allow toggling of CVSS fields

Author: valentijnscholten

dojo/db_migrations/0234_finding_cvssv4_finding_cvssv4_score.py

@@ -32,4 +32,14 @@ class Migration(migrations.Migration):
             name='cvssv4_score',
             field=models.FloatField(blank=True, help_text='Numerical CVSS4 score for the vulnerability. If the vector is given without a score, the score is calcaulated while saving the finding. The value must be between 0-10.', null=True, validators=[django.core.validators.MinValueValidator(0.0), django.core.validators.MaxValueValidator(10.0)], verbose_name='CVSSv4 Score'),
         ),
+        migrations.AddField(
+            model_name='system_settings',
+            name='enable_cvss3_display',
+            field=models.BooleanField(default=True, help_text='With this setting turned off, CVSS3 fields will be hidden in the user interface.', verbose_name='Enable CVSS3 Display'),
+        ),
+        migrations.AddField(
+            model_name='system_settings',
+            name='enable_cvss4_display',
+            field=models.BooleanField(default=True, help_text='With this setting turned off, CVSS4 fields will be hidden in the user interface.', verbose_name='Enable CVSS4 Display'),
+        ),        
     ]

dojo/forms.py

@@ -1148,10 +1148,10 @@ class AddFindingForm(forms.ModelForm):
                            widget=forms.TextInput(attrs={"class": "datepicker", "autocomplete": "off"}))
     cwe = forms.IntegerField(required=False)
     vulnerability_ids = vulnerability_ids_field
-    cvssv3 = forms.CharField(max_length=117, required=False, widget=forms.TextInput(attrs={"class": "cvsscalculator", "data-toggle": "dropdown", "aria-haspopup": "true", "aria-expanded": "false"}))
-    cvssv3_score = forms.FloatField(required=False, max_value=10.0, min_value=0.0)
-    cvssv4 = forms.CharField(max_length=255, required=False)
-    cvssv4_score = forms.FloatField(required=False, max_value=10.0, min_value=0.0)
+    cvssv3 = forms.CharField(label="CVSS3 Vector", max_length=117, required=False, widget=forms.TextInput(attrs={"class": "cvsscalculator", "data-toggle": "dropdown", "aria-haspopup": "true", "aria-expanded": "false"}))
+    cvssv3_score = forms.FloatField(label="CVSS3 Score", required=False, max_value=10.0, min_value=0.0)
+    cvssv4 = forms.CharField(label="CVSS4 Vector", max_length=255, required=False)
+    cvssv4_score = forms.FloatField(label="CVSS4 Score", required=False, max_value=10.0, min_value=0.0)
     description = forms.CharField(widget=forms.Textarea)
     severity = forms.ChoiceField(
         choices=SEVERITY_CHOICES,
@@ -1200,6 +1200,9 @@ def __init__(self, *args, **kwargs):
 
         self.endpoints_to_add_list = []
 
+        # Hide CVSS fields based on system settings
+        hide_cvss_fields_if_disabled(self)
+
     def clean(self):
         cleaned_data = super().clean()
         if ((cleaned_data["active"] or cleaned_data["verified"]) and cleaned_data["duplicate"]):
@@ -1242,10 +1245,10 @@ class AdHocFindingForm(forms.ModelForm):
         required=False,
         disabled=True)
 
