Impact
The groups landing page header ("… · {{ total_logs }} log(s) · chain-of-custody intact") overstates the number of uploaded audit files whenever a file contains events for more than one group.
total_logs is computed by summing each group's audit_file_count:
    groups = group_list_rows()
    total_logs = sum(group.audit_file_count for group in groups)
and audit_file_count is a per-group Count("audit_events__audit_file", distinct=True) (forensics/analysis.py:130) — i.e. the number of distinct audit files that have at least one event in that group. The README explicitly supports multi-group uploads ("One uploaded file can contain multiple groups"), so a single AuditFile with events in groups A and B contributes 1 to A's count and 1 to B's count, and is therefore counted twice (or more) in the summed total_logs.
This is a forensic-integrity-adjacent display bug: the "logs" figure shown on the primary dashboard for an evidence tool no longer matches the real number of uploaded files.
Code pointers
forensics/views.py:38 — total_logs = sum(group.audit_file_count for group in groups).
forensics/analysis.py:130 — audit_file_count=Count("audit_events__audit_file", distinct=True) (per-group, so files spanning groups are counted in each).
forensics/templates/forensics/group_list.html:15 — renders {{ total_logs }} log{{ total_logs|pluralize }}.
Expected behavior
The "N logs" total should equal the actual number of distinct uploaded audit files, regardless of how many groups each spans.
Suggested fix
- Compute the total directly, e.g. total_logs = AuditFile.objects.count() (or count files that have at least one event), instead of summing per-group counts.
- Add a regression test: ingest one file whose events span two group_refs and assert the landing page reports 1 log, not 2.