Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Deprecate Python-jose and migrate okta to python_social_auth #10117

Merged
merged 4 commits into from
Jul 13, 2024

Conversation

manuel-sommer
Copy link
Contributor

@manuel-sommer manuel-sommer commented May 4, 2024

Python-jose can be deprecated if we switch to python_social_auth

Copy link

dryrunsecurity bot commented May 4, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Server-Side Request Forgery Analyzer 0 findings
Configured Codepaths Analyzer 2 findings
IDOR Analyzer 0 findings
Sensitive Files Analyzer 1 finding
SQL Injection Analyzer 0 findings
Authn/Authz Analyzer 1 finding
Secrets Analyzer 0 findings

Note

🔴 Risk threshold exceeded. Adding a reviewer if one is configured in .dryrunsecurity.yaml.

notification list: @mtesauro @grendel513

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request focus on updating the authentication backends, modifying a settings file hash, and updating the project's dependencies. From an application security perspective, these changes appear to be positive improvements that enhance the security of the DefectDojo application.

The key changes include replacing the custom 'dojo.okta.OktaOAuth2' backend with the more widely-used 'social_core.backends.okta.OktaOAuth2' backend, which may provide better security practices and bug fixes. The order of the authentication backends has also been updated, which can be important for security.

Additionally, the changes to the requirements.txt file show that the project is using secure libraries, such as argon2-cffi for password hashing and djangosaml2 for SAML2 authentication. The removal of the Python-jose library, which has had security vulnerabilities in the past, is also a positive security improvement.

Overall, these changes seem to be focused on improving the security of the DefectDojo application by updating authentication mechanisms, verifying the integrity of configuration files, and maintaining secure dependencies.

Files Changed:

  1. dojo/settings/settings.dist.py: This file has been updated to replace the 'dojo.okta.OktaOAuth2' backend with the 'social_core.backends.okta.OktaOAuth2' backend and change the order of the authentication backends.
  2. dojo/settings/.settings.dist.py.sha256sum: The SHA-256 hash value for the .settings.dist.py file has been updated, indicating that the contents of the settings file have been modified.
  3. requirements.txt: The project's dependencies have been updated, including the removal of the Python-jose library and the inclusion of several security-related libraries, such as cryptography, PyJWT, and argon2-cffi.

Powered by DryRun Security

@manuel-sommer
Copy link
Contributor Author

I just saw that python-jose is used

from jose import jwt

We also have PyJWT in requirements.txt How about migrating okta.py to PyJWT?

What is your opinion @Maffooch and @cneill ?

@manuel-sommer manuel-sommer marked this pull request as draft May 4, 2024 19:24
@manuel-sommer
Copy link
Contributor Author

@Maffooch
Copy link
Contributor

Maffooch commented May 6, 2024

We could probably get rid of our version of the okta backend and instead use https://github.com/python-social-auth/social-core/blob/master/social_core/backends/okta.py

At the time, the PR to add the okta backend https://github.com/python-social-auth/social-core was not getting in quick enough for DefectDojo, so we copied the code, and pasted it in here

@manuel-sommer manuel-sommer force-pushed the rm_pythonjose branch 2 times, most recently from 99d717f to 9b39a66 Compare May 14, 2024 07:25
@github-actions github-actions bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label May 14, 2024
@manuel-sommer manuel-sommer changed the title remove Python-jose Deprecate Python-jose and migrate okta to python_social_auth May 14, 2024
@manuel-sommer manuel-sommer marked this pull request as ready for review May 14, 2024 07:31
@manuel-sommer
Copy link
Contributor Author

Done @Maffooch. Could you give me feedback here?

Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@manuel-sommer
Copy link
Contributor Author

As soon as you start reviewing it, I will resolve the conflicts here @Maffooch. Otherwise, I might have to resolve conflicts multiple times.

Copy link
Contributor

@Maffooch Maffooch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your patience @manuel-sommer this one got a little burried

Copy link
Contributor

github-actions bot commented Jul 3, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

Copy link
Contributor

github-actions bot commented Jul 3, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@mtesauro
Copy link
Contributor

mtesauro commented Jul 3, 2024

@manuel-sommer Mind fixing the merge conflicts on this one so we can work on getting the remaining approvals?

Copy link
Contributor

github-actions bot commented Jul 3, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@manuel-sommer
Copy link
Contributor Author

Done @mtesauro

Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

Copy link

dryrunsecurity bot commented Jul 11, 2024

DryRun Security Summary

The pull request focuses on several security-related updates to the DefectDojo application, including an authentication backend update, dependency updates, and an integrity verification update that raises some security concerns.

