-related test was renamed and expanded, and a new TestRisk_VisitRemediatedRisks suite with two subtests was added.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch peter/dont-always-reopen

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

pkg/model/model/risk_test.go (1)

241-365: Fix typo in test name (“Bahaviors” → “Behaviors”).

Minor, but it improves searchability and clarity.

♻️ Proposed rename

-func TestRisk_MoreMergeBahaviors(t *testing.T) {
+func TestRisk_MoreMergeBehaviors(t *testing.T) {