-    cvssv3 = forms.CharField(max_length=117, required=False, widget=forms.TextInput(attrs={"class": "cvsscalculator", "data-toggle": "dropdown", "aria-haspopup": "true", "aria-expanded": "false"}))
-    cvssv3_score = forms.FloatField(required=False, max_value=10.0, min_value=0.0)
-    cvssv4 = forms.CharField(max_length=255, required=False)
-    cvssv4_score = forms.FloatField(required=False, max_value=10.0, min_value=0.0)
+    cvssv3 = forms.CharField(label="CVSS3 Vector", max_length=117, required=False, widget=forms.TextInput(attrs={"class": "cvsscalculator", "data-toggle": "dropdown", "aria-haspopup": "true", "aria-expanded": "false"}))
+    cvssv3_score = forms.FloatField(label="CVSS3 Score", required=False, max_value=10.0, min_value=0.0)
+    cvssv4 = forms.CharField(label="CVSS4 Vector", max_length=255, required=False)
+    cvssv4_score = forms.FloatField(label="CVSS4 Score", required=False, max_value=10.0, min_value=0.0)
     description = forms.CharField(widget=forms.Textarea)
     severity = forms.ChoiceField(
         choices=SEVERITY_CHOICES,
@@ -1294,6 +1297,9 @@ def __init__(self, *args, **kwargs):
 
         self.endpoints_to_add_list = []
 
+        # Hide CVSS fields based on system settings
+        hide_cvss_fields_if_disabled(self)
+
     def clean(self):
         cleaned_data = super().clean()
         if ((cleaned_data["active"] or cleaned_data["verified"]) and cleaned_data["duplicate"]):
@@ -1334,10 +1340,10 @@ class PromoteFindingForm(forms.ModelForm):
         required=False,
         disabled=True)
 
-    cvssv3 = forms.CharField(max_length=117, required=False, widget=forms.TextInput(attrs={"class": "cvsscalculator", "data-toggle": "dropdown", "aria-haspopup": "true", "aria-expanded": "false"}))
-    cvssv3_score = forms.FloatField(required=False, max_value=10.0, min_value=0.0)
-    cvssv4 = forms.CharField(max_length=255, required=False)
-    cvssv4_score = forms.FloatField(required=False, max_value=10.0, min_value=0.0)
+    cvssv3 = forms.CharField(label="CVSS3 Vector", max_length=117, required=False, widget=forms.TextInput(attrs={"class": "cvsscalculator", "data-toggle": "dropdown", "aria-haspopup": "true", "aria-expanded": "false"}))
+    cvssv3_score = forms.FloatField(label="CVSS3 Score", required=False, max_value=10.0, min_value=0.0)
+    cvssv4 = forms.CharField(label="CVSS4 Vector", max_length=255, required=False)
+    cvssv4_score = forms.FloatField(label="CVSS4 Score", required=False, max_value=10.0, min_value=0.0)
     description = forms.CharField(widget=forms.Textarea)
     severity = forms.ChoiceField(
         choices=SEVERITY_CHOICES,
@@ -1371,6 +1377,9 @@ def __init__(self, *args, **kwargs):
 
         self.endpoints_to_add_list = []
 
+        # Hide CVSS fields based on system settings
+        hide_cvss_fields_if_disabled(self)
+
     def clean(self):
         cleaned_data = super().clean()
 
@@ -1405,10 +1414,10 @@ class FindingForm(forms.ModelForm):
         required=False,
         disabled=True)
 
-    cvssv3 = forms.CharField(max_length=117, required=False, widget=forms.TextInput(attrs={"class": "cvsscalculator", "data-toggle": "dropdown", "aria-haspopup": "true", "aria-expanded": "false"}))
-    cvssv3_score = forms.FloatField(required=False, max_value=10.0, min_value=0.0)
-    cvssv4 = forms.CharField(max_length=255, required=False)
-    cvssv4_score = forms.FloatField(required=False, max_value=10.0, min_value=0.0)
+    cvssv3 = forms.CharField(label="CVSS3 Vector", max_length=117, required=False, widget=forms.TextInput(attrs={"class": "cvsscalculator", "data-toggle": "dropdown", "aria-haspopup": "true", "aria-expanded": "false"}))
+    cvssv3_score = forms.FloatField(label="CVSS3 Score", required=False, max_value=10.0, min_value=0.0)
+    cvssv4 = forms.CharField(label="CVSS4 Vector", max_length=255, required=False)
+    cvssv4_score = forms.FloatField(label="CVSS4 Score", required=False, max_value=10.0, min_value=0.0)
 
     description = forms.CharField(widget=forms.Textarea)
     severity = forms.ChoiceField(
@@ -1497,6 +1506,9 @@ def __init__(self, *args, **kwargs):
 
         self.endpoints_to_add_list = []
 
