Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Release: Merge back 2.36.1 into dev from: master-into-dev/2.36.1-2.37.0-dev #10538

Merged
merged 18 commits into from
Jul 8, 2024

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Jul 8, 2024

Release triggered by blakeaowens

Copy link

dryrunsecurity bot commented Jul 8, 2024

DryRun Security Summary

This pull request covers a wide range of updates to the Defect Dojo application, focusing on improving security, performance, and functionality, including changes to the GitHub Actions workflow, Renovate bot configuration, Docker Compose setup, documentation, and various parts of the Django-based application code.

Expand for full summary

Summary:

The code changes in this pull request cover a wide range of updates across the Defect Dojo application, with a focus on improving the application's security, performance, and functionality. The changes include updates to the GitHub Actions workflow for the Ruff Linter, the Renovate bot configuration, Docker Compose setup, documentation, and various parts of the Django-based application code.

From an application security perspective, the key improvements include:

  1. Removal of the pull_request_target event trigger from the GitHub Actions workflow, which reduces the potential attack surface and mitigates the risk of unauthorized access or modifications.
  2. Customizations to the Renovate bot configuration, including ignoring specific dependencies and setting up registry aliases, which can help manage the application's dependencies more securely.
  3. Improvements to the Docker-based test environment, such as setting the log level and using lightweight busybox images, which can enhance the overall security and maintainability of the test setup.
  4. Enhancements to the authorization and access control mechanisms throughout the Django application, ensuring that users can only access the resources they are authorized to view or modify.
  5. Optimizations to the database queries and ordering of results, which can improve the application's performance and security by reducing the risk of race conditions or other issues.

Overall, the changes in this pull request demonstrate a security-conscious approach to the Defect Dojo application's development and maintenance, with a focus on implementing best practices for secure software development.

Files Changed:

  1. .github/workflows/ruff.yml: The changes remove the pull_request_target event trigger and add the pull_request event trigger, which is a more secure configuration for the Ruff Linter workflow.
  2. .github/renovate.json: The changes include customizations to the Renovate bot configuration, such as ignoring specific dependencies and setting up registry aliases.
  3. docker-compose.override.unit_tests_cicd.yml: The changes update the environment variables and service configurations for the Docker-based unit test environment.
  4. docker-compose.override.unit_tests.yml: The changes remove the nginx service and simplify the configuration for other services in the Docker-based unit test environment.
  5. docs/config.dev.toml: The changes enable Mermaid diagram support and disable the guessSyntax option for code syntax highlighting in the documentation.
  6. docker/entrypoint-unit-tests.sh: The changes add several command-line arguments to the python3 manage.py test command, including --failfast, --shuffle, --parallel, and --exclude-tag="non-parallel", to improve the efficiency and reliability of the unit test suite.
  7. docker/entrypoint-unit-tests-devDocker.sh: Similar to the changes in the entrypoint-unit-tests.sh file, these changes also introduce the same command-line arguments for running the unit tests.
  8. docs/content/en/getting_started/upgrading/2.36.md: The changes provide guidance for upgrading the Defect Dojo application from version 2.35.x to 2.36.x, including the requirement to upgrade the underlying PostgreSQL database.
  9. And various other files related to the Defect Dojo application's code, including changes to authorization and access control mechanisms, API endpoints, and database queries.

Code Analysis

We ran 7 analyzers against 30 files and 3 analyzers had findings. 4 analyzers had no findings.

Analyzer Findings
Configured Codepaths Analyzer 1 finding
Sensitive Files Analyzer 1 finding
Authn/Authz Analyzer 52 findings

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.

Signed-off-by: DefectDojo <[email protected]>
@blakeaowens blakeaowens closed this Jul 8, 2024
@blakeaowens blakeaowens reopened this Jul 8, 2024
Copy link

sonarqubecloud bot commented Jul 8, 2024

@blakeaowens blakeaowens merged commit f8cff1b into dev Jul 8, 2024
128 of 129 checks passed
@Maffooch Maffooch deleted the master-into-dev/2.36.1-2.37.0-dev branch July 9, 2024 21:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants