🐛 Remove unselected parsers from filters and test types (#13767)

* squashed commits

* remove unittest

* update

* update

* add unittest

* update

Author: manuel-sommer

docs/content/en/open_source/upgrading/2.54.md

@@ -1,7 +1,11 @@
 ---
 title: 'Upgrading to DefectDojo Version 2.54.x'
 toc_hide: true
-weight: -20251201
-description: No special instructions.
+weight: -20250804
+description: Dropped support for DD_PARSER_EXCLUDE
 ---
-There are no special instructions for upgrading to 2.54.x. Check the [Release Notes](https://github.com/DefectDojo/django-DefectDojo/releases/tag/2.54.0) for the contents of the release.
+
+To simplify the management of the DefectDojo application, parser exclusions are no longer controlled via the environment variable DD_PARSER_EXCLUDE or application settings. This variable is now unsupported.
+From now on, you should use the active flag in the Test_Type model to enable or disable parsers. Only parsers associated with active Test_Type entries will be available for use.
+
+There are other instructions for upgrading to 2.54.x. Check the Release Notes for the contents of the release.

dojo/filters.py

@@ -93,7 +93,7 @@
 from dojo.risk_acceptance.queries import get_authorized_risk_acceptances
 from dojo.test.queries import get_authorized_tests
 from dojo.user.queries import get_authorized_users
-from dojo.utils import get_system_setting, is_finding_groups_enabled, truncate_timezone_aware
+from dojo.utils import get_system_setting, get_visible_scan_types, is_finding_groups_enabled, truncate_timezone_aware
 
 logger = logging.getLogger(__name__)
 
@@ -2030,6 +2030,9 @@ def __init__(self, *args, **kwargs):
         # Don't show the product filter on the product finding view
         self.set_related_object_fields(*args, **kwargs)
 
+        if "test__test_type" in self.form.fields:
+            self.form.fields["test__test_type"].queryset = get_visible_scan_types()
+
     def set_related_object_fields(self, *args: list, **kwargs: dict):
         finding_group_query = Finding_Group.objects.all()
         if self.pid is not None:

dojo/finding/views.py

@@ -118,6 +118,7 @@
     get_page_items_and_count,
     get_return_url,
     get_system_setting,
+    get_visible_scan_types,
     get_words_for_field,
     match_finding_to_existing_findings,
     process_tag_notifications,
@@ -302,6 +303,7 @@ def get_initial_context(self, request: HttpRequest):
             "enable_table_filtering": get_system_setting("enable_ui_table_based_searching"),
             "title_words": get_words_for_field(Finding, "title"),
             "component_words": get_words_for_field(Finding, "component_name"),
+            "visible_test_types": get_visible_scan_types(),
         }
         # Look to see if the product was used
         if product_id := self.get_product_id():

dojo/settings/settings.dist.py

@@ -275,7 +275,6 @@
     # regular expression to exclude one or more parsers
     # could be usefull to limit parser allowed
     # AWS Scout2 Scan Parser is deprecated (see https://github.com/DefectDojo/django-DefectDojo/pull/5268)
-    DD_PARSER_EXCLUDE=(str, ""),
     # when enabled in sytem settings,  every minute a job run to delete excess duplicates
     # we limit the amount of duplicates that can be deleted in a single run of that job
     # to prevent overlapping runs of that job from occurrring
@@ -1853,9 +1852,6 @@ def saml2_attrib_map_format(din):
 # If using this, lines for Qualys WAS deduplication functions must be un-commented
 QUALYS_WAS_UNIQUE_ID = False
 
-# exclusion list for parsers
-PARSER_EXCLUDE = env("DD_PARSER_EXCLUDE")
-
 SERIALIZATION_MODULES = {
     "xml": "tagulous.serializers.xml_serializer",
     "json": "tagulous.serializers.json",

dojo/tools/factory.py

@@ -6,8 +6,6 @@
 from inspect import isclass
 from pathlib import Path
 
-from django.conf import settings
-
 from dojo.models import Test_Type, Tool_Configuration, Tool_Type
 
 PARSERS = {}
@@ -37,12 +35,12 @@ def get_parser(scan_type):
     if scan_type not in PARSERS:
         msg = f"Parser '{scan_type}' does not exist"
         raise ValueError(msg)
-    rg = re.compile(settings.PARSER_EXCLUDE)
-    if not rg.match(scan_type) or not settings.PARSER_EXCLUDE.strip():
-        # update DB dynamically
-        test_type, _ = Test_Type.objects.get_or_create(name=scan_type)
-        if test_type.active:
-            return PARSERS[scan_type]
+
+    # update DB dynamically
+    test_type, _ = Test_Type.objects.get_or_create(name=scan_type)
+    if test_type.active:
+        return PARSERS[scan_type]
+
     msg = f"Parser {scan_type} is not active"
     raise ValueError(msg)
 

dojo/utils.py

@@ -68,6 +68,7 @@
     Product,
     System_Settings,
     Test,
+    Test_Type,
     User,
 )
 from dojo.notifications.helper import create_notification
@@ -83,6 +84,11 @@
 """
 
 
+def get_visible_scan_types():
+    """Returns a QuerySet of active Test_Type objects."""
+    return Test_Type.objects.filter(active=True)
+
+
 def do_false_positive_history(finding, *args, **kwargs):
     """
     Replicate false positives across product.

unittests/test_test_type_active_toggle.py

@@ -0,0 +1,26 @@
+
+from django.test import TestCase
+
+from dojo.filters import FindingFilter
+from dojo.models import Test_Type
+from dojo.utils import get_visible_scan_types
+
+
+class TestFindingFilterActiveInactiveTestTypes(TestCase):
+    def setUp(self):
+        self.active_type = Test_Type.objects.create(name="Nessus Scan", active=True)
+        self.inactive_type = Test_Type.objects.create(name="Burp Scan", active=False)
+
+    def test_only_active_types_in_filter(self):
+        filter_instance = FindingFilter(data={})
+        self.assertIn("test__test_type", filter_instance.form.fields)
+        queryset = filter_instance.form.fields["test__test_type"].queryset
+        actual_names = set(queryset.values_list("name", flat=True))
+        self.assertIn(self.active_type.name, actual_names)
+        self.assertNotIn(self.inactive_type.name, actual_names)
+
+    def test_helper_function_returns_only_active(self):
+        visible = get_visible_scan_types()
+        names = set(visible.values_list("name", flat=True))
+        self.assertIn(self.active_type.name, names)
+        self.assertNotIn(self.inactive_type.name, names)