
Finding Group Filter Fix on finding page #10332

Closed
wants to merge 0 commits into from

Conversation

raouf-haddada
Contributor

@raouf-haddada raouf-haddada commented Jun 4, 2024

Solve Finding page slowness when dealing with a large amount of findings

Summary
Resolve the UI slowness in DefectDojo caused by the "Finding Group" filter being prefilled with a large amount of findings.

Description
Users have experienced significant performance issues in the DefectDojo UI because the "Finding Group" filter is prefilled with a large number of findings. This slowness impacts the usability of the application, causing delays and reducing user productivity.

Impacted Page: /finding

Screenshots

Query details:
generated 43677399 bytes in 46454 msecs

```
[pid: 1|app: -|req: -/-] 100.64.2.17 (-) {34 vars in 416 bytes} [Tue Jun 4 13:28:44 2024] GET /uwsgi_health => generated 15728 bytes in 227 msecs (HTTP/1.1 200) 10 headers in 481 bytes (1 switches on core 2)
[pid: 1|app: -|req: -/-] 100.64.2.23 ([email protected]) {66 vars in 1207 bytes} [Tue Jun 4 13:28:06 2024] GET /finding => generated 43677399 bytes in 46454 msecs (HTTP/1.1 200) 9 headers in 517 bytes (235 switches on core 1)
```
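As an added check that is not part of the PR, the following parses the uwsgi request-log format quoted above and flags responses that exceed a size or latency threshold, so a 43 MB page like this one shows up in monitoring. The thresholds, the record splitting and the sample records (including the placeholder user) are constructed here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One uwsgi request-log record, in the format quoted in the PR.
UWSGI_RE = re.compile(
    r"\[pid: (?P<pid>\d+)\|app: [^|]*\|req: [^\]]*\] (?P<ip>\S+) \((?P<user>[^)]*)\) "
    r"\{(?P<nvars>\d+) vars in (?P<vbytes>\d+) bytes\} \[(?P<ts>[^\]]+)\] "
    r"(?P<method>[A-Z]+) (?P<path>\S+) => generated (?P<bytes>\d+) bytes in "
    r"(?P<msecs>\d+) msecs \(HTTP/[\d.]+ (?P<status>\d{3})\)"
)

@dataclass
class UwsgiRequest:
    ip: str
    user: str
    method: str
    path: str
    bytes: int
    msecs: int
    status: int

def split_records(text: str) -> List[str]:
    """Split a blob into records even when several were joined on one line, as on the PR page."""
    return [r.strip() for r in re.split(r"(?=\[pid: )", text) if r.strip()]

def parse_uwsgi_line(line: str) -> Optional[UwsgiRequest]:
    m = UWSGI_RE.search(line)
    if m is None:
        return None
    return UwsgiRequest(m["ip"], m["user"], m["method"], m["path"],
                        int(m["bytes"]), int(m["msecs"]), int(m["status"]))

def flag_slow_or_huge(text: str, max_bytes: int = 5_000_000, max_msecs: int = 10_000) -> List[UwsgiRequest]:
    """Return requests whose response size or time exceeds the (assumed) thresholds."""
    flagged = []
    for rec in split_records(text):
        req = parse_uwsgi_line(rec)
        if req is not None and (req.bytes > max_bytes or req.msecs > max_msecs):
            flagged.append(req)
    return flagged

# Constructed sample shaped like the two records in the PR; the user field is a placeholder.
SAMPLE = (
    "[pid: 1|app: -|req: -/-] 100.64.2.17 (-) {34 vars in 416 bytes} [Tue Jun 4 13:28:44 2024] "
    "GET /uwsgi_health => generated 15728 bytes in 227 msecs (HTTP/1.1 200) 10 headers in 481 bytes (1 switches on core 2) "
    "[pid: 1|app: -|req: -/-] 100.64.2.23 (user@example.invalid) {66 vars in 1207 bytes} [Tue Jun 4 13:28:06 2024] "
    "GET /finding => generated 43677399 bytes in 46454 msecs (HTTP/1.1 200) 9 headers in 517 bytes (235 switches on core 1)"
)
```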

Cause
A huge generated drop-down list:

```html
...
  <option value="13144">Findings in: github.com/containerd/containerd:v1.5.9</option>
  <option value="13145">Findings in: github.com/docker/distribution:v2.7.1+incompatible</option>
  <option value="13146">Findings in: github.com/docker/docker:v20.10.7+incompatible</option>
  <option value="13147">Findings in: github.com/hashicorp/consul:v1.10.4</option>
  <option value="13148">Findings in: golang.org/x/crypto:v0.0.0-20220427172511-eb4f295cb31f</option>
  <option value="13149">Findings in: golang.org/x/net:v0.0.0-20220624214902-1bab6f366d9e</option>
  <option value="13150">Findings in: golang.org/x/text:v0.3.7</option>
  <option value="13151">Findings in: google.golang.org/grpc:v1.38.0</option>
  <option value="13152">Findings in: curl:7.88.1-r1</option>
  ...
```

Checklist

This checklist is for your information.

  • Make sure to rebase your PR against the very latest dev.
  • Features/Changes should be submitted against the dev.
  • Bugfixes should be submitted against the bugfix branch.
  • Give a meaningful name to your PR, as it may end up being used in the release notes.
  • Your code is flake8 compliant.
  • Your code is python 3.11 compliant.
  • If this is a new feature and not a bug fix, you've included the proper documentation in the docs at https://github.com/DefectDojo/django-DefectDojo/tree/dev/docs as part of this PR.
  • Model changes must include the necessary migrations in the dojo/db_migrations folder.
  • Add applicable tests to the unit tests.
  • Add the proper label to categorize your PR.

After fix screenshot
*** Changing the Finding Group filter from dropdown list to input ***

Moderators: Labels currently accepted for PRs:

  • bugfix


dryrunsecurity bot commented Jun 4, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

| Analyzer | Findings |
|---|---|
| Configured Codepaths Analyzer | 2 findings |
| Sensitive Files Analyzer | 0 findings |
| AppSec Analyzer | 0 findings |
| Authn/Authz Analyzer | 2 findings |
| Secrets Analyzer | 0 findings |

Note

🔴 Risk threshold exceeded. Adding a reviewer if one is configured in .dryrunsecurity.yaml.

notification list: @mtesauro @grendel513

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request appear to be a set of Django filters used for filtering data in the Defect Dojo application. The filters cover various models, such as Findings, Endpoints, Products, Engagements, and Tests, and provide a comprehensive set of filtering capabilities to allow users to effectively search and analyze the data based on different criteria. The filters include both basic and more complex filtering options, and also include some custom methods and properties to ensure that the filtering is done in a secure and authorized manner. From an application security perspective, the filters help to prevent unauthorized access to sensitive information and ensure that the application's security controls are properly enforced.

Files Changed:

  • dojo/filters.py: This file defines several filter classes that inherit from the DojoFilter class, which is a custom filter class that extends the django-filter library. The filters cover various models in the Defect Dojo application and provide a wide range of filtering capabilities, including text-based filters, date range filters, filters based on related models, and filters for tags and risk acceptance. The code also includes some helper classes and custom methods to ensure that the filtering is done in a secure and authorized manner.

Powered by DryRun Security

@Maffooch
Contributor

Maffooch commented Jun 4, 2024

@raouf-haddada thank you for your contribution! I am very happy to see things like this :)

There has been an ongoing effort to transition to string based filtering rather than model based for the same reason you have outlined above. To make this a smooth transition, I ask that you please use the filter_string_matching toggle to allow users to determine how their filters will behave. Here are some examples of how to define your filter classes, as well as using the toggle to determine which class to load:
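An added illustration, not DefectDojo's code and not the examples Maffooch refers to, of the difference the PR description ("Cause") and this comment are about: a model-based finding-group filter that renders every group as an `<option>`, beside a string-matching filter, with a `filter_string_matching` toggle deciding which class is loaded. The class names, the `render`/`apply` methods and the sample groups are assumptions; DefectDojo's real filters are django-filter classes in dojo/filters.py.

```python
from dataclasses import dataclass
from html import escape

@dataclass(frozen=True)
class FindingGroup:
    id: int
    name: str

@dataclass(frozen=True)
class Finding:
    id: int
    group: FindingGroup

class FindingGroupModelFilter:
    """Model-based filter (assumed shape): every group becomes an <option>,
    so the rendered form grows linearly with the number of groups."""
    def __init__(self, groups):
        self.groups = list(groups)

    def render(self):
        opts = "".join(f'<option value="{g.id}">Findings in: {escape(g.name)}</option>'
                       for g in self.groups)
        return f'<select name="finding_group">{opts}</select>'

    def apply(self, findings, value):
        # Exact match on the selected primary key, as a model-choice filter does.
        return [f for f in findings if not value or f.group.id == int(value)]

class FindingGroupStringFilter:
    """String-based filter (assumed shape): one text input matched
    case-insensitively against the group name; render cost is constant."""
    def render(self):
        return '<input type="text" name="finding_group__name__icontains">'

    def apply(self, findings, value):
        needle = (value or "").lower()
        return [f for f in findings if not needle or needle in f.group.name.lower()]

def get_finding_group_filter(filter_string_matching, groups):
    # The toggle named in the review comment decides which class is loaded.
    if filter_string_matching:
        return FindingGroupStringFilter()
    return FindingGroupModelFilter(groups)

# Constructed sample in the same "Findings in: name:version" form as the PR's option list.
GROUPS = [FindingGroup(13144, "github.com/containerd/containerd:v1.5.9"),
          FindingGroup(13152, "curl:7.88.1-r1")]
FINDINGS = [Finding(1, GROUPS[0]), Finding(2, GROUPS[1]), Finding(3, GROUPS[0])]
```

Rendering the model-based form for ten thousand groups yields hundreds of kilobytes of `<option>` markup, while the string-based form stays a single input regardless of group count.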

Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.


DryRun Security Summary

The provided text indicates that there are no code changes or files changed to review, and the application security engineer is unable to provide a detailed summary without any specific changes to analyze.


Summary:

There are no code changes provided in the input, so I do not have any specific code changes to review or summarize. As an application security engineer, I would typically review any code changes in a pull request to ensure they do not introduce any security vulnerabilities or unintended consequences. However, without any changes to review, I cannot provide a detailed summary. I'm ready to assist you further once you provide the code changes you would like me to review.

Files Changed:

There are no files changed in the input provided.

Code Analysis

We ran 9 analyzers against 0 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.
