
Django AuditLog: Upgrade to 3.x #11592

Merged (12 commits), Jan 31, 2025

Conversation

Maffooch
Contributor

@Maffooch Maffooch commented Jan 17, 2025

django-auditlog has a new version that will make filtering and other things more efficient

[sc-5527]

@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR docs ui labels Jan 17, 2025

dryrunsecurity bot commented Jan 17, 2025

DryRun Security Summary

The pull request implements various security-focused improvements to the DefectDojo application, including optimized GitHub Actions workflows, enhanced deduplication logic, better false positive handling, updated audit logging, and general bug fixes, all aimed at improving the application's ability to track and manage security-related data.


Summary:

The code changes in this pull request cover a wide range of updates to the DefectDojo application, primarily focused on improving the application's security-related functionality, such as the handling of duplicate findings, false positive history, and GitHub Actions workflows.

The key security-related changes include:

  1. Optimizations to the GitHub Actions workflows, including the use of the --no-deps flag to start only the necessary services, which can help improve the reliability and efficiency of the testing process.
  2. Improvements to the deduplication logic, including the introduction of a new _copy_model_util function and updates to the Finding model to calculate and store a hash code for better deduplication.
  3. Enhancements to the handling of false positive findings, including the ability to propagate the false positive status across related findings, tests, and engagements.
  4. Updates to the audit log functionality, including the migration to a more structured JSON format and the introduction of new configuration settings.
  5. Miscellaneous bug fixes and code cleanups, such as the removal of legacy helper scripts and the diversification of disclaimer fields.

From an application security perspective, these changes generally appear to be positive, as they focus on improving the security-related features and functionality of the DefectDojo application. The changes to the deduplication logic, false positive handling, and audit log management are particularly noteworthy, as they can have a direct impact on the application's ability to accurately track and manage security-related data.

However, as with any code changes, it's important to thoroughly review and test the implementation to ensure that no new security vulnerabilities are introduced. Additionally, the application's overall security posture should be regularly assessed, including aspects such as input validation, authentication, authorization, and secure coding practices.

Files Changed:

  1. .github/workflows/rest-framework-tests.yml, .github/workflows/integration-tests.yml, and .github/workflows/fetch-oas.yml: These files contain updates to the GitHub Actions workflows, primarily focused on optimizing the startup of Docker Compose services during the testing process.
  2. docs/content/en/open_source/upgrading/2.43.md: This file contains information about the changes introduced in version 2.43 of the DefectDojo application, including the audit log migration, the removal of legacy helper scripts, and the diversification of disclaimer fields.
  3. requirements.txt: This file updates the django-auditlog package from version 2.3.0 to 3.0.0.
  4. dojo/templatetags/display_tags.py: This file includes a security-focused change to use the literal_eval function instead of json.loads when parsing the value string in the action_log_entry filter.
  5. dojo/settings/settings.dist.py: This file includes changes to the audit log and other settings that could have security implications and should be reviewed carefully.
  6. unittests/test_copy_model.py, dojo/models.py, unittests/test_duplication_loops.py, unittests/test_deduplication_logic.py, unittests/test_utils_deduplication_reopen.py, and unittests/test_false_positive_history_logic.py: These files contain changes and additions to the test suite, focusing on the deduplication, false positive handling, and related functionality of the application.

Code Analysis

We ran 9 analyzers against 13 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding

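The bot's summary mentions two related pieces of this upgrade: the audit log moving to a structured JSON format, and the `action_log_entry` template filter switching from `json.loads` to `literal_eval` when parsing a change value. The block below is an added, stand-alone example written for this page; it is not the PR's code nor DefectDojo's own filter. It assumes that django-auditlog 2.x kept `LogEntry.changes` as a JSON string and 3.x stores the same mapping as a dict, that each field maps to an `[old, new]` pair whose non-scalar values were stringified with `str()` (so a list appears as the Python repr `"['a', 'b']"`, which is not valid JSON), and it uses invented function names, constructed sample entries and an arbitrary length cap. It shows why `ast.literal_eval` is the safe way to recover such values (it rejects calls and names rather than executing them, unlike `eval`), and how to render both the old and the new storage forms identically.

```python
import ast
import json
from typing import Any

# Guard against pathological inputs: ast.literal_eval and json.loads both
# refuse to execute code, but deeply nested literals can still burn CPU or
# raise RecursionError.  The cap is an arbitrary assumption for this example.
MAX_VALUE_LEN = 10_000

# Constructed sample data, not entries taken from DefectDojo or the PR.
# Assumption: django-auditlog 2.x kept LogEntry.changes as a JSON string in a
# TextField, while 3.x stores the same mapping as a dict in a JSONField.  Each
# field maps to [old, new]; non-scalar values arrive stringified by str(), so
# a list shows up as the Python repr "['a', 'b']", which is not valid JSON.
LEGACY_CHANGES_TEXT = (
    '{"title": ["Old title", "New title"], '
    '"tags": ["[\'a\']", "[\'a\', \'b\']"], '
    '"active": ["True", "False"]}'
)
NEW_CHANGES_DICT = {
    "title": ["Old title", "New title"],
    "tags": ["['a']", "['a', 'b']"],
    "active": ["True", "False"],
}


def load_changes(changes: Any) -> dict:
    """Accept the 2.x string form or the 3.x dict form of LogEntry.changes."""
    if isinstance(changes, dict):
        return changes
    if isinstance(changes, (str, bytes, bytearray)):
        loaded = json.loads(changes)
        if not isinstance(loaded, dict):
            raise ValueError("changes must decode to a JSON object")
        return loaded
    raise TypeError(f"unsupported changes type: {type(changes).__name__}")


def parse_change_value(value: Any) -> Any:
    """Turn one stringified old/new value back into a Python object.

    json.loads covers values that were serialised as JSON; ast.literal_eval
    covers Python reprs (single quotes, True/False/None).  Neither evaluates
    names, calls or operators, so "__import__('os').system('id')" is rejected
    instead of run (eval() would have run it).  Anything that is neither is
    returned unchanged as the display string.
    """
    if not isinstance(value, str):
        return value
    if len(value) > MAX_VALUE_LEN:
        return value
    try:
        return json.loads(value)
    except ValueError:  # json.JSONDecodeError subclasses ValueError
        pass
    try:
        return ast.literal_eval(value)
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        return value


def render_changes(changes: Any) -> list:
    """Flatten a changes payload into (field, old, new) rows for a template."""
    rows = []
    for field, pair in sorted(load_changes(changes).items()):
        if not (isinstance(pair, (list, tuple)) and len(pair) == 2):
            raise ValueError(f"field {field!r} is not an [old, new] pair")
        rows.append((field, parse_change_value(pair[0]), parse_change_value(pair[1])))
    return rows


if __name__ == "__main__":
    for row in render_changes(LEGACY_CHANGES_TEXT):
        print(row)
```

One caveat worth keeping in mind when a template filter does this: the values it parses can originate from user-controlled fields (a finding title, for instance), so the parser must be one that cannot execute anything and should be bounded in cost; `literal_eval` satisfies the first requirement, and the length cap plus the `RecursionError` handler cover the second. Note also that a plain string such as `"1"` or `"True"` will come back typed (`1`, `True`) rather than as text, which is usually what a diff view wants but is a behaviour change to be aware of.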

@github-actions github-actions bot removed the parser label Jan 17, 2025
Contributor

@mtesauro mtesauro left a comment


Approved

Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@Maffooch
Contributor Author

These tests run and pass locally... Closing and reopening

@Maffooch Maffooch closed this Jan 30, 2025
@Maffooch Maffooch reopened this Jan 30, 2025
@Maffooch Maffooch merged commit 06596fc into DefectDojo:dev Jan 31, 2025
73 checks passed
@Maffooch Maffooch deleted the audit-log branch January 31, 2025 02:48
Labels
docs settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR ui unittests
6 participants