Deprecate Python-jose and migrate okta to python_social_auth #10117
Conversation
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.
Note 🔴 Risk threshold exceeded. Adding a reviewer if one is configured in notification list: @mtesauro @grendel513
Change Summary
The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.
Summary: The changes in this pull request focus on updating the authentication backends, modifying a settings file hash, and updating the project's dependencies. From an application security perspective, these changes appear to be positive improvements that enhance the security of the DefectDojo application. The key changes include replacing the custom Additionally, the changes to the Overall, these changes seem to be focused on improving the security of the DefectDojo application by updating authentication mechanisms, verifying the integrity of configuration files, and maintaining secure dependencies.
Files Changed:
Powered by DryRun Security
I just saw that python-jose is used in django-DefectDojo/dojo/okta.py (line 8 in f66e6db).
We also have PyJWT in requirements.txt. How about migrating okta.py to PyJWT?
We could probably get rid of our version of the okta backend and instead use https://github.com/python-social-auth/social-core/blob/master/social_core/backends/okta.py. At the time, the PR to add the okta backend to https://github.com/python-social-auth/social-core was not getting in quickly enough for DefectDojo, so we copied the code and pasted it in here.
Done @Maffooch. Could you give me feedback here?
This pull request has conflicts, please resolve those before we can evaluate the pull request.
As soon as you start reviewing it, I will resolve the conflicts here @Maffooch. Otherwise, I might have to resolve conflicts multiple times.
Thank you for your patience @manuel-sommer, this one got a little buried.
Conflicts have been resolved. A maintainer will review the pull request shortly.
This pull request has conflicts, please resolve those before we can evaluate the pull request.
@manuel-sommer Mind fixing the merge conflicts on this one so we can work on getting the remaining approvals?
Conflicts have been resolved. A maintainer will review the pull request shortly.
Done @mtesauro
Approved
DryRun Security Summary
The pull request focuses on several security-related updates to the DefectDojo application, including an authentication backend update, dependency updates, and an integrity verification update that raises some security concerns.
Summary: The code changes in this pull request focus on several security-related updates to the DefectDojo application:
Files Changed:
Code Analysis
We ran
Riskiness
🔴 Risk threshold exceeded. We've notified @mtesauro, @grendel513.
Awesome, that we can get this on the road :-)
This pull request has conflicts, please resolve those before we can evaluate the pull request.
@manuel-sommer Was about to merge this since it has 4 approvals - mind fixing the merge conflicts
Conflicts have been resolved. A maintainer will review the pull request shortly.
Done @mtesauro
@manuel-sommer
… kiuwan-sca
# By dependabot[bot] (13) and others
# Via GitHub
* 'kiuwan-sca' of github.com:mwager/django-DefectDojo: (39 commits)
  Deprecate Python-jose and migrate okta to python_social_auth (DefectDojo#10117)
  fix: dockerfile warnings (DefectDojo#10505)
  Ruff: Add and fix Q000 (DefectDojo#10095)
  Fix(django): Upgrade of 4.2 (DefectDojo#10553)
  fix(deps): build python psycopg3 dependency instead of use the pre-build binary (DefectDojo#10491)
  Bump coverage from 7.5.4 to 7.6.0 (DefectDojo#10560)
  Bump asteval from 1.0.0 to 1.0.1 (DefectDojo#10561)
  Bump djangorestframework from 3.14.0 to 3.15.2 (DefectDojo#10431)
  Bump boto3 from 1.34.142 to 1.34.143 (DefectDojo#10558)
  Bump django-debug-toolbar from 4.4.5 to 4.4.6 (DefectDojo#10557)
  Bump boto3 from 1.34.141 to 1.34.142 (DefectDojo#10551)
  Bump packageurl-python from 0.15.2 to 0.15.3 (DefectDojo#10541)
  Bump boto3 from 1.34.140 to 1.34.141 (DefectDojo#10542)
  Update helm lock file
  Update versions in application files
  Update versions in application files
  API: Convert get_filterset calls to get_queryset (DefectDojo#10543)
  Bump django-debug-toolbar from 4.4.4 to 4.4.5 (DefectDojo#10527)
  Fix ruff
  Ruff fix
  ...
# Conflicts:
# dojo/settings/.settings.dist.py.sha256sum
Python-jose can be deprecated if we switch to python_social_auth