feat(docker): Use Python 3.12 in docker images #10473
Conversation
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🟢 Risk threshold not exceeded. Change Summary: The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective. Summary: The provided code changes are related to updating the base Docker images used in the deployment of a Django-based application. The key changes include:
From an application security perspective, the changes appear to be focused on maintaining the security and stability of the application's deployment environment. The updates to the base Python image, dependency management, and security-related configurations are all positive steps towards ensuring the overall security posture of the application. Files Changed:
Powered by DryRun Security
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Conflicts have been resolved. A maintainer will review the pull request shortly.
DryRun Security Summary: This pull request updates various Dockerfiles and configuration files for the DefectDojo application, focusing on updating dependencies, improving build processes, and enhancing security-related settings to ensure the latest security patches are applied and secure practices are implemented. Summary: The code changes in this pull request cover various Dockerfiles and configuration files for the DefectDojo application, with a focus on updating dependencies, improving build processes, and enhancing security-related settings. The key security-related changes include:
While the changes generally appear to be focused on improving the application's security and stability, it is important to thoroughly review the actual code changes, test the application's functionality, and monitor the deployed environment for any potential security issues. Files Changed:
Code Analysis: We ran. Riskiness: 🟢 Risk threshold not exceeded.
d38b2b0 to f290717
This pull request has conflicts, please resolve those before we can evaluate the pull request.
f290717 to 823092d
823092d to cfd27eb
Conflicts have been resolved. A maintainer will review the pull request shortly.
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Hey @kiblik, I'm closing this one out for now until we are ready to make this move.
This pull request has conflicts, please resolve those before we can evaluate the pull request.
75966e4 to cf7c2d0
Conflicts have been resolved. A maintainer will review the pull request shortly.
@valentijnscholten, can we target this PR to
We have a bunch of changes landing in 2.50.0 so I wonder if it makes sense to hold off till 2.51.0 for this change.
This pull request has conflicts, please resolve those before we can evaluate the pull request.
cf7c2d0 to e6e52d5
Conflicts have been resolved. A maintainer will review the pull request shortly.
🟡 Please give this pull request extra attention during review. This pull request introduces notification descriptions in dojo/jira_link/views.py that directly interpolate user-controlled values (jform.cleaned_data['configuration_name'] and request.user) into f-strings without any escaping or encoding, creating a stored/reflected XSS risk when those descriptions are later rendered. The unsafe interpolations appear in multiple places (around the post method and edit flows) and could allow attackers to inject HTML/JS into notifications or pages.
🟡 Potential Cross-Site Scripting in dojo/jira_link/views.py

| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | In dojo/jira_link/views.py (post method, around the change at line ~387) the patch interpolates user-controlled data directly into a notification description: description=f'JIRA "{jform.cleaned_data.get('configuration_name')}" was added by {request.user}'. The value returned from jform.cleaned_data['configuration_name'] comes from form input (user-supplied) and request.user (e.g. username) can also contain attacker-controlled content. Those values are passed into create_notification without any escaping or sanitization. If create_notification stores and later renders the description into an HTML response without proper output encoding, an attacker could supply markup or script in the configuration_name or user fields to produce stored XSS (malicious script executed in other users' browsers). |

django-DefectDojo/dojo/jira_link/views.py
Lines 387 to 393 in 64ad8e9

    create_notification(
        event="jira_config_added",
        title=f"New addition of JIRA: {jform.cleaned_data.get('configuration_name')}",
        description=f'JIRA "{jform.cleaned_data.get('configuration_name')}" was added by {request.user}',
        url=request.build_absolute_uri(reverse("jira")))
    return HttpResponseRedirect(reverse("jira"))
🟡 Potential Cross-Site Scripting in dojo/jira_link/views.py

| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | In dojo/jira_link/views.py the patch adds the following interpolation in post(): description=f'JIRA "{jform.cleaned_data.get('configuration_name')}" was added by {request.user}'. This inserts user-controlled data (jform.cleaned_data.get('configuration_name')) directly into a notification description without any escaping or encoding. jform.cleaned_data is populated from form input and can contain attacker-controlled values; interpolating it into a string that is likely stored and later rendered in HTML (notifications UI, pages, or JS-driven popups) creates a vector for stored or reflected XSS if that description is rendered into responses without proper output encoding. Additionally, {request.user} is interpolated and may include attacker-controllable display names. Because the change introduces raw user-supplied content into a field that will be shown to users, it can lead to cross-site scripting when rendered in an HTML/JS context. |

django-DefectDojo/dojo/jira_link/views.py
Lines 432 to 438 in 64ad8e9

    create_notification(
        event="jira_config_added",
        title=f"New addition of JIRA: {jform.cleaned_data.get('configuration_name')}",
        description=f'JIRA "{jform.cleaned_data.get('configuration_name')}" was added by {request.user}',
        url=request.build_absolute_uri(reverse("jira")))
    return HttpResponseRedirect(reverse("jira"))
🟡 Potential Cross-Site Scripting in dojo/jira_link/views.py

| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | In dojo/jira_link/views.py (hunk around line 486) the patch adds a notification description constructed with an f-string that directly interpolates potentially attacker-controlled values: description=f'JIRA "{jform.cleaned_data.get("configuration_name")}" was edited by {request.user}'. The interpolated values are: jform.cleaned_data.get('configuration_name'), which comes from form input (user-supplied configuration name); and request.user, whose string representation (username) can be controlled by a user account. Those values are concatenated into the notification description with no escaping or encoding at the point of construction. If create_notification persists this description and it is later rendered into an HTML response or notification UI without proper output-encoding/escaping, an attacker could include HTML or JavaScript in the configuration_name or username and cause stored XSS. The change therefore introduces a direct flow of unsanitized user input into content that is likely to be rendered to users, which can lead to cross-site scripting. |

django-DefectDojo/dojo/jira_link/views.py
Lines 486 to 492 in 64ad8e9

    create_notification(
        event="jira_config_edited",
        title=f"Edit of JIRA: {jform.cleaned_data.get('configuration_name')}",
        description=f'JIRA "{jform.cleaned_data.get('configuration_name')}" was edited by {request.user}',
        url=request.build_absolute_uri(reverse("jira")))
    return HttpResponseRedirect(reverse("jira"))
All finding details can be found in the DryRun Security Dashboard.
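The three findings above all describe the same pattern: a user-controlled value (the configuration name, the username) interpolated raw into notification text that may later be rendered as HTML. The block below is an added example written for this page, not DefectDojo code and not part of the bot's report. It puts the raw pattern beside an escaped version and adds a small audit that flags stored records still carrying tag-like markup. It uses the standard library's html.escape as a stand-in for Django's django.utils.html.escape/format_html (an assumption about how a Django code base would do this), the Notification dataclass and the sample records are constructed here, and the markup in the sample name is a deliberately harmless <b> tag.

```python
"""Added example (not DefectDojo code): escape user-controlled values before they
enter notification text, and audit stored notifications for raw markup.
html.escape stands in for Django's escaping helpers (an assumption)."""
from dataclasses import dataclass
from html import escape
import re

# Coarse heuristic for "this string contains the start of an HTML tag".
# Constructed for the audit below; it is not an HTML parser.
TAG_START = re.compile(r"<\s*/?\s*[A-Za-z!]")


@dataclass(frozen=True)
class Notification:
    """Minimal stand-in for a stored notification record (constructed type)."""
    event: str
    title: str
    description: str


def build_description_unsafe(configuration_name: str, username: str) -> str:
    """The pattern the findings describe: both values interpolated raw, so any
    markup in them survives into the stored description."""
    return f'JIRA "{configuration_name}" was added by {username}'


def build_description_safe(configuration_name: str, username: str) -> str:
    """Same text, but each user-controlled value is HTML-escaped when the
    description is built.  html.escape encodes < > & " and ', so the value can
    only ever render as text; the literal quotes around the name are part of
    the template and stay intact."""
    return f'JIRA "{escape(configuration_name)}" was added by {escape(username)}'


def find_unescaped_markup(notifications):
    """Return the events of records whose title or description still contain a
    raw tag opener.  Running this over existing notification rows tells a
    defender which records need escaping before they are rendered."""
    return [
        n.event
        for n in notifications
        if TAG_START.search(n.title) or TAG_START.search(n.description)
    ]


# Constructed sample records: one built with the raw pattern, one escaped.
NAME = "team-a<b>bold</b>"
USER = "alice"
SAMPLE_NOTIFICATIONS = [
    Notification("jira_config_added",
                 f"New addition of JIRA: {NAME}",
                 build_description_unsafe(NAME, USER)),
    Notification("jira_config_edited",
                 f"Edit of JIRA: {escape(NAME)}",
                 build_description_safe(NAME, USER)),
]

if __name__ == "__main__":
    print(build_description_unsafe(NAME, USER))
    print(build_description_safe(NAME, USER))
    print("records needing attention:", find_unescaped_markup(SAMPLE_NOTIFICATIONS))
```

Escaping at construction time is the right choice only when the description is always rendered as HTML; if the same text also goes out through a plain-text channel (an e-mail body, a chat webhook), the entities show up literally there, and the alternative is to store the raw value and escape at each render site, with the audit above used to confirm no render path was missed.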
Try to exclude pkg_resources warning
Exclude datetime.datetime.utcnow
Apply regex
Fix regex
Be more specific for filterwarnings
Correct module name
Try to exclude only based on module
e6e52d5 to 8655614
I believe this might be reviewed and merged.
Approved
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Conflicts have been resolved. A maintainer will review the pull request shortly.
Next try for #10333