findings list: support ordering by more fields (#13300)

valentijnscholten · web-flow · commit 77d6bdd0928e · 2025-10-03T21:53:18.000-05:00
* findings list: support ordering by more fields

* remove duplicate sorting, fix sla sorting

* fix bulk edit tag field
diff --git a/dojo/filters.py b/dojo/filters.py
@@ -1624,7 +1624,9 @@ class ApiFindingFilter(DojoFilter):
             ("is_mitigated", "is_mitigated"),
             ("numerical_severity", "numerical_severity"),
             ("out_of_scope", "out_of_scope"),
+            ("planned_remediation_date", "planned_remediation_date"),
             ("severity", "severity"),
+            ("sla_expiration_date", "sla_expiration_date"),
             ("reviewers", "reviewers"),
             ("static_finding", "static_finding"),
             ("test__engagement__product__name", "test__engagement__product__name"),
@@ -1782,10 +1784,12 @@ class FindingFilterHelper(FilterSet):
             ("risk_acceptance__created__date",
              "risk_acceptance__created__date"),
             ("last_reviewed", "last_reviewed"),
+            ("planned_remediation_date", "planned_remediation_date"),
             ("title", "title"),
             ("test__engagement__product__name",
              "test__engagement__product__name"),
             ("service", "service"),
+            ("sla_age_days", "sla_age_days"),
             ("epss_score", "epss_score"),
             ("epss_percentile", "epss_percentile"),
             ("known_exploited", "known_exploited"),
@@ -1805,6 +1809,8 @@ class FindingFilterHelper(FilterSet):
             "known_exploited": "Known Exploited",
             "ransomware_used": "Ransomware Used",
             "kev_date": "Date added to KEV",
+            "sla_age_days": "SLA age (days)",
+            "planned_remediation_date": "Planned Remediation",
         },
     )
 
diff --git a/dojo/finding/views.py b/dojo/finding/views.py
@@ -14,8 +14,8 @@
 from django.core import serializers
 from django.core.exceptions import PermissionDenied, ValidationError
 from django.db import models
-from django.db.models import QuerySet
-from django.db.models.functions import Length
+from django.db.models import F, QuerySet
+from django.db.models.functions import Coalesce, ExtractDay, Length, TruncDate
 from django.db.models.query import Prefetch
 from django.http import Http404, HttpRequest, HttpResponse, HttpResponseRedirect, JsonResponse, StreamingHttpResponse
 from django.shortcuts import get_object_or_404, render
@@ -274,7 +274,13 @@ def filter_findings_by_form(self, request: HttpRequest, findings: QuerySet[Findi
         )
 
     def get_filtered_findings(self):
-        findings = get_authorized_findings(Permissions.Finding_View).order_by(self.get_order_by())
+        findings = get_authorized_findings(Permissions.Finding_View)
+        # Annotate computed SLA age in days: sla_expiration_date - (sla_start_date or date)
+        findings = findings.annotate(
+            sla_age_days=ExtractDay(
+                F("sla_expiration_date") - Coalesce(F("sla_start_date"), TruncDate("created")),
+            ),
+        ).order_by(self.get_order_by())
         findings = self.filter_findings_by_object(findings)
         return self.filter_findings_by_filter_name(findings)
 
