
Fix engagements filters in 'engagements by product view' #10046

Merged
merged 6 commits into from
Apr 30, 2024

Conversation

davidhernandeze (Contributor)

It's the same as #9913 but with the correct branching.

sc-[5299]

Description

The engagement filters inside the "Engagements By Product" view are not working properly. Searching by the exact name in the "Engagement name" filter returns incorrect results.

The Problem

Building relationship filters as we currently do in EngagementFilter generates a query that gets filtered products with all the related engagements, where at least one engagement satisfies the filter criteria. The engagements_all view iterates over the engagements of each product to render the table rows. As a result, we showed all product engagements that satisfied the filter criteria. For example, if two engagements fulfill the filter criteria from two different products, the rendered table will show all engagements that belong to those two products.

Solution

When prefetching the engagement_set, an additional filter will filter the engagements at the query level, so only filtered engagements related to filtered products will be obtained.

from django.db.models import Count, Prefetch

# The same request filters are applied to the prefetched engagements, not only to the products.
engagement_query = Engagement.objects.annotate(test_count=Count('test__id'))
filter_qs = products_with_engagements.prefetch_related(
    Prefetch('engagement_set', queryset=ProductEngagementsFilter(request.GET, engagement_query).qs)
)

Also, the paginator object had to be modified to represent the correct number of rows currently shown on the page.

# The count reflects the filtered engagements actually rendered, not the number of products.
prods.paginator.count = sum(len(prod.engagement_set.all()) for prod in prods)
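The mismatch described above, reproduced with sqlite3 as an added example (this is not code from the PR or from DefectDojo; the tables and rows are constructed, and the EXISTS query stands in for the Django relationship filter on products):

```python
"""Reproduce the 'Engagements By Product' filter bug with sqlite3 (constructed schema)."""
import sqlite3

# Constructed sample data: two products that share an engagement name.
PRODUCTS = [(1, "Web App"), (2, "Mobile App")]
ENGAGEMENTS = [(10, 1, "Q1 Pentest"), (11, 1, "Q2 Pentest"), (12, 2, "Q1 Pentest")]


def open_db():
    """In-memory database standing in for the Product/Engagement models."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT);"
        "CREATE TABLE engagement (id INTEGER PRIMARY KEY,"
        " product_id INTEGER REFERENCES product(id), name TEXT);"
    )
    conn.executemany("INSERT INTO product VALUES (?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO engagement VALUES (?, ?, ?)", ENGAGEMENTS)
    return conn

def matching_products(conn, name):
    """The relationship filter: products having at least one engagement with
    this exact name (what a Django filter(engagement__name=name) expresses)."""
    rows = conn.execute(
        "SELECT p.id FROM product p WHERE EXISTS (SELECT 1 FROM engagement e"
        " WHERE e.product_id = p.id AND e.name = ?) ORDER BY p.id", (name,))
    return [r[0] for r in rows]

def _engagements(conn, product_ids, extra_sql="", params=()):
    """The prefetch step: engagements of the given products, optionally filtered."""
    if not product_ids:  # 'IN ()' is not valid SQL, so short-circuit
        return []
    marks = ",".join("?" * len(product_ids))
    sql = f"SELECT name FROM engagement WHERE product_id IN ({marks}){extra_sql} ORDER BY id"
    return [r[0] for r in conn.execute(sql, (*product_ids, *params))]

def rows_before_fix(conn, name):
    """Old behaviour: the prefetch is unfiltered, so every engagement of a
    matching product is rendered, including ones that never matched the filter."""
    return _engagements(conn, matching_products(conn, name))

def rows_after_fix(conn, name):
    """Fixed behaviour: the prefetch queryset carries the same name filter, and
    the paginator count is the number of filtered rows actually shown."""
    rows = _engagements(conn, matching_products(conn, name), " AND name = ?", (name,))
    return rows, len(rows)
```

With the filter "Q2 Pentest", the old path also renders "Q1 Pentest" because it belongs to the same product; the fixed path returns only the matching row and a count of 1.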


dryrunsecurity bot commented Apr 26, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Configured Codepaths Analyzer 10 findings
Sensitive Files Analyzer 0 findings
AppSec Analyzer 0 findings
Authn/Authz Analyzer 2 findings
Secrets Analyzer 0 findings

Note

🔴 Risk threshold exceeded. Adding a reviewer if one is configured in .dryrunsecurity.yaml.

notification list: @mtesauro @grendel513

Powered by DryRun Security

davidhernandeze (Contributor, Author)

[sc-5299]


@mtesauro mtesauro left a comment


Approved


This pull request has conflicts, please resolve those before we can evaluate the pull request.

# Conflicts:
#	dojo/engagement/views.py
#	dojo/filters.py

Conflicts have been resolved. A maintainer will review the pull request shortly.


@Maffooch Maffooch left a comment


Please add support for filters without object lookups as well. Here is an example of doing so https://github.com/DefectDojo/django-DefectDojo/blob/f66e6dbb07bcddfb607ab81e76cca073080a6c2b/dojo/filters.py#L1065C1-L1093C75


This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.

@Maffooch Maffooch merged commit 0a993da into DefectDojo:dev Apr 30, 2024
122 of 123 checks passed
dogboat pushed a commit to dogboat/django-DefectDojo that referenced this pull request May 6, 2024
…10046)

* fix engagements filters in 'engagements by product view'

* fix linter

* add filtering without object lookups

* fix imports order