fix(helm-psql): Drop pinning of old version of postgresql

[kiblik]

Fix #10490

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Server-Side Request Forgery Analyzer	✅	0 findings
IDOR Analyzer	✅	0 findings
SQL Injection Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
Configured Codepaths Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes are related to the Helm chart configuration for the DefectDojo application, specifically the values.yaml file. The key changes include the removal of the image.tag property for the PostgreSQL database, indicating that the PostgreSQL version is now managed automatically or through a different configuration mechanism. Additionally, the patch removes the createMysqlSecret and createPostgresqlSecret flags, suggesting that the application is now using a different approach to manage database credentials, likely through the use of existing secrets or other external configuration sources.

From an application security perspective, the changes are positive and focus on improving the security and maintainability of the DefectDojo deployment. The application is now using PostgreSQL as the primary database, which generally has better security features and performance characteristics compared to MySQL. The removal of the secret creation flags indicates that the application is now relying on external secret management, a recommended security practice. The patch also includes configurations for enabling network policies, which can help restrict the network access to and from the DefectDojo pods, and proper Ingress configuration, ensuring secure external access to the application. Additionally, the security context configurations for the Django and Nginx containers, setting the runAsUser property to 1001, is a good practice to avoid running the containers as the root user, which can help mitigate potential privilege escalation vulnerabilities.

Files Changed:

• helm/defectdojo/values.yaml: This file contains the Helm chart configuration for the DefectDojo application. The key changes include:
  • Removal of the image.tag property for the PostgreSQL database, indicating that the PostgreSQL version is now managed automatically or through a different configuration mechanism.
  • Removal of the createMysqlSecret and createPostgresqlSecret flags, suggesting that the application is now using a different approach to manage database credentials, likely through the use of existing secrets or other external configuration sources.
  • Configuration for enabling network policies, which can help restrict the network access to and from the DefectDojo pods.
  • Ingress configuration, including enabling TLS and specifying the Ingress class, to ensure secure external access to the application.
  • Security context configurations for the Django and Nginx containers, setting the runAsUser property to 1001, to avoid running the containers as the root user.

Powered by DryRun Security

[mtesauro]

Approved