django-DefectDojo icon indicating copy to clipboard operation
django-DefectDojo copied to clipboard
verified publisher icon DefectDojo

Upgrade to 2.46 disables combined filters (substring, regex, duplicate params)

Open Hamudah opened this issue 6 months ago • 2 comments

Slack us first!
The invite link (https://owasp.org/slack/invite) currently shows “Oops! Looks like something went wrong or you are already signed up.”
I am not signed up and have retried several times—same result—so I’m opening the issue here instead.

Bug description

After upgrading to DefectDojo v2.46 we can no longer filter findings by multiple conditions on Engagement—either via the UI or deep links.

  • Previous behaviour (≤ v2.45)

    • A dropdown let us select one or more Engagements.
    • Deep links such as /finding/all?engagement=123 (and multiple IDs) returned the expected results.

  • Current behaviour (v2.46)

    • The Engagement dropdown has been removed and the old links no longer work.
    • The “Engagement name Contains” text field accepts exactly one plain substring:
      • develop → works (returns the correct findings).
      • Regex such as release|develop|25\.\d\d\d\.\dreturns 0 results even though matching Engagements exist.
    • Passing the same filter parameter twice in a URL no longer works—only the last value is honoured: 
      …/finding/all?test__engagement__name_contains=develop&
               test__engagement__name_contains=25.527.0

We need a true AND filter: findings whose Engagement name contains both develop and 25.527.0. This was possible before but appears impossible now.

Steps to reproduce

  1. Create (or verify) an Engagement named develop_25.527.0 and add at least one finding.
  2. Call
    …/finding/all?test__engagement__name_contains=develop
    1 result (works).
  3. Call
    …/finding/all?test__engagement__name_contains=release|develop|25\.\d\d\d\.\d
    0 results (should match).
  4. Call
    …/finding/all?test__engagement__name_contains=develop&test__engagement__name_contains=25.527.0
    0 results (AND filter expected, none returned).

Expected behavior

  • The UI or URL should allow combining several substrings with logical AND.
  • Regex patterns in Engagement name Contains should work as they did in earlier releases.
  • Deep links with repeated test__engagement__name_contains parameters should behave like Django-Filter normally does (AND).

If this is intended behaviour and not a bug, guidance on the recommended way to build multi-substring AND filters (or to apply several filters at once) would be greatly appreciated.
Note: even separating values with a comma (,) only applies the last value.

Thanks!
Hadumah

Hamudah avatar Jun 12 '25 13:06 Hamudah

From which to what version did you update?

valentijnscholten avatar Jun 12 '25 16:06 valentijnscholten

We were on Version 2.45 before that.

Hamudah avatar Jun 13 '25 11:06 Hamudah

Could you give more information on which pages you are seeing this? Is the All Findings page under a Product? I can see the engagement dropdown there and select multiple engagements: http://localhost:8080/product/1/finding/all?test__engagement=2&test__engagement=1&o=date

Regarding the RegEx I'm sure this has ever been supported, there's no reference to query filtering on regex in the 2.45.0 codebase (or any other version I've checked.

Could it be that there were code customizations made that have been lost as part of the upgrade?

valentijnscholten avatar Jun 20 '25 16:06 valentijnscholten

This issue has been automatically closed because it was manually labeled as stale. If you believe this was closed in error, please reopen it and remove the stale label.

github-actions[bot] avatar Jul 22 '25 02:07 github-actions[bot]

Hi @valentijnscholten ,

sorry for the late response.

  • Since v2.46 every Findings view—both /product//finding/all and the global /finding/all—shows only the “Engagement name contains” text field. The old multi-select Engagement dropdown has disappeared entirely.

  • With the text field we can filter by one engagement only. Any attempt to enter more than one engagement fails:

    -> commas, spaces, pipes, etc. → only the first value is used;

repeating test__engagement__name_contains in the URL behaves the same. Without the dropdown we’ve lost the ability to AND-filter across multiple engagements.

The Team, that informed me about this, has found a workaround for their use case, but the option is gone.

Thanks, Hadumah

Hamudah avatar Jul 23 '25 13:07 Hamudah

This still possible in the latest version: https://demo.defectdojo.org/finding?test__engagement=1&test__engagement=3&test__engagement=7

It sounds like you have enabled the string based filtering in system settings:

Image

When I enable that, the filters change slightly as described.

Could you try to disable this flag and see if the behaviour matches your previous experience?

valentijnscholten avatar Jul 23 '25 14:07 valentijnscholten

Yes that worked. I deactivated this flag and now it works as mentioned before. Thank you for the support and also sorry for the trouble! I was not aware of that.

Hamudah avatar Jul 23 '25 14:07 Hamudah