Add status and notes columns to CSV/Excel exports (#13970)

- Add 'status' column showing finding status (Active, Verified, etc.)
- Add 'notes' column aggregating all public notes for each finding
- Filter out private notes from exports for privacy compliance
- Add prefetching for notes to avoid N+1 queries
- Follow existing patterns for multiline field handling (NEWLINE for CSV, actual newlines for Excel)

Fixes #8995

Author: valentijnscholten

dojo/reports/views.py

@@ -7,6 +7,7 @@
 from dateutil.relativedelta import relativedelta
 from django.conf import settings
 from django.core.exceptions import PermissionDenied
+from django.db.models import Prefetch
 from django.http import Http404, HttpRequest, HttpResponse, QueryDict
 from django.shortcuts import get_object_or_404, render
 from django.utils import timezone
@@ -28,7 +29,7 @@
 from dojo.finding.views import BaseListFindings
 from dojo.forms import ReportOptionsForm
 from dojo.labels import get_labels
-from dojo.models import Dojo_User, Endpoint, Engagement, Finding, Product, Product_Type, Test
+from dojo.models import Dojo_User, Endpoint, Engagement, Finding, Notes, Product, Product_Type, Test
 from dojo.reports.widgets import (
     CoverPage,
     CustomReportJsonForm,
@@ -642,7 +643,7 @@ def prefetch_related_findings_for_report(findings):
                                      "burprawrequestresponse_set",
                                      "endpoints",
                                      "tags",
-                                     "notes",
+                                     Prefetch("notes", queryset=Notes.objects.filter(private=False)),
                                      "files",
                                      "reporter",
                                      "mitigated_by",
@@ -815,6 +816,7 @@ def add_extra_values(self):
 
     def get(self, request):
         findings, _obj = get_findings(request)
+        findings = prefetch_related_findings_for_report(findings)
         self.findings = findings
         findings = self.add_findings_data()
         response = HttpResponse(content_type="text/csv")
@@ -850,6 +852,8 @@ def get(self, request):
                     "endpoints",
                     "vulnerability_ids",
                     "tags",
+                    "status",
+                    "notes",
                 ))
                 self.fields = fields
                 self.add_extra_headers()
@@ -913,6 +917,20 @@ def get(self, request):
                 tags_value = tags_value.removesuffix("; ")
                 fields.append(tags_value)
 
+                # Status
+                status_value = finding.status()
+                fields.append(status_value)
+
+                # Notes
+                notes_value = ""
+                for note in finding.notes.filter(private=False):
+                    note_entry = note.entry.replace("\n", " NEWLINE ").replace("\r", "")
+                    notes_value += f"{note_entry}; "
+                notes_value = notes_value.removesuffix("; ")
+                if len(notes_value) > EXCEL_CHAR_LIMIT:
+                    notes_value = notes_value[:EXCEL_CHAR_LIMIT - 3] + "..."
+                fields.append(notes_value)
+
                 self.fields = fields
                 self.finding = finding
                 self.add_extra_values()
@@ -935,6 +953,7 @@ def add_extra_values(self):
 
     def get(self, request):
         findings, _obj = get_findings(request)
+        findings = prefetch_related_findings_for_report(findings)
         self.findings = findings
         findings = self.add_findings_data()
         workbook = Workbook()
@@ -990,6 +1009,12 @@ def get(self, request):
                 cell = worksheet.cell(row=row_num, column=col_num, value="tags")
                 cell.font = font_bold
                 col_num += 1
+                cell = worksheet.cell(row=row_num, column=col_num, value="status")
+                cell.font = font_bold
+                col_num += 1
+                cell = worksheet.cell(row=row_num, column=col_num, value="notes")
+                cell.font = font_bold
+                col_num += 1
                 self.row_num = row_num
                 self.col_num = col_num
                 self.add_extra_headers()
@@ -1056,6 +1081,23 @@ def get(self, request):
                 tags_value = tags_value.removesuffix("; \n")
                 worksheet.cell(row=row_num, column=col_num, value=tags_value)
                 col_num += 1
+
+                # Status
+                status_value = finding.status()
+                worksheet.cell(row=row_num, column=col_num, value=status_value)
+                col_num += 1
+
+                # Notes
+                notes_value = ""
+                for note in finding.notes.filter(private=False):
+                    note_entry = note.entry.replace("\r", "")
+                    notes_value += f"{note_entry}; \n"
+                notes_value = notes_value.removesuffix("; \n")
+                if len(notes_value) > EXCEL_CHAR_LIMIT:
+                    notes_value = notes_value[:EXCEL_CHAR_LIMIT - 3] + "..."
+                worksheet.cell(row=row_num, column=col_num, value=notes_value)
+                col_num += 1
+
                 self.col_num = col_num
                 self.row_num = row_num
                 self.finding = finding