Expand for full summary

Summary:

The code changes in this pull request focus on several security-related updates to the DefectDojo application:

  1. Authentication Backend Update: The change in the authentication backend from "dojo.okta.OktaOAuth2" to "social_core.backends.okta.OktaOAuth2" is a positive security improvement, as it uses a more widely-used and maintained authentication library, which can help prevent potential security vulnerabilities.

  2. Dependency Updates: The changes to the requirements.txt file suggest that the application is undergoing updates to its security-related functionality, including improvements to software component management, vulnerability tracking, and user authentication. The removal of the Python-jose library and the addition of several new libraries, such as argon2-cffi and django-ratelimit, indicate a focus on enhancing the application's security posture.

  3. Integrity Verification Update: The change to the dojo/settings/.settings.dist.py.sha256sum file raises some security concerns, as it could potentially allow an attacker to modify the settings.dist.py file without being detected. This highlights the importance of implementing a robust integrity verification process to ensure the security of the application's configuration files.

Files Changed:

  1. dojo/settings/settings.dist.py: The changes in this file update the authentication backend for the DefectDojo application, replacing the "dojo.okta.OktaOAuth2" backend with the "social_core.backends.okta.OktaOAuth2" backend. This is a positive security improvement, as it uses a more widely-used and maintained authentication library.

  2. requirements.txt: The changes in this file remove the Python-jose library and add several new libraries, such as cpe, packageurl-python, django-ratelimit, and argon2-cffi. These changes suggest that the application is undergoing updates to its security-related functionality, including improvements to software component management, vulnerability tracking, and user authentication.

  3. dojo/settings/.settings.dist.py.sha256sum: The changes in this file update the SHA-256 checksum for the settings.dist.py file, indicating that the contents of the file have been modified. This raises some security concerns, as it could potentially allow an attacker to modify the settings.dist.py file without being detected.

Code Analysis

We ran 7 analyzers against 4 files and 3 analyzers had findings. 4 analyzers had no findings.

Analyzer Findings
Configured Codepaths Analyzer 2 findings
Sensitive Files Analyzer 1 finding
Authn/Authz Analyzer 1 finding

Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.

@manuel-sommer
Copy link
Contributor Author

Awesome, that we can get this on the road :-)

Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@mtesauro
Copy link
Contributor

@manuel-sommer Was about to merge this since it has 4 approvals - mind fixing the merge conflicts

Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@manuel-sommer
Copy link
Contributor Author

Done @mtesauro

@mtesauro
Copy link
Contributor

@manuel-sommer
Thank you sir!

@mtesauro mtesauro merged commit ca07945 into DefectDojo:dev Jul 13, 2024
122 of 123 checks passed
@manuel-sommer manuel-sommer deleted the rm_pythonjose branch July 13, 2024 07:22
mwager added a commit to mwager/django-DefectDojo that referenced this pull request Jul 16, 2024
… kiuwan-sca

# By dependabot[bot] (13) and others
# Via GitHub
* 'kiuwan-sca' of github.com:mwager/django-DefectDojo: (39 commits)
  Deprecate Python-jose and migrate okta to python_social_auth (DefectDojo#10117)
  fix: dockerfile warnings (DefectDojo#10505)
  Ruff: Add and fix Q000 (DefectDojo#10095)
  Fix(django): Upgrade of 4.2 (DefectDojo#10553)
  fix(deps): build python psycopg3 dependency instead of use the pre-build binary (DefectDojo#10491)
  Bump coverage from 7.5.4 to 7.6.0 (DefectDojo#10560)
  Bump asteval from 1.0.0 to 1.0.1 (DefectDojo#10561)
  Bump djangorestframework from 3.14.0 to 3.15.2 (DefectDojo#10431)
  Bump boto3 from 1.34.142 to 1.34.143 (DefectDojo#10558)
  Bump django-debug-toolbar from 4.4.5 to 4.4.6 (DefectDojo#10557)
  Bump boto3 from 1.34.141 to 1.34.142 (DefectDojo#10551)
  Bump packageurl-python from 0.15.2 to 0.15.3 (DefectDojo#10541)
  Bump boto3 from 1.34.140 to 1.34.141 (DefectDojo#10542)
  Update helm lock file
  Update versions in application files
  Update versions in application files
  API: Convert get_filterset calls to get_queryset (DefectDojo#10543)
  Bump django-debug-toolbar from 4.4.4 to 4.4.5 (DefectDojo#10527)
  Fix ruff
  Ruff fix
  ...

# Conflicts:
#	dojo/settings/.settings.dist.py.sha256sum
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants