feat(django): Upgrade to 5.0 #10409

kiblik · 2024-06-15T08:11:16Z

We released 4.2 so we can start migration to 5.0

Needs to be considered: https://docs.djangoproject.com/en/5.0/releases/5.0

Needs to be fixed (to be able to upgrade)

fix(multiselectfield): Use original repo #10420

Post upgrade improvements (new useful features):

choices: From list of tuples to dict https://docs.djangoproject.com/en/5.0/releases/5.0/#more-options-for-declaring-field-choices

dryrunsecurity · 2024-06-15T08:11:35Z

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Configured Codepaths Analyzer	✅	0 findings
Server-Side Request Forgery Analyzer	✅	0 findings
Sensitive Files Analyzer	❕	1 finding
IDOR Analyzer	✅	0 findings
SQL Injection Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request primarily focus on updating the dependencies and configurations for the DefectDojo application. The key changes include:

Updating the Django version from 4.2.13 to 5.0.6, which is a significant version jump and requires careful review of the release notes and changelogs to understand any potential security-related changes or improvements.
Updating the django-multiselectfield library to the latest stable version, which is a positive change to benefit from bug fixes and security improvements.
Replacing the outdated django-tagging library with a direct reference to the newer django-tagging repository on GitHub, indicating a move towards a more secure solution.
Adding new dependencies, such as drf-spectacular, django-ratelimit, and argon2-cffi, which should be reviewed to ensure they are legitimate and necessary for the application, and that they do not introduce any known security vulnerabilities.
Adding Celery-related dependencies, which suggests the application is using asynchronous task processing. This functionality should be reviewed for any potential security implications, such as ensuring that tasks are properly validated and authorized.
Including the cryptography library, which indicates that the application is handling sensitive data and utilizing cryptographic functions. The specific use cases and implementation details should be reviewed to ensure that the cryptography is being used correctly and securely.

Files Changed:

dojo/settings/settings.dist.py: This file is the default settings file for the DefectDojo application. The change sets the FORMS_URLFIELD_ASSUME_HTTPS setting to True to address a warning related to the default scheme for URLField in Django 6.0. This change does not directly impact the security of the application but is a good practice to keep the application's dependencies and configurations up-to-date.
dojo/settings/.settings.dist.py.sha256sum: This file is a checksum file for the settings.dist.py configuration file. The change updates the checksum value, indicating that the settings.dist.py file has been modified. Verifying the integrity of configuration files through checksum validation is a good security practice.
requirements.txt: This file contains the list of dependencies for the DefectDojo application. The changes include updating the Django version, replacing the django-tagging library, adding new dependencies, and including Celery-related and cryptography-related dependencies. These changes should be reviewed carefully to ensure they do not introduce any security vulnerabilities.

Powered by DryRun Security

github-actions · 2024-06-17T21:17:37Z