diff --git a/dojo/templates/dojo/findings_list_snippet.html b/dojo/templates/dojo/findings_list_snippet.html
@@ -57,6 +57,8 @@ <h3 class="has-filters">
                 <div class="clearfix">{% include "dojo/paging_snippet.html" with page=findings page_size=True %}</div>
                 {% if not product_tab or product_tab and product_tab.product|has_object_permission:"Finding_Edit" %}
                     <div class="dropdown hidden" style="padding-bottom: 5px;" id="bulk_edit_menu">
+                        {{ bulk_edit_form.media.css }}
+                        {{ bulk_edit_form.media.js }}
                         {% if not product_tab or product_tab and product_tab.product|has_object_permission:"Finding_Edit" %}
                             <button class="btn btn-info btn-sm btn-primary dropdown-toggle"
                                     type="button"
@@ -242,18 +244,8 @@ <h3 class="has-filters">
                                             <br />
                                         {% endif %}
                                         <label style="display: block">{% trans "Notes" %}</label>
-                                        {% comment %}
-                                            Quick hack to make bulk edit work without refactoring the whole bulk edit form
-                                            {{ bulk_edit_form.media.css }}
-                                            {{ bulk_edit_form.media.js }}
-                                        {% endcomment %}
                                         {{ bulk_edit_form.notes }}
                                         <label style="display: block">{% trans "Tags" %}</label>
-                                        {% comment %}
-                                            Quick hack to make bulk edit work without refactoring the whole bulk edit form
-                                            {{ bulk_edit_form.media.css }}
-                                            {{ bulk_edit_form.media.js }}
-                                        {% endcomment %}
                                         {{ bulk_edit_form.tags }}
                                         {% if bulk_edit_form.disclaimer %}
                                             <div style="background-color:#DADCE2; border:1px #003333; padding:.3em; margin:.1em; ">
@@ -318,14 +310,14 @@ <h3 class="has-filters">
                                     {% endif %}
                                     <th></th>
                                     <th class="nowrap centered severity-sort" scope="col">
-                                        {% trans "Severity" %}
+                                        {% dojo_sort request 'Severity' 'numerical_severity' %}
                                     </th>
                                     <th class="nowrap" scope="col">
                                         {% comment %} The display field is translated in the function. No need to translate here as well{% endcomment %}
                                         {% dojo_sort request 'Name' 'title' %}
                                     </th>
                                     <th scope="col">
-                                        {% trans "CWE" %}
+                                        {% dojo_sort request 'CWE' 'cwe' %}
                                     </th>
                                     <th scope="col">
                                         {% trans "Vulnerability Id" %}
@@ -355,11 +347,11 @@ <h3 class="has-filters">
                                         {% endif %}
                                     </th>
                                     <th class="nowrap" scope="col">
-                                        {% trans "Age" %}
+                                        {% dojo_sort request 'Age' 'date' %}
                                     </th>
                                     {% if system_settings.enable_finding_sla %}
                                         <th scope="col">
-                                            {% trans "SLA" %}
+                                            {% dojo_sort request 'SLA' 'sla_age_days' %}
                                         </th>
                                     {% endif %}
                                     <th scope="col">
@@ -396,10 +388,10 @@ <h3 class="has-filters">
                                         </th>
                                     {% endif %}
                                     <th scope="col">
-                                        {% trans "Service" %}
+                                        {% dojo_sort request 'Service' 'service' %}
                                     </th>
-                                    <th scope="col"> 
-                                        {% trans "Planned Remediation" %}
+                                    <th scope="col">
+                                        {% dojo_sort request 'Planned Remediation' 'planned_remediation_date' %}
                                     </th>
                                     {% if filter_name != 'Closed' %}
                                         <th scope="col">
@@ -800,7 +792,7 @@ <h3 class="has-filters">
                         return data;
                     }},
                     { "data": "finding_age" },
-                {% if system_settings.enable_finding_sla %}                
+                {% if system_settings.enable_finding_sla %}
                     { "data": "finding_sla", "type": "num", render: function (data, type, row, meta) {
                         if(type === 'sort') {
                             var api = new $.fn.dataTable.Api(meta.settings);
@@ -867,6 +859,25 @@ <h3 class="has-filters">
             var fileDated = 'Findings_List_' + date;
             var columns = datatables_columns;
 
+            // Determine columns that should be server-sorted via dojo_sort (disable client sorting for these)
+            var serverSortDataKeys = new Set([
+                'severity',
+                'finding',
+                'cwe',
+                'found_date',
+                'finding_age',
+                'finding_sla',
+                'product',
+                'service',
+                'planned_remediation_date'
+            ]);
+            var serverSortTargets = [];
+            for (var i = 0; i < columns.length; i++) {
+                if (serverSortDataKeys.has(columns[i]["data"])) {
+                    serverSortTargets.push(i);
+                }
+            }
+
             // Filter the list of items to display based on what is shown.
             var disallowed_entries = new Set(["checkbox", "action"]);
             var data_column_list = [];
@@ -899,8 +910,13 @@ <h3 class="has-filters">
                     },
                     colReorder: true,
                     "columns": columns,
+                    ordering: true,
                     order: [],
                     columnDefs: [
+                        {
+                            orderable: false,
+                            targets: serverSortTargets
+                        },
                         {
                             "orderable": false,
                             "targets": [0, 1]
