Merge branch 'dev' into feature/even_quicker_verify

Author: fopina

components/package.json

@@ -33,7 +33,7 @@
     "metismenu": "~3.0.7",
     "moment": "^2.30.1",
     "morris.js": "morrisjs/morris.js",
-    "pdfmake": "^0.3.3",
+    "pdfmake": "^0.3.4",
     "startbootstrap-sb-admin-2": "1.0.7"
   },
   "engines": {

components/yarn.lock

@@ -385,10 +385,10 @@ pdfkit@^0.17.2:
     linebreak "^1.1.0"
     png-js "^1.0.0"
 
-pdfmake@^0.3.3:
-  version "0.3.3"
-  resolved "https://registry.yarnpkg.com/pdfmake/-/pdfmake-0.3.3.tgz#2705e8fabff4bf52a4a7b7ae9d93caee1b200cb7"
-  integrity sha512-jSnF8rVLkbLLX37bnXWRFhEDO48quE7OIg7lgWBa6ihAbpCxASaBLWFOXNxSDeLBNt92304SBwpYcPkJnIArlA==
+pdfmake@^0.3.4:
+  version "0.3.4"
+  resolved "https://registry.yarnpkg.com/pdfmake/-/pdfmake-0.3.4.tgz#3448ca1434396275dce8f49202e761fefad781eb"
+  integrity sha512-zbGBox6pgNeGdG7tlLVBbQJlYIlTHtXo5q8+dNhCb2O0Q2+Nc5bcpsgNzbzqfzlcJ0gX9f+ZBv1z4FuJjUHwVA==
   dependencies:
     linebreak "^1.1.0"
     pdfkit "^0.17.2"

docs/content/supported_tools/parsers/file/generic.md

@@ -31,6 +31,7 @@ Generic Findings Import can be used to import any report in CSV or JSON format.
 - known_exploited: Indicator if the finding is listed in Known Exploited List. Must be TRUE, or FALSE
 - ransomware_used: Indicator if the finding is used in Ransomware. Must be TRUE, or FALSE
 - fix_available: Indicator if fix available for the finding. Must be TRUE, or FALSE
+- fix_version: Version where fix is available. String value.
 - kev_date: Date the finding was added to Known Exploited Vulnerabilities list in mm/dd/yyyy format or ISO format.
 
 The CSV expects a header row with the names of the attributes.
@@ -94,6 +95,7 @@ The list of supported fields in JSON format:
 - known_exploited: Bool
 - ransomware_used: Bool
 - fix_available: Bool
+- fix_version: String
 
 ### Example JSON
 
@@ -114,6 +116,7 @@ The list of supported fields in JSON format:
             "known_exploited": true,
             "ransomware_used": true,
             "fix_available": true,
+            "fix_version": "0.0.00",
             "kev_date": "2024-05-01",
             "file_path": "src/first.cpp",
             "line": 13,

dojo/filters.py

@@ -2020,6 +2020,33 @@ def filter_mitigated_on(self, queryset, name, value):
         return queryset.filter(mitigated=value)
 
 
+def get_finding_group_queryset_for_context(pid=None, eid=None, tid=None):
+    """
+    Helper function to build finding group queryset based on context hierarchy.
+    Context priority: test > engagement > product > global
+
+    Args:
+        pid: Product ID (least specific)
+        eid: Engagement ID
+        tid: Test ID (most specific)
+
+    Returns:
+        QuerySet of Finding_Group filtered by context
+
+    """
+    if tid is not None:
+        # Most specific: filter by test
+        return Finding_Group.objects.filter(test_id=tid).only("id", "name")
+    if eid is not None:
+        # Filter by engagement's tests
+        return Finding_Group.objects.filter(test__engagement_id=eid).only("id", "name")
+    if pid is not None:
+        # Filter by product's tests
+        return Finding_Group.objects.filter(test__engagement__product_id=pid).only("id", "name")
+    # Global: return all (authorization will be applied separately)
+    return Finding_Group.objects.all().only("id", "name")
+
+
 class FindingFilterWithoutObjectLookups(FindingFilterHelper, FindingTagStringFilter):
     test__engagement__product__prod_type = NumberFilter(widget=HiddenInput())
     test__engagement__product = NumberFilter(widget=HiddenInput())
@@ -2111,20 +2138,45 @@ class Meta:
     def __init__(self, *args, **kwargs):
         self.user = None
         self.pid = None
+        self.eid = None
+        self.tid = None
         if "user" in kwargs:
             self.user = kwargs.pop("user")
 
