Skip to content

Fix #10268: Make Finding Group filter context-aware (Test/Engagement/Product) #14271

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
AbhimanyuGit2507 wants to merge 2 commits into
base: dev
Choose a base branch
from
Open

Fix #10268: Make Finding Group filter context-aware (Test/Engagement/Product) #14271

AbhimanyuGit2507 wants to merge 2 commits into from
+382 −34

Conversation

@AbhimanyuGit2507
Copy link

@AbhimanyuGit2507 AbhimanyuGit2507 commented Feb 9, 2026

Description

Fixes #10268 — the Finding Group filter displayed groups from unrelated Tests or Engagements when viewing findings within a specific context.

This PR makes the Finding Group filter context-aware so that the dropdown only shows relevant groups:

  • Test view: only groups belonging to that test
  • Engagement view: groups from tests in that engagement
  • Product view: groups from tests in that product
  • Global findings view: all authorized finding groups (unchanged behavior)

Implementation details

  • Added a helper function to build a Finding Group queryset based on context (test → engagement → product → global).
  • Passed engagement and test context from finding views into the filter.
  • Updated both FindingFilter and FindingFilterWithoutObjectLookups to ensure consistent behavior.
  • Authorization is applied after context filtering, following the same pattern used in finding groups: filter by product if applicable #12711.
  • Added minor query optimization to load only required fields for the dropdown.
  • No model changes or migrations were introduced.

Test results

Added unit tests in dojo/unittests/test_finding_group_filter_context.py covering:

  • Filtering in Test context
  • Filtering in Engagement context
  • Filtering in Product context
  • Global context behavior
  • Hierarchy precedence (test > engagement > product)
  • Behavior of both filter classes

All tests pass locally.

Documentation

No documentation updates required. This change corrects filter behavior without altering user workflows or APIs.

Checklist

  • Make sure to rebase your PR against the very latest dev.
  • Bugfix submitted against the correct branch.
  • Give a meaningful name to your PR.
  • Your code is flake8 compliant.
  • Your code is python 3.13 compliant.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR (bugfix).

@AbhimanyuGit2507 AbhimanyuGit2507 force-pushed the master branch 2 times, most recently from 0198418 to 6fb77ab Compare February 9, 2026 18:52
@Maffooch Maffooch closed this Feb 10, 2026
@Maffooch Maffooch reopened this Feb 10, 2026
@dryrunsecurity
Copy link

dryrunsecurity bot commented Feb 10, 2026
edited
Loading

DryRun Security

🔴 Risk threshold exceeded.

This pull request modifies multiple sensitive codepaths (dojo/filters.py, dojo/finding/views.py, dojo/test/views.py), with the scanner flagging these edits as sensitive and recommending configuration of allowed authors and paths in .dryrunsecurity.yaml; the changes are marked as failing-level risk but not currently blocking.

🔴 Configured Codepaths Edit in dojo/filters.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/filters.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/finding/views.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/test/views.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

We've notified @mtesauro.

All finding details can be found in the DryRun Security Dashboard.

@valentijnscholten
Copy link
Member

valentijnscholten commented Feb 10, 2026

I asked Sonnet 4.5, can you check if there's some valid point in there?

1. Missing defensive checks in set_related_object_fields()

In FindingFilterWithoutObjectLookups.__init__() (lines 57-80), field deletions use defensive checks:

if "test__engagement__product__name" in self.form.fields:
    del self.form.fields["test__engagement__product__name"]

However, in FindingFilter.set_related_object_fields() (lines 112-120), fields are deleted without checks:

del self.form.fields["test__engagement__product"]
del self.form.fields["test__engagement__product__prod_type"]
del self.form.fields["test__engagement"]
del self.form.fields["test"]

Recommendation: Add defensive if field in self.form.fields checks for consistency and to prevent potential KeyError exceptions.

2. Potential N+1 query in engagement context

Line 122 performs a database query each time the filter is instantiated:

engagement = Engagement.objects.get(id=self.eid)

Recommendation: Consider caching this or refactoring to avoid the extra query if multiple filters are created.

valentijnscholten
valentijnscholten reviewed Feb 10, 2026
View reviewed changes
Copy link
Member

@valentijnscholten valentijnscholten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see above

@AbhimanyuGit2507
Copy link
Author

AbhimanyuGit2507 commented Feb 10, 2026

I asked Sonnet 4.5, can you check if there's some valid point in there?

1. Missing defensive checks in set_related_object_fields()

In FindingFilterWithoutObjectLookups.__init__() (lines 57-80), field deletions use defensive checks:

if "test__engagement__product__name" in self.form.fields:
    del self.form.fields["test__engagement__product__name"]

However, in FindingFilter.set_related_object_fields() (lines 112-120), fields are deleted without checks:

del self.form.fields["test__engagement__product"]
del self.form.fields["test__engagement__product__prod_type"]
del self.form.fields["test__engagement"]
del self.form.fields["test"]

Recommendation: Add defensive if field in self.form.fields checks for consistency and to prevent potential KeyError exceptions.

2. Potential N+1 query in engagement context

Line 122 performs a database query each time the filter is instantiated:

engagement = Engagement.objects.get(id=self.eid)

Recommendation: Consider caching this or refactoring to avoid the extra query if multiple filters are created.

yes both points are valid, I will update the field deletions to protect against missing fields. I’ll also switch the engagement lookup to a safer pattern to avoid unnecessary queries.

@AbhimanyuGit2507
Fix DefectDojo#10268: Add context-aware filtering to Finding Group fi…
1efdfd9 
…lter

- Implemented hierarchical context filtering (test > engagement > product > global)
- Created get_finding_group_queryset_for_context() helper function to eliminate code duplication
- Modified FindingFilter and FindingFilterWithoutObjectLookups to accept eid/tid parameters
- Updated filter to show only Finding Groups from current test/engagement/product context
- Added query optimization with .only("id", "name") for Finding Groups
- Fixed user parameter passing to get_authorized_finding_groups_for_queryset()
- Updated finding/views.py and test/views.py to pass context parameters to filters
- Created comprehensive unit tests (8 test methods) covering all context levels

This ensures users only see relevant Finding Groups in the filter dropdown based on
their current page context, preventing confusion from seeing unrelated groups.
@AbhimanyuGit2507
Switch to DojoTestCase for better test compatibility
da8f604 
Use DojoTestCase instead of plain TestCase to align with DefectDojo
testing conventions and ensure proper test setup/teardown.
@AbhimanyuGit2507
Copy link
Author

AbhimanyuGit2507 commented Feb 11, 2026

Both changes are done as requested, let me know if any other changes are required.

valentijnscholten
valentijnscholten approved these changes Feb 11, 2026
View reviewed changes
Copy link
Member

@valentijnscholten valentijnscholten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

did some manual testing also and looks good to me

@valentijnscholten valentijnscholten added this to the 2.56.0 milestone Feb 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@valentijnscholten valentijnscholten valentijnscholten approved these changes

@Maffooch Maffooch Awaiting requested review from Maffooch Maffooch is a code owner

@mtesauro mtesauro Awaiting requested review from mtesauro mtesauro is a code owner

At least 4 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

unittests

Projects

None yet

Milestone

2.56.0

Development

Successfully merging this pull request may close these issues.

3 participants

@AbhimanyuGit2507 @valentijnscholten @Maffooch