Skip to content

🐛 Remove unselected parsers from filters and test types #13767

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: dev
Choose a base branch
from
Open

🐛 Remove unselected parsers from filters and test types #13767

wants to merge 7 commits into from
+51 −16

Conversation

@manuel-sommer
Copy link
Contributor

@manuel-sommer manuel-sommer commented Nov 24, 2025
edited
Loading

@valentijnscholten valentijnscholten added this to the 2.53.0 milestone Nov 26, 2025
@valentijnscholten
Copy link
Member

valentijnscholten commented Nov 26, 2025

Do you have screenshots of other places where the list is shown?

Import form:

image

API spec:

image

valentijnscholten
valentijnscholten reviewed Nov 26, 2025
View reviewed changes
Copy link
Member

@valentijnscholten valentijnscholten left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we have conflicting/overlapping settings here. If you go to https://demo.defectdojo.org/test_type you can already mark test types (scanners) as active or inactive. I haven't looked at the code yet, but do we need two different ways to activate/deactivate scanners? The solution via an env variable is less flexible as it requires sysadmin involvement and restarts to change. wdyt @Maffooch

@manuel-sommer
Copy link
Contributor Author

manuel-sommer commented Nov 26, 2025

I wonder if we have conflicting/overlapping settings here. If you go to https://demo.defectdojo.org/test_type you can already mark test types (scanners) as active or inactive. I haven't looked at the code yet, but do we need two different ways to activate/deactivate scanners? The solution via an env variable is less flexible as it requires sysadmin involvement and restarts to change. wdyt @Maffooch

You are right @valentijnscholten, looks like a duplicate. Then, the better option would be to remove the env way.

@valentijnscholten
Copy link
Member

valentijnscholten commented Nov 26, 2025

Maybe the intention was to have some sort of "company wide exclusion" via the env variable and then allow security teams to enable/disable on top of that? I don't know.

@manuel-sommer
Copy link
Contributor Author

manuel-sommer commented Nov 26, 2025

Maybe the intention was to have some sort of "company wide exclusion" via the env variable and then allow security teams to enable/disable on top of that? I don't know.

If we keep both, we should add documentation.

@Maffooch
Copy link
Contributor

Maffooch commented Nov 26, 2025

I think the active flag on individual test types is sufficient. There are also some helpers to exclude inactive scanners for import/reimport forms:

django-DefectDojo/dojo/tools/factory.py

Lines 50 to 68 in a85bbba

def get_inactive_test_types():
try:
return list(Test_Type.objects.filter(active=False).values_list("name", flat=True))
except Exception:
# This exception is reached in the event of loading fixtures in to an empty database
# prior to migrations runnings
return []
def get_scan_types_sorted():
inactive_test_types = get_inactive_test_types()
res = [(key, PARSERS[key].get_description_for_scan_types(key)) for key in PARSERS if key not in inactive_test_types]
return sorted(res, key=lambda x: x[0].lower())
def get_choices_sorted():
inactive_test_types = get_inactive_test_types()
res = [(key, PARSERS[key].get_label_for_scan_types(key)) for key in PARSERS if key not in inactive_test_types]
return sorted(res, key=lambda x: x[1].lower())

@valentijnscholten valentijnscholten marked this pull request as draft November 27, 2025 17:29
@manuel-sommer
Copy link
Contributor Author

manuel-sommer commented Nov 28, 2025

FYI: I will remove the functionality (PARSER_EXCLUDE in settings) within a PR against dev as this is a breaking change.
In this PR I will move forward to fix the inactive part to remove them from the filters etc.

@valentijnscholten
Copy link
Member

valentijnscholten commented Nov 28, 2025

Might be better to do all of it in one PR in dev. If we split it up people might get confused if the parser exclude setting is still there. Wdyt?

@Maffooch
Copy link
Contributor

Maffooch commented Nov 28, 2025

Might be better to do all of it in one PR in dev. If we split it up people might get confused if the parser exclude setting is still there. Wdyt?

I agree with this thinking

@manuel-sommer manuel-sommer reopened this Dec 1, 2025
@manuel-sommer manuel-sommer force-pushed the rm_testtypesfrompages branch 3 times, most recently from 7a4aa23 to 1e5283c Compare December 1, 2025 07:15
@github-actions
Copy link
Contributor

github-actions bot commented Dec 1, 2025

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions github-actions bot added New Migration Adding a new migration file. Take care when merging. settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs ui parser helm labels Dec 1, 2025
@github-actions github-actions bot removed New Migration Adding a new migration file. Take care when merging. settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs ui parser helm labels Dec 1, 2025
@github-actions github-actions bot removed the unittests label Dec 1, 2025
@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR parser labels Dec 1, 2025
@github-actions github-actions bot added the docs label Dec 1, 2025
@manuel-sommer manuel-sommer marked this pull request as ready for review December 1, 2025 07:49
@manuel-sommer
Copy link
Contributor Author

manuel-sommer commented Dec 1, 2025
edited
Loading

Please review @valentijnscholten
I rebased the PR onto dev, removed DD_PARSER_EXCLUDE, adjusted the filter to exclude the inactive test types and exclude them also within the import.

@dryrunsecurity
Copy link

dryrunsecurity bot commented Dec 1, 2025
edited
Loading

DryRun Security

🔴 Risk threshold exceeded.

This pull request makes sensitive edits to multiple files (dojo/filters.py, dojo/finding/views.py, and dojo/utils.py) and includes an information disclosure issue where get_visible_scan_types() in dojo/finding/views.py returns all active Test_Type objects without authorization checks, potentially exposing internal scan/type information to unauthorized users.

🔴 Configured Codepaths Edit in dojo/filters.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/finding/views.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/utils.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
🔴 Configured Codepaths Edit in dojo/utils.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
Information Disclosure in dojo/finding/views.py
Vulnerability Information Disclosure
Description The get_visible_scan_types() function, called within the get_initial_context method of a view, retrieves all active Test_Type objects without any authorization checks. This means that any authenticated user accessing this view could potentially see a list of all active scan types configured in the system. If these Test_Type objects contain sensitive information, such as names of internal-only tools, custom scanners, or proprietary processes, this constitutes an information disclosure. This provides reconnaissance information to a low-privileged user, which could aid in further attacks.

django-DefectDojo/dojo/finding/views.py

Lines 303 to 309 in c9f34c2

"enable_table_filtering": get_system_setting("enable_ui_table_based_searching"),
"title_words": get_words_for_field(Finding, "title"),
"component_words": get_words_for_field(Finding, "component_name"),
"visible_test_types": get_visible_scan_types(),
}
# Look to see if the product was used
if product_id := self.get_product_id():

We've notified @mtesauro.

All finding details can be found in the DryRun Security Dashboard.

@valentijnscholten valentijnscholten modified the milestones: 2.53.0, 2.54.0 Dec 1, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Dec 1, 2025

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions
Copy link
Contributor

github-actions bot commented Dec 1, 2025

Conflicts have been resolved. A maintainer will review the pull request shortly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Maffooch Maffooch Awaiting requested review from Maffooch Maffooch is a code owner

@mtesauro mtesauro Awaiting requested review from mtesauro mtesauro is a code owner

@valentijnscholten valentijnscholten Awaiting requested review from valentijnscholten

At least 4 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

docs parser settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR unittests

Projects

None yet

Milestone

2.54.0

Development

Successfully merging this pull request may close these issues.

3 participants

@manuel-sommer @valentijnscholten @Maffooch