         if "pid" in kwargs:
             self.pid = kwargs.pop("pid")
+        if "eid" in kwargs:
+            self.eid = kwargs.pop("eid")
+        if "tid" in kwargs:
+            self.tid = kwargs.pop("tid")
         super().__init__(*args, **kwargs)
         # Set some date fields
         self.set_date_fields(*args, **kwargs)
-        # Don't show the product filter on the product finding view
-        if self.pid:
-            del self.form.fields["test__engagement__product__name"]
-            del self.form.fields["test__engagement__product__name_contains"]
-            del self.form.fields["test__engagement__product__prod_type__name"]
-            del self.form.fields["test__engagement__product__prod_type__name_contains"]
+        # Don't show the product/engagement/test filter fields when in specific context
+        if self.tid or self.eid or self.pid:
+            if "test__engagement__product__name" in self.form.fields:
+                del self.form.fields["test__engagement__product__name"]
+            if "test__engagement__product__name_contains" in self.form.fields:
+                del self.form.fields["test__engagement__product__name_contains"]
+            if "test__engagement__product__prod_type__name" in self.form.fields:
+                del self.form.fields["test__engagement__product__prod_type__name"]
+            if "test__engagement__product__prod_type__name_contains" in self.form.fields:
+                del self.form.fields["test__engagement__product__prod_type__name_contains"]
+        # Also hide engagement and test fields if in test or engagement  context
+        if self.tid:
+            if "test__engagement__name" in self.form.fields:
+                del self.form.fields["test__engagement__name"]
+            if "test__engagement__name_contains" in self.form.fields:
+                del self.form.fields["test__engagement__name_contains"]
+            if "test__name" in self.form.fields:
+                del self.form.fields["test__name"]
+            if "test__name_contains" in self.form.fields:
+                del self.form.fields["test__name_contains"]
+        elif self.eid:
+            if "test__engagement__name" in self.form.fields:
+                del self.form.fields["test__engagement__name"]
+            if "test__engagement__name_contains" in self.form.fields:
+                del self.form.fields["test__engagement__name_contains"]
 
 
 class FindingFilter(FindingFilterHelper, FindingTagFilter):
@@ -2163,38 +2215,79 @@ class Meta:
     def __init__(self, *args, **kwargs):
         self.user = None
         self.pid = None
+        self.eid = None
+        self.tid = None
         if "user" in kwargs:
             self.user = kwargs.pop("user")
 
         if "pid" in kwargs:
             self.pid = kwargs.pop("pid")
+        if "eid" in kwargs:
+            self.eid = kwargs.pop("eid")
+        if "tid" in kwargs:
+            self.tid = kwargs.pop("tid")
         super().__init__(*args, **kwargs)
         # Set some date fields
         self.set_date_fields(*args, **kwargs)
         # Don't show the product filter on the product finding view
         self.set_related_object_fields(*args, **kwargs)
 
