
Feat(psql): Use psycopg3 #10348

Merged (2 commits), Jul 3, 2024

Conversation

Contributor

@kiblik kiblik commented Jun 6, 2024

Django 4.2 introduced support for Psycopg 3

Psycopg 3 support
Django now supports psycopg version 3.1.8 or higher. To update your code, install the psycopg library, you don’t need to change the ENGINE as django.db.backends.postgresql supports both libraries.

Support for psycopg2 is likely to be deprecated and removed at some point in the future.
Source: https://docs.djangoproject.com/en/5.0/releases/4.2/#psycopg-3-support

This PR is blocked by #9493
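The Django release note quoted above fixes two facts that matter for this kind of driver swap: psycopg 3 needs Django 4.2 or newer and psycopg 3.1.8 or newer, and the `ENGINE` setting stays `django.db.backends.postgresql`. As an added example (not code from the DefectDojo project or from this PR), the script below checks a requirements.txt for that migration: it flags a leftover `psycopg2` / `psycopg2-binary` pin and verifies that the `psycopg` and `Django` pins meet those minimums. The requirement strings inside it are constructed samples modelled on the before/after state described in this thread (the Django pin in them is invented), and the function names are this example's own.

```python
"""Check a requirements.txt for the psycopg2 -> psycopg 3 migration.

Added example, not DefectDojo's own code. It encodes two facts from the Django
4.2 release note quoted in the PR: psycopg 3 support needs Django >= 4.2 and
psycopg >= 3.1.8. The requirement texts below are constructed samples that
mirror the before/after state described in the thread, not the real file.
"""
import re

MIN_DJANGO = (4, 2)
MIN_PSYCOPG3 = (3, 1, 8)

# name, optional [extras], optional ==version; anything after that is ignored
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?:==\s*([0-9][0-9.]*))?"
)

# Constructed sample: the state before the PR (psycopg2 wheel pinned).
BEFORE_SAMPLE = """
Django==4.2.11
psycopg2-binary==2.9.9
"""

# Constructed sample: the state after the PR (psycopg[binary]==3.1.19 is the
# pin the bot summary reports; Pillow is included to show unrelated pins are
# parsed and ignored).
AFTER_SAMPLE = """
Django==4.2.11
psycopg[binary]==3.1.19
Pillow==10.4.0
"""


def _version_tuple(version: str) -> tuple:
    """'3.1.19' -> (3, 1, 19); tuple comparison gives the ordering we need."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def parse_requirements(text: str) -> dict:
    """Map normalised package name -> pinned version (None when unpinned)."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option
            continue
        match = _REQ_RE.match(line)
        if not match:
            continue
        name = match.group(1).lower().replace("_", "-")
        pins[name] = match.group(2)
    return pins


def check_psycopg_migration(text: str) -> list:
    """Return human-readable findings; an empty list means the pins look right."""
    pins = parse_requirements(text)
    findings = []

    legacy = [n for n in ("psycopg2", "psycopg2-binary") if n in pins]
    if legacy:
        findings.append(
            f"legacy driver pinned: {', '.join(legacy)}; "
            "replace with psycopg[binary]>=3.1.8"
        )

    if "psycopg" in pins:
        version = pins["psycopg"]
        if version is None:
            findings.append(
                "psycopg is unpinned; pin a version >= 3.1.8 for reproducible builds"
            )
        elif _version_tuple(version) < MIN_PSYCOPG3:
            findings.append(
                f"psycopg=={version} is below 3.1.8, the minimum Django 4.2 supports"
            )
        django = pins.get("django")
        if django is None:  # absent or unpinned: cannot prove the 4.2 floor
            findings.append("Django is not pinned; psycopg 3 needs Django >= 4.2")
        elif _version_tuple(django) < MIN_DJANGO:
            findings.append(
                f"Django=={django} is below 4.2, which introduced psycopg 3 support"
            )
    elif not legacy:
        findings.append("no PostgreSQL driver found (neither psycopg nor psycopg2)")

    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_SAMPLE), ("after", AFTER_SAMPLE)):
        print(f"{label}: {check_psycopg_migration(sample) or 'OK'}")
```

Running the script prints one finding for the constructed "before" file (the psycopg2-binary pin) and `OK` for the "after" file. The check deliberately treats an unpinned Django as a finding rather than guessing, since the 4.2 floor is the whole reason the swap is safe without touching `ENGINE`.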


dryrunsecurity bot commented Jun 6, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

Analyzer                               Findings
Configured Codepaths Analyzer          0 findings
IDOR Analyzer                          0 findings
Sensitive Files Analyzer               1 finding
Server-Side Request Forgery Analyzer   0 findings
SQL Injection Analyzer                 0 findings
Authn/Authz Analyzer                   0 findings
Secrets Analyzer                       0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request are focused on updating the requirements.txt file for the DefectDojo project, which is a web application for managing software vulnerabilities. The key changes include updating the psycopg2-binary package to psycopg[binary]==3.1.19 and the Pillow package to version 10.4.0. These updates are likely security-related, as the previous versions of these packages may have had known vulnerabilities.

From an application security perspective, the changes are positive as they help maintain the security posture of the application by keeping dependencies up-to-date and addressing potential security vulnerabilities. The application security engineer should review the changes carefully to ensure that the updated dependencies do not introduce any new vulnerabilities or compatibility issues. Additionally, the presence of some outdated dependencies, such as django-multiselectfield and django-tagging, should be closely monitored, and a plan should be in place to eventually replace them with more secure alternatives.

Files Changed:

  • requirements.txt: This file has been updated to include the following changes:
    • The psycopg2-binary package has been updated to psycopg[binary]==3.1.19, which is likely a security-related update.
    • The Pillow package has been updated to version 10.4.0, which is also a security-related update.
    • Some outdated dependencies, such as django-multiselectfield and django-tagging, are still being used for migration purposes, but should be closely monitored and eventually replaced with more secure alternatives.

Powered by DryRun Security

@Maffooch Maffooch marked this pull request as ready for review June 14, 2024 23:56
@Maffooch
Contributor

Moved out of draft as tests are passing now

Contributor

github-actions bot commented Jul 2, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

github-actions bot commented Jul 2, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

Contributor

@mtesauro mtesauro left a comment


Approved

@mtesauro mtesauro merged commit 3b14123 into DefectDojo:dev Jul 3, 2024
125 checks passed
@kiblik kiblik deleted the Psycopg3 branch July 3, 2024 14:48
5 participants