
Release: Merge back 2.36.1 into dev from: master-into-dev/2.36.1-2.37.0-dev #10538

Merged
merged 18 commits into from
Jul 8, 2024

Conversation

github-actions[bot]

@github-actions github-actions bot commented Jul 8, 2024

Release triggered by blakeaowens


dryrunsecurity bot commented Jul 8, 2024

DryRun Security Summary

This pull request covers a wide range of updates to the Defect Dojo application, focusing on improving security, performance, and functionality, including changes to the GitHub Actions workflow, Renovate bot configuration, Docker Compose setup, documentation, and various parts of the Django-based application code.


Summary:

The code changes in this pull request cover a wide range of updates across the Defect Dojo application, with a focus on improving the application's security, performance, and functionality. The changes include updates to the GitHub Actions workflow for the Ruff Linter, the Renovate bot configuration, Docker Compose setup, documentation, and various parts of the Django-based application code.

From an application security perspective, the key improvements include:

  1. Removal of the pull_request_target event trigger from the GitHub Actions workflow, which reduces the potential attack surface and mitigates the risk of unauthorized access or modifications.
  2. Customizations to the Renovate bot configuration, including ignoring specific dependencies and setting up registry aliases, which can help manage the application's dependencies more securely.
  3. Improvements to the Docker-based test environment, such as setting the log level and using lightweight busybox images, which can enhance the overall security and maintainability of the test setup.
  4. Enhancements to the authorization and access control mechanisms throughout the Django application, ensuring that users can only access the resources they are authorized to view or modify.
  5. Optimizations to the database queries and ordering of results, which can improve the application's performance and security by reducing the risk of race conditions or other issues.

Overall, the changes in this pull request demonstrate a security-conscious approach to the Defect Dojo application's development and maintenance, with a focus on implementing best practices for secure software development.

Files Changed:

  1. .github/workflows/ruff.yml: The changes remove the pull_request_target event trigger and add the pull_request event trigger, which is a more secure configuration for the Ruff Linter workflow.
  2. .github/renovate.json: The changes include customizations to the Renovate bot configuration, such as ignoring specific dependencies and setting up registry aliases.
  3. docker-compose.override.unit_tests_cicd.yml: The changes update the environment variables and service configurations for the Docker-based unit test environment.
  4. docker-compose.override.unit_tests.yml: The changes remove the nginx service and simplify the configuration for other services in the Docker-based unit test environment.
  5. docs/config.dev.toml: The changes enable Mermaid diagram support and disable the guessSyntax option for code syntax highlighting in the documentation.
  6. docker/entrypoint-unit-tests.sh: The changes add several command-line arguments to the python3 manage.py test command, including --failfast, --shuffle, --parallel, and --exclude-tag="non-parallel", to improve the efficiency and reliability of the unit test suite.
  7. docker/entrypoint-unit-tests-devDocker.sh: Similar to the changes in the entrypoint-unit-tests.sh file, these changes also introduce the same command-line arguments for running the unit tests.
  8. docs/content/en/getting_started/upgrading/2.36.md: The changes provide guidance for upgrading the Defect Dojo application from version 2.35.x to 2.36.x, including the requirement to upgrade the underlying PostgreSQL database.
  9. And various other files related to the Defect Dojo application's code, including changes to authorization and access control mechanisms, API endpoints, and database queries.

Code Analysis

We ran 7 analyzers against 30 files and 3 analyzers had findings. 4 analyzers had no findings.

Analyzer Findings
Configured Codepaths Analyzer 1 finding
Sensitive Files Analyzer 1 finding
Authn/Authz Analyzer 52 findings

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.


Signed-off-by: DefectDojo <defectdojo-project@owasp.org>
@blakeaowens blakeaowens closed this Jul 8, 2024
@blakeaowens blakeaowens reopened this Jul 8, 2024
@blakeaowens blakeaowens merged commit f8cff1b into dev Jul 8, 2024
128 of 129 checks passed
@Maffooch Maffooch deleted the master-into-dev/2.36.1-2.37.0-dev branch July 9, 2024 21:30