     def set_related_object_fields(self, *args: list, **kwargs: dict):
-        finding_group_query = Finding_Group.objects.all()
-        if self.pid is not None:
-            del self.form.fields["test__engagement__product"]
-            del self.form.fields["test__engagement__product__prod_type"]
+        # Use helper to get contextual finding group queryset
+        finding_group_query = get_finding_group_queryset_for_context(
+            pid=self.pid,
+            eid=self.eid,
+            tid=self.tid,
+        )
+
+        # Filter by most specific context: test > engagement > product
+        if self.tid is not None:
+            # Test context: filter finding groups by test
+            if "test__engagement__product" in self.form.fields:
+                del self.form.fields["test__engagement__product"]
+            if "test__engagement__product__prod_type" in self.form.fields:
+                del self.form.fields["test__engagement__product__prod_type"]
+            if "test__engagement" in self.form.fields:
+                del self.form.fields["test__engagement"]
+            if "test" in self.form.fields:
+                del self.form.fields["test"]
+        elif self.eid is not None:
+            # Engagement context: filter finding groups by engagement
+            if "test__engagement__product" in self.form.fields:
+                del self.form.fields["test__engagement__product"]
+            if "test__engagement__product__prod_type" in self.form.fields:
+                del self.form.fields["test__engagement__product__prod_type"]
+            if "test__engagement" in self.form.fields:
+                del self.form.fields["test__engagement"]
+            # Filter tests by engagement - get_authorized_tests doesn't support engagement param
+            engagement = Engagement.objects.filter(id=self.eid).select_related("product").first()
+            if engagement:
+                self.form.fields["test"].queryset = get_authorized_tests(Permissions.Test_View, product=engagement.product).filter(engagement_id=self.eid).prefetch_related("test_type")
+        elif self.pid is not None:
+            # Product context: filter finding groups by product
+            if "test__engagement__product" in self.form.fields:
+                del self.form.fields["test__engagement__product"]
+            if "test__engagement__product__prod_type" in self.form.fields:
+                del self.form.fields["test__engagement__product__prod_type"]
             # TODO: add authorized check to be sure
-            self.form.fields["test__engagement"].queryset = Engagement.objects.filter(
-                product_id=self.pid,
-            ).all()
-            self.form.fields["test"].queryset = get_authorized_tests(Permissions.Test_View, product=self.pid).prefetch_related("test_type")
-            finding_group_query = Finding_Group.objects.filter(test__engagement__product_id=self.pid)
+            if "test__engagement" in self.form.fields:
+                self.form.fields["test__engagement"].queryset = Engagement.objects.filter(
+                    product_id=self.pid,
+                ).all()
+            if "test" in self.form.fields:
+                self.form.fields["test"].queryset = get_authorized_tests(Permissions.Test_View, product=self.pid).prefetch_related("test_type")
         else:
+            # Global context: show all authorized finding groups
             self.form.fields[
                 "test__engagement__product__prod_type"].queryset = get_authorized_product_types(Permissions.Product_Type_View)
             self.form.fields["test__engagement"].queryset = get_authorized_engagements(Permissions.Engagement_View)
-            del self.form.fields["test"]
+            if "test" in self.form.fields:
+                del self.form.fields["test"]
 
         if self.form.fields.get("test__engagement__product"):
             self.form.fields["test__engagement__product"].queryset = get_authorized_products(Permissions.Product_View)
         if self.form.fields.get("finding_group", None):
-            self.form.fields["finding_group"].queryset = get_authorized_finding_groups_for_queryset(Permissions.Finding_Group_View, finding_group_query)
+            self.form.fields["finding_group"].queryset = get_authorized_finding_groups_for_queryset(Permissions.Finding_Group_View, finding_group_query, user=self.user)
         self.form.fields["reporter"].queryset = get_authorized_users(Permissions.Finding_View)
         self.form.fields["reviewers"].queryset = self.form.fields["reporter"].queryset
 

dojo/finding/views.py

@@ -267,6 +267,8 @@ def filter_findings_by_form(self, request: HttpRequest, findings: QuerySet[Findi
         kwargs = {
             "user": request.user,
             "pid": self.get_product_id(),
+            "eid": self.get_engagement_id(),
+            "tid": self.get_test_id(),
         }
 
         filter_string_matching = get_system_setting("filter_string_matching", False)
@@ -360,10 +362,11 @@ def add_breadcrumbs(self, request: HttpRequest, context: dict):
 
         return request, context
 
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
-        # Store the product and engagement ids
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
+        # Store the product, engagement, and test ids
         self.product_id = product_id
         self.engagement_id = engagement_id
+        self.test_id = test_id
         # Get the initial context
         request, context = self.get_initial_context(request)
         # Get the filtered findings
@@ -386,46 +389,46 @@ def get(self, request: HttpRequest, product_id: int | None = None, engagement_id
 
 
 class ListOpenFindings(ListFindings):
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
         self.filter_name = "Open"
-        return super().get(request, product_id=product_id, engagement_id=engagement_id)
+        return super().get(request, product_id=product_id, engagement_id=engagement_id, test_id=test_id)
 
 
 class ListVerifiedFindings(ListFindings):
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
         self.filter_name = "Verified"
-        return super().get(request, product_id=product_id, engagement_id=engagement_id)
+        return super().get(request, product_id=product_id, engagement_id=engagement_id, test_id=test_id)
 
 
 class ListOutOfScopeFindings(ListFindings):
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
         self.filter_name = "Out of Scope"
-        return super().get(request, product_id=product_id, engagement_id=engagement_id)
+        return super().get(request, product_id=product_id, engagement_id=engagement_id, test_id=test_id)
 
