bugfix: use subquery for (finding) counts#12784
Merged
Maffooch merged 4 commits intoJul 21, 2025
Merged
Conversation
|
This pull request contains three low-risk findings: a potential subquery injection vulnerability in query utilities, a CVSS parsing function that might return None unexpectedly, and a potential configuration risk from adding
Potential Subquery Injection in
|
| Vulnerability | Potential Subquery Injection |
|---|---|
| Description | In the build_count_subquery function in dojo/query_utils.py, the group_field parameter is directly used in model_qs.values() without validation. While Django's ORM provides protection, there's a theoretical risk of information disclosure or unexpected query behavior if an attacker can control the input. |
django-DefectDojo/dojo/query_utils.py
Lines 1 to 10 in 6ea44f3
Potential CVSS Parsing Error in dojo/utils.py
| Vulnerability | Potential CVSS Parsing Error |
|---|---|
| Description | In the parse_cvss_data function in dojo/utils.py, the removal of the explicit return {} means the function will now implicitly return None when no valid CVSS3 vector is found. This could lead to unexpected behavior in downstream code that expects a dictionary, potentially causing errors in security-sensitive contexts like risk calculation. |
django-DefectDojo/dojo/utils.py
Lines 2682 to 2684 in 6ea44f3
Potential Gitignore Configuration Risk in .gitignore
| Vulnerability | Potential Gitignore Configuration Risk |
|---|---|
| Description | The addition of .cursor-rules to .gitignore could potentially lead to configuration drift or inconsistent security settings if this file contains critical configuration that should be version-controlled. The risk depends on the specific contents of the .cursor-rules file. |
Lines 147 to 150 in 6ea44f3
All finding details can be found in the DryRun Security Dashboard.
Maffooch
approved these changes
Jul 21, 2025
rossops
approved these changes
Jul 21, 2025
dogboat
approved these changes
Jul 21, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
On Slack a user reported an exception involving an invalid Postgres query in Defect Dojo 2.47.3.
This code hasn't been changed since a long time, so it's unclear why this pops up now. It could be related to a very specific dataset or data that was create long ago and was migrated over time in Django migrations.
Either way, this code is using the old aggrgation via group by constructs. In 2.48.0 via #12575 these were changed into subquery counts. This was not done for
view_testwhere a list of findings is also rendered. This used its own almost identical copy ofprefetch_for_findingswhich still used the old construct.django-DefectDojo/dojo/test/views.py
Lines 112 to 113 in 9b52e50
This PR changes
view_testto use that existing and optimizedprefetch_for_findingsmethod that doesn't use aggregation via group by anymore. I had to move around some methods to avoid circular imports.ADDED: The use on Slack reported more group by errors in other places. It's almost as if their Postgres is more strict than what we are using? These code paths haven't changed in years and have been running fine. Still it is good if we adopt the code base to comply with these group by rules. But as we have been moving from
Countwith GROUP BY to using subqueries, I have updated all remainingCountinstances to use subqueries insead. Should get rid of the GROUP BY errors and improve performance for large datasets.