Merge pull request #13453 from valentijnscholten/top-10-metrics

rossops · web-flow · commit f243b6d54d9d · 2025-10-20T09:43:43.000-05:00
Fix incorrect (inflated) numbers in top 10 metrics
diff --git a/dojo/metrics/utils.py b/dojo/metrics/utils.py
@@ -27,7 +27,6 @@
 from dojo.finding.helper import ACCEPTED_FINDINGS_QUERY, CLOSED_FINDINGS_QUERY, OPEN_FINDINGS_QUERY
 from dojo.finding.queries import get_authorized_findings
 from dojo.models import Endpoint_Status, Finding, Product_Type
-from dojo.product.queries import get_authorized_products
 from dojo.utils import (
     get_system_setting,
     queryset_check,
@@ -107,23 +106,49 @@ def finding_queries(
     monthly_counts = query_counts_for_period(MetricsPeriod.MONTH, months_between)
     weekly_counts = query_counts_for_period(MetricsPeriod.WEEK, weeks_between)
 
-    top_ten = get_authorized_products(Permissions.Product_View)
+    # Build Top 10 from all authorized Findings (not date-limited) to avoid empty lists due to date window
+    findings_for_top_ten = all_authorized_findings
+    if len(prod_type) > 0:
+        findings_for_top_ten = findings_for_top_ten.filter(
+            test__engagement__product__prod_type__in=prod_type,
+        )
     if get_system_setting("enforce_verified_status", True) or get_system_setting("enforce_verified_status_metrics", True):
-        top_ten = top_ten.filter(engagement__test__finding__verified=True)
-
-    top_ten = top_ten.filter(engagement__test__finding__false_p=False,
-                             engagement__test__finding__duplicate=False,
-                             engagement__test__finding__out_of_scope=False,
-                             engagement__test__finding__mitigated__isnull=True,
-                             engagement__test__finding__severity__in=("Critical", "High", "Medium", "Low"),
-                             prod_type__in=prod_type)
-
-    top_ten = severity_count(
-        top_ten, "annotate", "engagement__test__finding__severity",
-    ).order_by(
+        findings_for_top_ten = findings_for_top_ten.filter(verified=True)
+
+    findings_for_top_ten = findings_for_top_ten.filter(
+        false_p=False,
+        duplicate=False,
+        out_of_scope=False,
+        mitigated__isnull=True,
+        active=True,
+        risk_accepted=False,
+        severity__in=("Critical", "High", "Medium", "Low"),
+    )
+
+    # Group by product id/name and count findings by severity
+    top_ten = findings_for_top_ten.values(
+        product_id=F("test__engagement__product__id"),
+        product_name=F("test__engagement__product__name"),
+    )
+    top_ten = severity_count(top_ten, "annotate", "severity").order_by(
         "-critical", "-high", "-medium", "-low",
     )[:10]
 
+    # Remap keys to match template expectations (id/name)
+    top_ten = [
+        {
+            "id": row.get("product_id"),
+            "name": row.get("product_name"),
+            "critical": row.get("critical"),
+            "high": row.get("high"),
+            "medium": row.get("medium"),
+            "low": row.get("low"),
+            "info": row.get("info"),
+            "total": row.get("total"),
+        }
+        for row in top_ten
+    ]
+
     return {
         "all": filtered_findings,
         "closed": closed_filtered_findings,
@@ -217,19 +242,39 @@ def endpoint_queries(
     monthly_counts = query_counts_for_period(MetricsPeriod.MONTH, months_between)
     weekly_counts = query_counts_for_period(MetricsPeriod.WEEK, weeks_between)
 
-    top_ten = get_authorized_products(Permissions.Product_View)
-    top_ten = top_ten.filter(engagement__test__finding__status_finding__mitigated=False,
-                             engagement__test__finding__status_finding__false_positive=False,
-                             engagement__test__finding__status_finding__out_of_scope=False,
-                             engagement__test__finding__status_finding__risk_accepted=False,
-                             engagement__test__finding__severity__in=("Critical", "High", "Medium", "Low"),
-                             prod_type__in=prod_type)
-
-    top_ten = severity_count(
-        top_ten, "annotate", "engagement__test__finding__severity",
-    ).order_by(
+    # Build Top 10 from Findings related to the open Endpoint_Status queryset
+    findings_for_top_ten = findings_queryset(endpoints_qs).filter(
+        false_p=False,
+        duplicate=False,
+        out_of_scope=False,
+        risk_accepted=False,
+        severity__in=("Critical", "High", "Medium", "Low"),
+    )
+    if len(prod_type) > 0:
+        findings_for_top_ten = findings_for_top_ten.filter(
+            test__engagement__product__prod_type__in=prod_type,
+        )
+
+    top_ten = findings_for_top_ten.values(
+        product_id=F("test__engagement__product__id"),
+        product_name=F("test__engagement__product__name"),
+    )
+    top_ten = severity_count(top_ten, "annotate", "severity").order_by(
         "-critical", "-high", "-medium", "-low",
     )[:10]
+    top_ten = [
+        {
+            "id": row.get("product_id"),
+            "name": row.get("product_name"),
+            "critical": row.get("critical"),
+            "high": row.get("high"),
+            "medium": row.get("medium"),
+            "low": row.get("low"),
+            "info": row.get("info"),
+            "total": row.get("total"),
+        }
+        for row in top_ten
+    ]
 
