squashed commits

manuel-sommer · manuel-sommer · commit 19a73f2f90e4 · 2025-12-01T08:19:23.000+01:00
diff --git a/dojo/filters.py b/dojo/filters.py
@@ -93,7 +93,7 @@
 from dojo.risk_acceptance.queries import get_authorized_risk_acceptances
 from dojo.test.queries import get_authorized_tests
 from dojo.user.queries import get_authorized_users
-from dojo.utils import get_system_setting, is_finding_groups_enabled, truncate_timezone_aware
+from dojo.utils import get_system_setting, get_visible_scan_types, is_finding_groups_enabled, truncate_timezone_aware
 
 logger = logging.getLogger(__name__)
 
@@ -2030,6 +2030,9 @@ def __init__(self, *args, **kwargs):
         # Don't show the product filter on the product finding view
         self.set_related_object_fields(*args, **kwargs)
 
+        if "test__test_type" in self.form.fields:
+            self.form.fields["test__test_type"].queryset = get_visible_scan_types()
+
     def set_related_object_fields(self, *args: list, **kwargs: dict):
         finding_group_query = Finding_Group.objects.all()
         if self.pid is not None:
diff --git a/dojo/finding/views.py b/dojo/finding/views.py
@@ -118,6 +118,7 @@
     get_page_items_and_count,
     get_return_url,
     get_system_setting,
+    get_visible_scan_types,
     get_words_for_field,
     match_finding_to_existing_findings,
     process_tag_notifications,
@@ -302,6 +303,7 @@ def get_initial_context(self, request: HttpRequest):
             "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"),
             "title_words": get_words_for_field(Finding, "title"),
             "component_words": get_words_for_field(Finding, "component_name"),
+            "visible_test_types": get_visible_scan_types(),
         }
         # Look to see if the product was used
         if product_id := self.get_product_id():
diff --git a/dojo/test_type/views.py b/dojo/test_type/views.py
@@ -11,7 +11,7 @@
 from dojo.filters import TestTypeFilter
 from dojo.forms import Test_TypeForm
 from dojo.models import Test_Type
-from dojo.utils import add_breadcrumb, get_page_items
+from dojo.utils import add_breadcrumb, get_page_items, get_visible_scan_types
 
 logger = logging.getLogger(__name__)
 
@@ -24,7 +24,7 @@
 
 @login_required
 def test_type(request):
-    initial_queryset = Test_Type.objects.all().order_by("name")
+    initial_queryset = get_visible_scan_types().order_by("name")
     name_words = initial_queryset.values_list("name", flat=True)
     test_types = TestTypeFilter(request.GET, queryset=initial_queryset)
     tts = get_page_items(request, test_types.qs, 25)
@@ -35,7 +35,8 @@ def test_type(request):
         "user": request.user,
         "tts": tts,
         "test_types": test_types,
-        "name_words": name_words})
+        "name_words": name_words,
+    })
 
 
 @user_is_configuration_authorized("dojo.add_test_type")
diff --git a/dojo/utils.py b/dojo/utils.py
@@ -68,6 +68,7 @@
     Product,
     System_Settings,
     Test,
+    Test_Type,
     User,
 )
 from dojo.notifications.helper import create_notification
@@ -83,6 +84,25 @@
 """
 
 
+def get_visible_scan_types():
+    """
+    Returns a QuerySet of active, non-excluded Test_Type objects.
+    Supports comma or pipe-separated names in PARSER_EXCLUDE.
+    """
+    exclude_raw = (getattr(settings, "PARSER_EXCLUDE", "") or "").strip()
+    if exclude_raw:
+        # Support both ',' and '|' separators
+        parts = [p.strip() for sep in (",", "|") for p in exclude_raw.split(sep)]
+        excluded_names = {p for p in parts if p}
+    else:
+        excluded_names = set()
+
+    qs = Test_Type.objects.filter(active=True)
+    if excluded_names:
+        qs = qs.exclude(name__in=excluded_names)
+    return qs
+
+
 def do_false_positive_history(finding, *args, **kwargs):
     """
     Replicate false positives across product.
diff --git a/unittests/test_testtype_filter.py b/unittests/test_testtype_filter.py
@@ -0,0 +1,43 @@
+
+from django.test import TestCase, override_settings
+
+from dojo.filters import FindingFilter
+from dojo.models import Test_Type
+from dojo.utils import get_visible_scan_types
+
+
+class TestFindingFilterExcludesTestTypes(TestCase):
+    def setUp(self):
+        self.active_type = Test_Type.objects.create(name="Nessus Scan", active=True)
+        self.excluded_type = Test_Type.objects.create(name="Inactive Scan", active=True)
+        self.inactive_type = Test_Type.objects.create(name="Burp Scan", active=False)
+
+    @override_settings(PARSER_EXCLUDE="Inactive Scan")
+    def test_excludes_inactive_and_single_excluded(self):
+        filter_instance = FindingFilter(data={})
+        self.assertIn("test__test_type", filter_instance.form.fields)
+        queryset = filter_instance.form.fields["test__test_type"].queryset
+        actual_names = set(queryset.values_list("name", flat=True))
+        self.assertIn(self.active_type.name, actual_names)
+        self.assertNotIn(self.excluded_type.name, actual_names)
+        self.assertNotIn(self.inactive_type.name, actual_names)
+
+    @override_settings(PARSER_EXCLUDE="Inactive Scan|Acunetix Scan")
+    def test_multiple_exclusions(self):
+        filter_instance = FindingFilter(data={})
+        queryset = filter_instance.form.fields["test__test_type"].queryset
+        actual_names = set(queryset.values_list("name", flat=True))
+        self.assertNotIn(self.excluded_type.name, actual_names)
+
+    @override_settings(PARSER_EXCLUDE="")
+    def test_no_exclusions_only_active(self):
+        filter_instance = FindingFilter(data={})
+        queryset = filter_instance.form.fields["test__test_type"].queryset
+        self.assertIn(self.active_type, queryset)
+        self.assertNotIn(self.inactive_type, queryset)
+
+    def test_helper_function(self):
+        visible = get_visible_scan_types()
+        names = set(visible.values_list("name", flat=True))
+        self.assertIn(self.active_type.name, names)
+        self.assertNotIn(self.inactive_type.name, names)
