@valentijnscholten valentijnscholten commented Dec 23, 2025

Description

This PR implements feature request #8995: Add 'status' and 'notes' columns to Excel/CSV exports of findings.

Changes

  • ✅ Add 'status' column showing finding status (Active, Verified, Mitigated, etc.)
  • ✅ Add 'notes' column aggregating all public notes for each finding
  • ✅ Filter out private notes from exports for privacy compliance (consistent with report generation)
  • ✅ Add prefetching for notes to avoid N+1 queries
  • ✅ Follow existing patterns for multiline field handling:
    • CSV: Replace newlines with " NEWLINE " for compatibility
    • Excel: Preserve actual newlines within cells

Implementation Details

  • Status uses the existing finding.status() method which returns a human-readable comma-separated string
  • Notes are filtered to exclude private notes (private=False)
  • Prefetching uses Prefetch with filtered queryset to optimize database queries
  • Both CSV and Excel exports respect EXCEL_CHAR_LIMIT truncation

Fixes #8995

- Add 'status' column showing finding status (Active, Verified, etc.)
- Add 'notes' column aggregating all public notes for each finding
- Filter out private notes from exports for privacy compliance
- Add prefetching for notes to avoid N+1 queries
- Follow existing patterns for multiline field handling (NEWLINE for CSV, actual newlines for Excel)

Fixes DefectDojo#8995
@dryrunsecurity DryRun Security commented

This pull request includes CSV and Excel formula injection findings: unsanitized user-controlled note entries are concatenated into CSV fields and written directly into Excel cells, allowing leading characters like =, +, -, or @ to be interpreted as formulas and potentially execute malicious actions when opened in spreadsheet programs. Both issues are noted in dojo/reports/views.py and should be mitigated by sanitizing or escaping leading formula-trigger characters before exporting.

CSV/Formula Injection in dojo/reports/views.py
Vulnerability: CSV/Formula Injection
Description: The code creates a list of finding notes for CSV export by directly concatenating unsanitized user input (note.entry) into a field. If a note entry begins with a character recognized as a formula trigger (such as '=', '+', '-', or '@'), a user opening the exported CSV in a spreadsheet program will execute the formula, which can lead to data theft or command execution on their machine.

```python
# Excerpt quoted from the PR's dojo/reports/views.py (CSV path)
for note in finding.notes.filter(private=False):
    note_entry = note.entry.replace("\n", " NEWLINE ").replace("\r", "")
    notes_value += f"{note_entry}; "
```

Excel Formula Injection in dojo/reports/views.py
Vulnerability: Excel Formula Injection
Description: User-controlled content from finding notes (note.entry) is written directly to an Excel cell via worksheet.cell(..., value=notes_value) without sanitizing or escaping characters that trigger formula parsing (e.g., =, +, -, @). This allows an attacker to inject malicious formulas into the exported report.

```python
# Excerpt quoted from the PR's dojo/reports/views.py (Excel path)
worksheet.cell(row=row_num, column=col_num, value=notes_value)
col_num += 1
self.col_num = col_num
```


All finding details can be found in the DryRun Security Dashboard.
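A defensive counterpart to the findings above, written for this page as an added example rather than code from the PR or from DefectDojo: it reproduces the notes aggregation the PR describes (public notes only, "; "-joined, NEWLINE substitution for CSV) and neutralises the cell's leading character before export. The function names, FORMULA_TRIGGERS and the sample notes are assumptions, not project code.

```python
"""Added example, not DefectDojo's code: build the 'notes' export cell so a
note starting with a formula-trigger character is exported as text. Notes
are constructed (entry, private) tuples; NEWLINE handling follows the PR."""
import csv
import io

# Characters a spreadsheet may interpret as a formula or cell prefix when
# they are the first character of a cell.
FORMULA_TRIGGERS = frozenset("=+-@\t\r")


def neutralise_cell(value):
    """Prefix a single quote if the first non-space character is a formula
    trigger, so the spreadsheet reads the cell as literal text. Leading
    spaces are skipped for the check, which errs on the safe side."""
    stripped = value.lstrip(" ")
    if stripped and stripped[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def notes_cell(notes, excel=False):
    """Aggregate public notes as the PR does: '; '-joined, newlines kept for
    Excel and replaced by ' NEWLINE ' for CSV. The whole cell is neutralised
    once, because only a cell's first character can start a formula."""
    parts = []
    for entry, private in notes:
        if private:  # private notes are excluded, as in the PR
            continue
        if not excel:
            entry = entry.replace("\n", " NEWLINE ").replace("\r", "")
        parts.append(entry + "; ")
    return neutralise_cell("".join(parts))


def csv_row(finding_id, status, notes):
    """Serialise one finding row with the stdlib csv module, which quotes
    commas and embedded double quotes for us."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow(
        [finding_id, status, notes_cell(notes)])
    return buf.getvalue()


# Constructed sample: the first note has the shape DryRun flagged.
SAMPLE_NOTES = [
    ("=1+1", False),
    ("internal triage note", True),
    ("Retested\nstill reproducible", False),
]
```

For the Excel path, notes_cell(notes, excel=True) is the value that would go into worksheet.cell(value=...); the apostrophe is stored as part of the text, which is the usual trade-off of this mitigation.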

@mtesauro mtesauro left a comment

Approved

Successfully merging this pull request may close these issues.

Excel / CSV Export of the Findings with the Status and Notes columns