     return {
         "all": endpoints,
diff --git a/dojo/metrics/views.py b/dojo/metrics/views.py
@@ -33,7 +33,7 @@
     identify_view,
     severity_count,
 )
-from dojo.models import Dojo_User, Finding, Product, Product_Type, Risk_Acceptance
+from dojo.models import Dojo_User, Finding, Product_Type, Risk_Acceptance
 from dojo.product.queries import get_authorized_products
 from dojo.product_type.queries import get_authorized_product_types
 from dojo.utils import (
@@ -355,15 +355,20 @@ def product_type_counts(request):
                     "reporter").order_by(
                     "numerical_severity")
 
-                top_ten = Product.objects.filter(engagement__test__finding__date__lte=end_date,
-                                                engagement__test__finding__verified=True,
-                                                engagement__test__finding__false_p=False,
-                                                engagement__test__finding__duplicate=False,
-                                                engagement__test__finding__out_of_scope=False,
-                                                engagement__test__finding__mitigated__isnull=True,
-                                                engagement__test__finding__severity__in=(
-                                                    "Critical", "High", "Medium", "Low"),
-                                                prod_type=pt)
+                # Build Top 10 from Findings for this product type
+                top_ten = Finding.objects.filter(
+                    date__lte=end_date,
+                    verified=True,
+                    false_p=False,
+                    duplicate=False,
+                    out_of_scope=False,
+                    mitigated__isnull=True,
+                    severity__in=("Critical", "High", "Medium", "Low"),
+                    test__engagement__product__prod_type=pt,
+                ).values(
+                    name=F("test__engagement__product__name"),
+                )
+                top_ten = severity_count(top_ten, "annotate", "severity").order_by("-critical", "-high", "-medium", "-low")[:10]
             else:
                 overall_in_pt = Finding.objects.filter(date__lt=end_date,
                                                     false_p=False,
@@ -400,16 +405,20 @@ def product_type_counts(request):
                     "reporter").order_by(
                     "numerical_severity")
 
-                top_ten = Product.objects.filter(engagement__test__finding__date__lte=end_date,
-                                                engagement__test__finding__false_p=False,
-                                                engagement__test__finding__duplicate=False,
-                                                engagement__test__finding__out_of_scope=False,
-                                                engagement__test__finding__mitigated__isnull=True,
-                                                engagement__test__finding__severity__in=(
-                                                    "Critical", "High", "Medium", "Low"),
-                                                prod_type=pt)
-
-            top_ten = severity_count(top_ten, "annotate", "engagement__test__finding__severity").order_by("-critical", "-high", "-medium", "-low")[:10]
+                top_ten = Finding.objects.filter(
+                    date__lte=end_date,
+                    false_p=False,
+                    duplicate=False,
+                    out_of_scope=False,
+                    mitigated__isnull=True,
+                    severity__in=("Critical", "High", "Medium", "Low"),
+                    test__engagement__product__prod_type=pt,
+                ).values(
+                    name=F("test__engagement__product__name"),
+                )
+                top_ten = severity_count(top_ten, "annotate", "severity").order_by("-critical", "-high", "-medium", "-low")[:10]
+
+            # top_ten already annotated above using Findings-based grouping
 
             cip = {"S0": 0,
                    "S1": 0,
@@ -557,15 +566,21 @@ def product_tag_counts(request):
                     "reporter").order_by(
                     "numerical_severity")
 
