Release: Merge back 2.36.0 into bugfix from: master-into-bugfix/2.36.0-2.37.0-dev

[github-actions]

Release triggered by Maffooch

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Server-Side Request Forgery Analyzer	✅	0 findings
Configured Codepaths Analyzer	✅	0 findings
IDOR Analyzer	✅	0 findings
Sensitive Files Analyzer	❕	1 finding
SQL Injection Analyzer	✅	0 findings
Authn/Authz Analyzer	❕	22 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes cover a wide range of updates and improvements to the DefectDojo application, including changes to the GitHub Actions workflows, Docker build configurations, documentation, and various application modules. The changes focus on enhancing the security, reliability, and functionality of the application.

Some key security-related highlights include:

1. Updating the database backend from MySQL to PostgreSQL and the message queue from RabbitMQ to Redis, which requires thorough testing and review to ensure secure configurations.
2. Improving the Docker image versioning, caching, and multi-arch support to ensure the integrity and security of the deployment environment.
3. Enhancing the authorization and exception handling mechanisms to provide better security and user experience.
4. Implementing rate limiting and account lockout functionality to protect against potential abuse or attacks.
5. Reviewing the handling of sensitive data, such as API keys, credentials, and security findings, to ensure proper security measures are in place.
6. Maintaining up-to-date dependencies and addressing potential security vulnerabilities.

Overall, the changes appear to be focused on improving the security, stability, and functionality of the DefectDojo application. As an application security engineer, I would recommend thoroughly reviewing the changes, testing the application in various environments, and ensuring that the security best practices are followed throughout the codebase and deployment process.

Files Changed:

1. .github/workflows/rest-framework-tests.yml: Updates the GitHub Actions workflow to run unit tests using a PostgreSQL database and a phased startup approach.
2. .github/workflows/build-docker-images-for-testing.yml: Updates the Docker build workflow to use the latest version of the docker/build-push-action and implement caching and multi-arch support.
3. .github/workflows/release-x-manual-docker-containers.yml: Updates the manual Docker release workflow to include versioning, tagging, and secure credential management.
4. .github/workflows/integration-tests.yml: Updates the integration test workflow to use PostgreSQL and Redis as the database and message queue backends, respectively.
5. components/package.json: Updates the project dependencies, which should be reviewed for any security-related changes.
6. Dockerfile.nginx-debian and Dockerfile.nginx-alpine: Updates the NGINX-based Docker images with a secure base image, least-privilege user, and environment variable configuration.
7. docker-compose.yml: Updates the Docker Compose configuration to use the latest versions of the PostgreSQL and Redis services.
8. Various Python files in the dojo/ directory: Includes changes to authorization, rate limiting, exception handling, report generation, and other application-level functionality, which should be reviewed for security implications.

Powered by DryRun Security