Merge branch 'master' of https://github.com/OWASP/django-DefectDojo

Author: devGregA

components/bower.json

@@ -1,5 +1,5 @@
 {
-  "name": "django-DefectDojo",
+  "name": "django-defectdojo",
   "version": "1.0",
   "homepage": "https://github.com/rackerlabs/django-DefectDojo",
   "authors": [

dojo/engagement/urls.py

@@ -4,7 +4,8 @@
 
 urlpatterns = [
     #  engagements and calendar
-    url(r'^calendar$', views.calendar, name='calendar'),
+    url(r'^calendar$', views.engagement_calendar, name='calendar'),
+    url(r'^calendar/engagements$', views.engagement_calendar, name='engagement_calendar'),
     url(r'^engagement$', views.engagement, name='engagement'),
     url(r'^engagement/new$', views.new_engagement, name='new_eng'),
     url(r'^engagement/(?P<eid>\d+)$', views.view_engagement,

dojo/engagement/views.py

@@ -2,6 +2,7 @@
 import logging
 import os
 from datetime import datetime, timedelta
+import operator
 
 from django.contrib.auth.models import User
 from django.conf import settings
@@ -23,7 +24,7 @@
 from dojo.models import Finding, Product, Engagement, Test, \
     Check_List, Test_Type, Notes, \
     Risk_Acceptance, Development_Environment, BurpRawRequestResponse, Endpoint, \
-    JIRA_PKey, JIRA_Conf, JIRA_Issue, Cred_User, Cred_Mapping
+    JIRA_PKey, JIRA_Conf, JIRA_Issue, Cred_User, Cred_Mapping, Dojo_User
 from dojo.tools.factory import import_parser_factory
 from dojo.utils import get_page_items, add_breadcrumb, handle_uploaded_threat, \
     FileIterWrapper, get_cal_event, message, get_system_setting
@@ -42,11 +43,24 @@
 
 @user_passes_test(lambda u: u.is_staff)
 @cache_page(60 * 5)  # cache for 5 minutes
-def calendar(request):
-    engagements = Engagement.objects.all()
-    add_breadcrumb(title="Calendar", top_level=True, request=request)
+def engagement_calendar(request):
+    if not 'lead' in request.GET or '0' in request.GET.getlist('lead'):
+        engagements = Engagement.objects.all()
+    else:
+        filters = []
+        leads = request.GET.getlist('lead','')
+        if '-1' in request.GET.getlist('lead'):
+            leads.remove('-1')
+            filters.append(Q(lead__isnull=True))
+        filters.append(Q(lead__in=leads))
+        engagements = Engagement.objects.filter(reduce(operator.or_, filters))
+
+    add_breadcrumb(title="Engagement Calendar", top_level=True, request=request)
     return render(request, 'dojo/calendar.html', {
-        'engagements': engagements})
+        'caltype': 'engagements',
+        'leads': request.GET.getlist('lead', ''),
+        'engagements': engagements,
+        'users': Dojo_User.objects.all()})
 
 
 @user_passes_test(lambda u: u.is_staff)

dojo/filters.py

@@ -753,6 +753,14 @@ def __init__(self, *args, **kwargs):
             self.form.fields['test__engagement__product'].queryset = Product.objects.filter(
                 authorized_users__in=[self.user])
 
+    @property
+    def qs(self):
+        parent = super(ReportAuthedFindingFilter, self).qs
+        if self.user.is_staff:
+            return parent
+        else:
+            return parent.filter(test__engagement__product__authorized_users__in=[self.user])
+
     class Meta:
         model = Finding
         exclude = ['date', 'cwe', 'url', 'description', 'mitigation', 'impact',

dojo/forms.py

@@ -568,7 +568,7 @@ def __init__(self, *args, **kwargs):
 
     class Meta:
         model = Test
-        fields = ['test_type', 'target_start', 'target_end', 'environment', 'percent_complete', 'tags']
+        fields = ['test_type', 'target_start', 'target_end', 'environment', 'percent_complete', 'tags', 'lead']
 
 
 class DeleteTestForm(forms.ModelForm):
@@ -582,7 +582,8 @@ class Meta:
                    'target_start',
                    'target_end',
                    'engagement',
-                   'percent_complete')
+                   'percent_complete',
+                   'lead')
 
 
 class AddFindingForm(forms.ModelForm):

dojo/models.py

@@ -702,8 +702,8 @@ def long_desc(self):
 
     def save(self, *args, **kwargs):
         super(Finding, self).save(*args, **kwargs)
-        if hasattr(settings, 'ENABLE_DEDUPLICATION'):
-            if settings.ENABLE_DEDUPLICATION and (len(self.endpoints.all()) != 0):
+        system_settings = System_Settings.objects.get()
+        if system_settings.enable_deduplication :
                 from dojo.tasks import async_dedupe
                 async_dedupe.delay(self, *args, **kwargs)
 
@@ -728,7 +728,7 @@ def severity_display(self):
                 return self.severity
 
         except:
-            return self.numerical_severity
+            return self.severity
 
     def get_breadcrumbs(self):
         bc = self.test.get_breadcrumbs()

dojo/product/views.py

@@ -412,7 +412,7 @@ def delete_product(request, pid):
 Status: in production
 """
 