-                top_ten = Product.objects.filter(engagement__test__finding__date__lte=end_date,
-                                                engagement__test__finding__verified=True,
-                                                engagement__test__finding__false_p=False,
-                                                engagement__test__finding__duplicate=False,
-                                                engagement__test__finding__out_of_scope=False,
-                                                engagement__test__finding__mitigated__isnull=True,
-                                                engagement__test__finding__severity__in=(
-                                                    "Critical", "High", "Medium", "Low"),
-                                                tags__name=pt, engagement__product__in=prods)
+                # Build Top 10 from Findings for this product tag
+                top_ten = Finding.objects.filter(
+                    date__lte=end_date,
+                    verified=True,
+                    false_p=False,
+                    duplicate=False,
+                    out_of_scope=False,
+                    mitigated__isnull=True,
+                    severity__in=("Critical", "High", "Medium", "Low"),
+                    test__engagement__product__tags__name=pt,
+                    test__engagement__product__in=prods,
+                ).values(
+                    name=F("test__engagement__product__name"),
+                )
+                top_ten = severity_count(top_ten, "annotate", "severity").order_by("-critical", "-high", "-medium", "-low")[:10]
             else:
                 overall_in_pt = Finding.objects.filter(date__lt=end_date,
                                                     false_p=False,
@@ -605,16 +620,21 @@ def product_tag_counts(request):
                     "reporter").order_by(
                     "numerical_severity")
 
-                top_ten = Product.objects.filter(engagement__test__finding__date__lte=end_date,
-                                                engagement__test__finding__false_p=False,
-                                                engagement__test__finding__duplicate=False,
-                                                engagement__test__finding__out_of_scope=False,
-                                                engagement__test__finding__mitigated__isnull=True,
-                                                engagement__test__finding__severity__in=(
-                                                    "Critical", "High", "Medium", "Low"),
-                                                tags__name=pt, engagement__product__in=prods)
-
-            top_ten = severity_count(top_ten, "annotate", "engagement__test__finding__severity").order_by("-critical", "-high", "-medium", "-low")[:10]
+                top_ten = Finding.objects.filter(
+                    date__lte=end_date,
+                    false_p=False,
+                    duplicate=False,
+                    out_of_scope=False,
+                    mitigated__isnull=True,
+                    severity__in=("Critical", "High", "Medium", "Low"),
+                    test__engagement__product__tags__name=pt,
+                    test__engagement__product__in=prods,
+                ).values(
+                    name=F("test__engagement__product__name"),
+                )
+                top_ten = severity_count(top_ten, "annotate", "severity").order_by("-critical", "-high", "-medium", "-low")[:10]
+
+            # top_ten already annotated above using Findings-based grouping
 
             cip = {"S0": 0,
                    "S1": 0,
diff --git a/unittests/test_metrics_queries.py b/unittests/test_metrics_queries.py
@@ -80,7 +80,7 @@ def test_finding_queries(self, mock_timezone):
         mock_timezone.return_value = mock_datetime
 
         # Queries over Finding
-        with self.assertNumQueries(28):
+        with self.assertNumQueries(29):
             product_types = []
             finding_queries = utils.finding_queries(
                 product_types,
@@ -113,10 +113,12 @@ def test_finding_queries(self, mock_timezone):
                 finding_queries["accepted_count"],
                 {"total": 3, "critical": 0, "high": 3, "medium": 0, "low": 0, "info": 0},
             )
-            self.assertSequenceEqual(
-                finding_queries["top_ten"].values(),
-                [],
-            )
+            self.assertIsInstance(finding_queries["top_ten"], list)
+            for row in finding_queries["top_ten"]:
+                self.assertSetEqual(
+                    set(row.keys()),
+                    {"id", "name", "critical", "high", "medium", "low", "info", "total"},
+                )
             self.assertEqual(
                 finding_queries["monthly_counts"],
                 {
@@ -192,7 +194,7 @@ def test_endpoint_queries(self, mock_now):
         mock_now.return_value = fake_now
 
         # Queries over Finding and Endpoint_Status
-        with self.assertNumQueries(44):
+        with self.assertNumQueries(45):
             product_types = Product_Type.objects.all()
             endpoint_queries = utils.endpoint_queries(
                 product_types,
@@ -245,10 +247,12 @@ def test_endpoint_queries(self, mock_now):
                 list(endpoint_queries["accepted_count"].values()),
                 [1, 0, 0, 0, 0, 1],
             )
-            self.assertSequenceEqual(
-                endpoint_queries["top_ten"].values(),
-                [],
-            )
+            self.assertIsInstance(endpoint_queries["top_ten"], list)
+            for row in endpoint_queries["top_ten"]:
+                self.assertSetEqual(
+                    set(row.keys()),
+                    {"id", "name", "critical", "high", "medium", "low", "info", "total"},
+                )
             self.assertEqual(
                 list(endpoint_queries["monthly_counts"].values()),
                 [