+        # Hide CVSS fields based on system settings
+        hide_cvss_fields_if_disabled(self)
+
     def clean(self):
         cleaned_data = super().clean()
 
@@ -1585,6 +1597,9 @@ def __init__(self, template=None, *args, **kwargs):
         if template:
             self.template.vulnerability_ids = "\n".join(template.vulnerability_ids)
 
+        # Hide CVSS fields based on system settings
+        hide_cvss_fields_if_disabled(self)
+
     def clean(self):
         cleaned_data = super().clean()
 
@@ -1613,7 +1628,7 @@ class FindingTemplateForm(forms.ModelForm):
 
     cwe = forms.IntegerField(label="CWE", required=False)
     vulnerability_ids = vulnerability_ids_field
-    cvssv3 = forms.CharField(max_length=117, required=False, widget=forms.TextInput(attrs={"class": "btn btn-secondary dropdown-toggle", "data-toggle": "dropdown", "aria-haspopup": "true", "aria-expanded": "false"}))
+    cvssv3 = forms.CharField(label="CVSS3 Vector", max_length=117, required=False, widget=forms.TextInput(attrs={"class": "btn btn-secondary dropdown-toggle", "data-toggle": "dropdown", "aria-haspopup": "true", "aria-expanded": "false"}))
     severity = forms.ChoiceField(
         required=False,
         choices=SEVERITY_CHOICES,
@@ -1627,6 +1642,9 @@ def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.fields["tags"].autocomplete_tags = Finding.tags.tag_model.objects.all().order_by("name")
 
+        # Hide CVSS fields based on system settings
+        hide_cvss_fields_if_disabled(self)
+
     class Meta:
         model = Finding_Template
         order = ("title", "cwe", "vulnerability_ids", "cvssv3", "severity", "description", "impact")
@@ -3797,3 +3815,30 @@ def set_permission(self, codename):
         else:
             msg = "Neither user or group are set"
             raise Exception(msg)
+
+
+def hide_cvss_fields_if_disabled(form_instance):
+    """Hide CVSS fields based on system settings."""
+    enable_cvss3 = get_system_setting("enable_cvss3_display", True)
+    enable_cvss4 = get_system_setting("enable_cvss4_display", True)
+
+    # Hide CVSS3 fields if disabled
+    if not enable_cvss3:
+        if "cvssv3" in form_instance.fields:
+            del form_instance.fields["cvssv3"]
+        if "cvssv3_score" in form_instance.fields:
+            del form_instance.fields["cvssv3_score"]
+        if "cvss_info" in form_instance.fields:
+            del form_instance.fields["cvss_info"]
+
+    # Hide CVSS4 fields if disabled
+    if not enable_cvss4:
+        if "cvssv4" in form_instance.fields:
+            del form_instance.fields["cvssv4"]
+        if "cvssv4_score" in form_instance.fields:
+            del form_instance.fields["cvssv4_score"]
+
+    # If both are disabled, hide all CVSS related fields
+    if not enable_cvss3 and not enable_cvss4:
+        if "cvss_info" in form_instance.fields:
+            del form_instance.fields["cvss_info"]

dojo/models.py

@@ -598,6 +598,16 @@ class System_Settings(models.Model):
         blank=False,
         verbose_name=_("Enable Calendar"),
         help_text=_("With this setting turned off, the Calendar will be disabled in the user interface."))
+    enable_cvss3_display = models.BooleanField(
+        default=True,
+        blank=False,
+        verbose_name=_("Enable CVSS3 Display"),
+        help_text=_("With this setting turned off, CVSS3 fields will be hidden in the user interface."))
+    enable_cvss4_display = models.BooleanField(
+        default=True,
+        blank=False,
+        verbose_name=_("Enable CVSS4 Display"),
+        help_text=_("With this setting turned off, CVSS4 fields will be hidden in the user interface."))
     default_group = models.ForeignKey(
         Dojo_Group,
         null=True,
@@ -816,7 +826,7 @@ def clean(self):
 class Product_Type(models.Model):
 