 
 class ListFalsePositiveFindings(ListFindings):
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
         self.filter_name = "False Positive"
-        return super().get(request, product_id=product_id, engagement_id=engagement_id)
+        return super().get(request, product_id=product_id, engagement_id=engagement_id, test_id=test_id)
 
 
 class ListInactiveFindings(ListFindings):
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
         self.filter_name = "Inactive"
-        return super().get(request, product_id=product_id, engagement_id=engagement_id)
+        return super().get(request, product_id=product_id, engagement_id=engagement_id, test_id=test_id)
 
 
 class ListAcceptedFindings(ListFindings):
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
         self.filter_name = "Accepted"
-        return super().get(request, product_id=product_id, engagement_id=engagement_id)
+        return super().get(request, product_id=product_id, engagement_id=engagement_id, test_id=test_id)
 
 
 class ListClosedFindings(ListFindings):
-    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None):
+    def get(self, request: HttpRequest, product_id: int | None = None, engagement_id: int | None = None, test_id: int | None = None):
         self.filter_name = "Closed"
         self.order_by = "-mitigated"
-        return super().get(request, product_id=product_id, engagement_id=engagement_id)
+        return super().get(request, product_id=product_id, engagement_id=engagement_id, test_id=test_id)
 
 
 class ViewFinding(View):

dojo/templates/dojo/view_finding.html

@@ -1317,6 +1317,23 @@ <h4>Credential
                         $("img#to_replace").attr('src', $(thumbnails[index + 1]).data('imageurl'));
                         $("#caption_to_replace").html($(thumbnails[index + 1]).data('caption'));
                     }
+                    $('div#bulk_edit_menu').addClass('hidden');
+                }
+            });
+
+             $('input#select_all_mitigated').on('click', function (e) {
+                var checkbox_values = $("input[type=checkbox][name^='select_mitigated']");
+                if ($(this).is(":checked")) {
+                    for (var i = 0; i < checkbox_values.length; i++) {
+                        $(checkbox_values[i]).prop('checked', true)
+                    }
+                    $('div#bulk_edit_menu').removeClass('hidden');
+                }
+                else {
+                    for (var i = 0; i < checkbox_values.length; i++) {
+                        $(checkbox_values[i]).prop('checked', false)
+                    }
+                    $('div#bulk_edit_menu').addClass('hidden');
                 }
             });
         });

dojo/test/views.py

@@ -122,7 +122,7 @@ def get_findings(self, request: HttpRequest, test: Test):
         findings = Finding.objects.filter(test=test).order_by("numerical_severity")
         filter_string_matching = get_system_setting("filter_string_matching", False)
         finding_filter_class = FindingFilterWithoutObjectLookups if filter_string_matching else FindingFilter
-        findings = finding_filter_class(request.GET, pid=test.engagement.product.id, queryset=findings)
+        findings = finding_filter_class(request.GET, pid=test.engagement.product.id, eid=test.engagement.id, tid=test.id, queryset=findings)
         paged_findings = get_page_items_and_count(request, prefetch_for_findings(findings.qs), 25, prefix="findings")
         fix_available_count = findings.qs.filter(fix_available=True).count()
 

dojo/tools/generic/csv_parser.py

@@ -103,6 +103,9 @@ def _get_findings_csv(self, filename):
             if "fix_available" in row:
                 finding.fix_available = bool(row["fix_available"])
 
+            if "fix_version" in row:
+                finding.fix_version = row["fix_version"]
+
             # manage endpoints
             if row.get("Url"):
                 if settings.V3_FEATURE_LOCATIONS:

dojo/tools/generic/json_parser.py

@@ -110,6 +110,7 @@ def _get_test_json(self, data):
                 "known_exploited",
                 "ransomware_used",
                 "fix_available",
+                "fix_version",
             }.union(required)
             not_allowed = sorted(set(item).difference(allowed))
             if not_allowed:

unittests/scans/generic/generic_report_fix_version.csv

@@ -0,0 +1,3 @@
+Date,Title,CweId,Url,Severity,Description,Mitigation,Impact,References,Active,Verified,fix_available,fix_version
+01/15/2025,Test finding with fix_version,502,,High,Vulnerability with fix version available,Upgrade to 2.1.3,,,TRUE,FALSE,TRUE,2.1.3
+01/15/2025,Test finding without fix_version,611,,Medium,Vulnerability without fix version,,,,TRUE,FALSE,FALSE,