-
+@user_passes_test(lambda u: u.is_staff)
 def all_product_findings(request, pid):
     p = get_object_or_404(Product, id=pid)
     result = ProductFindingFilter(

dojo/templates/base.html

@@ -29,9 +29,6 @@
     <!-- MetisMenu CSS -->
     <link href="{% static "metisMenu/dist/metisMenu.min.css" %}" rel="stylesheet">
 
-    <!-- Timeline CSS -->
-    <link href="{% static "startbootstrap-sb-admin-2/dist/css/timeline.css" %}" rel="stylesheet">
-
     <!-- Custom CSS -->
     <link href="{% static "startbootstrap-sb-admin-2/dist/css/sb-admin-2.css" %}" rel="stylesheet">
 
@@ -243,7 +240,7 @@
                             {% endif %}
                             {% if request.user.is_staff %}
                                 <li>
-                                    <a href="{% url 'calendar' %}"><i class="fa fa-calendar fa-fw"></i>
+                                    <a href="{% url 'engagement_calendar' %}"><i class="fa fa-calendar fa-fw"></i>
                                         <span>Calendar</span></a>
                                 </li>
                                 <li>

dojo/templates/dojo/calendar.html

@@ -1,11 +1,46 @@
 {% extends 'base.html' %}
+{% load static from staticfiles %}
+{% block add_css %}
+    <link rel="stylesheet" href="{% static "chosen-bootstrap/chosen.bootstrap.min.css" %}">
+{% endblock %}
 {% block content %}
+    <form method="GET" id="calfilter" action="/calendar">
+        <div class="container-fluid chosen-container side-by-side">
+            <div class="row">
+                <div class="col-lg-6" style="width:200px;">
+                    <select data-placeholder="Calendar type" id="caltype" class="chosen-select">
+                        <option value="engagements">Engagements</option>
+                        <option value="tests">Tests</option>
+                    </select>
+                </div>
+                <div class="col-lg-6" style="width:400px;">
+                    <select data-placeholder="All users" multiple id="lead" name="lead" class="chosen-select">
+                        <option value="0">All users</option>
+                        <option value="-1">Unassigned</option>
+                        {% for u in users %}
+                            <option value="{{ u.id }}">{{ u.username }}</option>
+                        {% endfor %}
+                    </select>
+                </div>
+                <div class="col-lg-6">
+                    <button class="btn btn-primary" type="submit">Apply</button>
+                </div>
+            </div>
+        </div>
+    </form>
+    <br/><br/>
     <div id="calendar"></div>
     <br/><br/>
 {% endblock %}
 {% block postscript %}
+    <script type="application/javascript" src="{% static "chosen/chosen.jquery.min.js" %}"></script>
     <script>
-        $(function () {
+          $(function () {
+            $('#caltype').change(function() { $('#calfilter').attr('action', '/calendar/' + $(this).val()); });
+            $(".chosen-select").chosen({disable_search_threshold: 10});
+            $('#caltype').val('{{ caltype }}'); $('#caltype').trigger('change');
+            $('#lead').val([{% for lead in leads %} '{{ lead }}', {% endfor %}]);
+            $('.chosen-select').trigger('chosen:updated');
             $('#calendar').fullCalendar({
                 header: {
                     left: 'prev,next today',
@@ -15,16 +50,29 @@
                 editable: false,
                 eventLimit: true, // allow "more" link when too many events
                 events: [
-                    {% for e in engagements %}
-                        {
-                            title: '{{e.product.name}}: {{ e.name|default:"Unknown" }}',
-                            start: '{{e.target_start|date:"c"}}',
-                            end: '{{e.target_end|date:"c"}}',
-                            url: '{% url 'view_engagement' e.id %}',
-                            color: {%  if e.active %}'#337ab7'{% else %}'#b9b9b9'{% endif %},
-                            overlap: true
-                        },
-                    {%  endfor %}
+                    {% if caltype == 'tests' %}
+                        {% for t in tests %}
+                            {
+                                title: '{{t.engagement.product.name}}: {{ t.engagement.name|default:"Unknown" }} - {{ t.test_type }} ({{ t.lead|default:"Unassigned" }})',
+                                start: '{{t.target_start|date:"c"}}',
+                                end: '{{t.target_end|date:"c"}}',
+                                url: '{% url 'view_test' t.id %}',
+                                color: {%  if t.engagement.active %}'#337ab7'{% else %}'#b9b9b9'{% endif %},
+                                overlap: true
+                            },
+                        {%  endfor %}                    
+                    {% else %}
+                        {% for e in engagements %}
+                            {
+                                title: '{{e.product.name}}: {{ e.name|default:"Unknown" }} ({{ e.lead|default:"Unassigned" }})',
+                                start: '{{e.target_start|date:"c"}}',
+                                end: '{{e.target_end|date:"c"}}',
+                                url: '{% url 'view_engagement' e.id %}',
+                                color: {%  if e.active %}'#337ab7'{% else %}'#b9b9b9'{% endif %},
+                                overlap: true
+                            },
+                        {%  endfor %}
+                    {% endif %}
                 ]
             });
 

dojo/test/urls.py

@@ -4,6 +4,7 @@
 
 urlpatterns = [
     #  tests
+    url(r'^calendar/tests$', views.test_calendar, name='test_calendar'),
     url(r'^test/(?P<tid>\d+)$', views.view_test,
         name='view_test'),
     url(r'^test/(?P<tid>\d+)/ics$', views.test_ics,