     """
-    Product types represent the top level model, these can be business unit divisions, different offices or locations, development teams, or any other logical way of distinguishing “types” of products.
+    Product types represent the top level model, these can be business unit divisions, different offices or locations, development teams, or any other logical way of distinguishing "types" of products.
     `
        Examples:
          * IAM Team

dojo/templates/dojo/view_finding.html

@@ -290,10 +290,10 @@ <h3 class="pull-left finding-title">
                             <span class="label severity severity-{{ finding.severity }}">
                                 {% if finding.severity %}
                                     {{ finding.severity_display }}
-                                    {% if finding.cvssv4_score or finding.cvssv3_score %}
+                                    {% if system_settings.enable_cvss4_display and finding.cvssv4_score or system_settings.enable_cvss3_display and finding.cvssv3_score %}
                                         <i class="no-italics has-popover" font-style="normal" data-toggle="tooltip" data-placement="bottom" data-container="body" data-html="true" title="" href="#"
-                                            data-content="{% if finding.cvssv4 %}{{ finding.cvssv4 }} ({{ finding.cvssv4_score }}){% endif %}{% if finding.cvssv4 and finding.cvssv3 %}<br/>{% endif %}{% if finding.cvssv3 %}{{ finding.cvssv3 }} ({{ finding.cvssv3_score }}){% endif %}">
-                                        ({% if finding.cvssv4_score %}{{ finding.cvssv4_score }}{% if finding.cvssv3_score %}, {% endif %}{% endif %}{% if finding.cvssv3_score %}{{ finding.cvssv3_score }}{% endif %})</i>
+                                            data-content="{% if system_settings.enable_cvss4_display and finding.cvssv4 %}{{ finding.cvssv4 }} ({{ finding.cvssv4_score }}){% endif %}{% if system_settings.enable_cvss4_display and finding.cvssv4 and system_settings.enable_cvss3_display and finding.cvssv3 %}<br/>{% endif %}{% if system_settings.enable_cvss3_display and finding.cvssv3 %}{{ finding.cvssv3 }} ({{ finding.cvssv3_score }}){% endif %}">
+                                        ({% if system_settings.enable_cvss4_display and finding.cvssv4_score %}{{ finding.cvssv4_score }}{% if system_settings.enable_cvss3_display and finding.cvssv3_score %}, {% endif %}{% endif %}{% if system_settings.enable_cvss3_display and finding.cvssv3_score %}{{ finding.cvssv3_score }}{% endif %})</i>
                                     {% endif %}
                                 {% else %}
                                     Unknown
@@ -1169,9 +1169,9 @@ <h4>Credential
     <script type="application/javascript" src="{% static "jquery.hotkeys/jquery.hotkeys.js" %}"></script>
     <script type="text/javascript" src="{% static "jquery-highlight/jquery.highlight.js" %}"></script>
     <script type="text/javascript">
-        var firstID = {{findings_list.0}};
-        var currentID = {{finding.id}};
-        var lastID = {{findings_list_lastElement}};
+        var firstID = {% if findings_list.0 %}{{findings_list.0}}{% else %}null{% endif %};
+        var currentID = {% if finding.id %}{{finding.id}}{% else %}null{% endif %};
+        var lastID = {% if findings_list_lastElement %}{{findings_list_lastElement}}{% else %}null{% endif %};
         if(currentID != firstID)
         {
             $('.PrevAndNext_Buttons').append('<a href="{% url 'view_finding' prev_finding_id %}" class="btn btn-primary">Previous Finding</a> ');