
Improved naming of discovered findings filter and add same for mitigated #10429

Merged


@quirinziessler (Contributor) commented Jun 19, 2024

This PR updates the naming of filters related to #10401 to be a bit more precise.
Also it adds the same filter options for the "mitigated" field.


Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status | Findings
Configured Codepaths Analyzer | 1 finding
Server-Side Request Forgery Analyzer | 0 findings
SQL Injection Analyzer | 0 findings
IDOR Analyzer | 0 findings
Secrets Analyzer | 0 findings
Authn/Authz Analyzer | 0 findings
Sensitive Files Analyzer | 0 findings

Note

🔴 Risk threshold exceeded. Adding a reviewer if one is configured in .dryrunsecurity.yaml.

notification list: @mtesauro @grendel513

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request appear to be focused on enhancing the filtering and search functionality of the Defect Dojo application. The changes introduce a comprehensive set of filters that cover various models, including Findings, Engagements, Products, Endpoints, and more. The filters are designed to respect the user's permissions and only show the data that the user is authorized to access. The code also includes specialized filters for specific use cases, such as finding findings that are outside of their SLA or accepted findings. Additionally, the code includes API-specific filters and filters for the Engagement Survey feature. Overall, these changes provide a powerful and flexible filtering system that will greatly improve the user experience and data management capabilities of the Defect Dojo application.

Files Changed:

  • dojo/filters.py: This file contains the code for the filtering functionality in the Defect Dojo application. The changes introduce a wide range of filters that can be used to search and filter data across various models, including Findings, Engagements, Products, Endpoints, and more. The filters respect the user's permissions and include specialized filters for specific use cases, such as finding findings outside of their SLA or accepted findings. The code also includes API-specific filters and filters for the Engagement Survey feature, further enhancing the application's data management capabilities.

Powered by DryRun Security


This pull request has conflicts, please resolve those before we can evaluate the pull request.


dryrunsecurity bot commented Jul 18, 2024

DryRun Security Summary

The pull request focuses on improving the filtering capabilities of the Defect Dojo application, particularly in the areas of security-related entities, with the introduction of new filters, enhanced tag-based filtering, performance optimizations, permissions-based filtering, and the addition of filters for metrics, reporting, and questionnaires/surveys.


Summary:

The code changes in this pull request are focused on improving the filtering capabilities of the Defect Dojo application, particularly in the areas of security-related entities such as Findings, Engagements, Products, and Endpoints. The key changes include the introduction of new filters, enhanced tag-based filtering, performance optimizations, permissions-based filtering, and the addition of filters for metrics, reporting, and questionnaires/surveys.

From an application security perspective, these changes are a positive step as they provide users with more granular control over the data they can access and analyze. The tag-based filtering, in particular, can be a powerful tool for categorizing and managing security findings. Additionally, the permissions-based filtering ensures that users can only access the data they are authorized to view, which is an important security consideration. Overall, these changes seem to be focused on improving the usability and functionality of the Defect Dojo application, with a strong emphasis on security-related features and capabilities.

Files Changed:

  • dojo/filters.py: This file contains the application security filters for the Defect Dojo application. The changes introduce several new filters for various entities, such as Findings, Engagements, Products, and Endpoints. The key changes include improved filtering capabilities, tag-based filtering, performance optimizations, permissions-based filtering, and the addition of filters for metrics, reporting, and questionnaires/surveys.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer | Findings
Configured Codepaths Analyzer | 10 findings

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.


Conflicts have been resolved. A maintainer will review the pull request shortly.

@manuel-sommer (Contributor) commented

Hi @mtesauro, could you take a look here? It would be nice if we can merge this for the next release :-)

@Maffooch (Contributor) left a review


@quirinziessler thank you for your patience here! I left a few comments for moving forward and getting these changes merged 😄

Review threads on dojo/filters.py: 3 (all resolved, 2 outdated)

This pull request has conflicts, please resolve those before we can evaluate the pull request.


Conflicts have been resolved. A maintainer will review the pull request shortly.

@quirinziessler (Contributor, Author) commented

@Maffooch added your suggestions to the MR. Sorry for the late reaction. Should be good to go from now.

Review thread on dojo/filters.py: 1 (resolved, outdated)
@mtesauro (Contributor) left a review


Approved

@Maffooch Maffooch merged commit ebab19b into DefectDojo:dev Aug 29, 2024
72 of 73 checks passed
@manuel-sommer manuel-sommer deleted the fix-10401-enhanced-findings-filter-naming branch August 30, 2024 05:57
6 participants