Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(docker): Use Python 3.12 in docker images #10473

Draft
wants to merge 8 commits into
base: dev
Choose a base branch
from

Conversation

kiblik
Copy link
Contributor

@kiblik kiblik commented Jun 28, 2024

Next try for #10333

Copy link

dryrunsecurity bot commented Jun 28, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Server-Side Request Forgery Analyzer 0 findings
Configured Codepaths Analyzer 0 findings
IDOR Analyzer 0 findings
Sensitive Files Analyzer 0 findings
SQL Injection Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes are related to updating the base Docker images used in the deployment of a Django-based application. The key changes include:

  1. Upgrading the base Python image from version 3.11.9 to 3.12.4 across multiple Dockerfiles, which is a good security practice to ensure the application is running on the latest version with the latest security patches and bug fixes.

  2. Ensuring the necessary dependencies are installed, such as system-level libraries, web server configurations (Nginx), and testing-specific tools (Chrome, ChromeDriver, OpenAPI Generator), to provide a complete and consistent environment for the application.

  3. Implementing security best practices, such as running the application as a non-root user, using environment variables to manage sensitive information, and verifying the integrity of downloaded packages.

  4. Addressing deprecation warnings and improving the user interface by updating the Django form renderer configuration.

From an application security perspective, the changes appear to be focused on maintaining the security and stability of the application's deployment environment. The updates to the base Python image, dependency management, and security-related configurations are all positive steps towards ensuring the overall security posture of the application.

Files Changed:

  1. Dockerfile.django-debian: Updates the base Python image from 3.11.9 to 3.12.4, following security best practices such as using a slim-based image, installing only necessary dependencies, and running the application as a non-root user.

  2. Dockerfile.django-alpine: Similar to the changes in Dockerfile.django-debian, this file updates the base Python image and installs the necessary dependencies for the Django application, also following security best practices.

  3. Dockerfile.integration-tests-debian: Updates the base Python image and installs additional dependencies required for running integration tests with Selenium and Google Chrome, ensuring a secure and consistent testing environment.

  4. Dockerfile.nginx-alpine: Updates the base Python image and includes the configuration for the Nginx web server, including TLS/SSL settings and metrics monitoring, which should be carefully reviewed for security implications.

  5. Dockerfile.nginx-debian: Similar to the changes in Dockerfile.nginx-alpine, this file updates the base Python image and includes the Nginx web server configuration.

  6. dojo/settings/settings.dist.py: Addresses a deprecation warning related to the pkg_resources module and updates the default renderer for Django forms, improving the user interface.

Powered by DryRun Security

Copy link
Contributor

github-actions bot commented Jul 8, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@kiblik kiblik force-pushed the docker_python3.12 branch from 0b10ebe to aad6158 Compare July 8, 2024 17:02
@github-actions github-actions bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label Jul 8, 2024
@kiblik kiblik force-pushed the docker_python3.12 branch from aad6158 to 5fcbb12 Compare July 8, 2024 17:10
Copy link
Contributor

github-actions bot commented Jul 8, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

Copy link

dryrunsecurity bot commented Jul 8, 2024

DryRun Security Summary

This pull request updates various Dockerfiles and configuration files for the DefectDojo application, focusing on updating dependencies, improving build processes, and enhancing security-related settings to ensure the latest security patches are applied and secure practices are implemented.

Expand for full summary

Summary:

The code changes in this pull request cover various Dockerfiles and configuration files for the DefectDojo application, with a focus on updating dependencies, improving build processes, and enhancing security-related settings.

The key security-related changes include:

  1. Updating base image versions, such as Python and nginx, to ensure the latest security patches are applied.
  2. Installing necessary system dependencies and managing their versions to mitigate potential security vulnerabilities.
  3. Implementing secure practices, such as using dedicated user accounts, managing permissions, and caching dependencies to improve build reproducibility.
  4. Reviewing and updating security-related settings in the Django configuration file, including CSRF protection, session cookies, HTTPS redirection, authentication methods, and file upload restrictions.
  5. Ensuring the integrity of the Django configuration file by updating the checksum file.

While the changes generally appear to be focused on improving the application's security and stability, it is important to thoroughly review the actual code changes, test the application's functionality, and monitor the deployed environment for any potential security issues.

Files Changed:

  1. Dockerfile.integration-tests-debian: Updates the base Python image and installs dependencies for running integration tests, including Google Chrome and ChromeDriver. The use of hardcoded version URLs should be reviewed for potential security implications.
  2. Dockerfile.django-alpine: Updates the base Python image and installs various system dependencies for the Django-based application running on Alpine Linux. The changes focus on improving the build process and managing user/permission settings.
  3. Dockerfile.nginx-alpine: Updates the base images and dependencies for the nginx-based Docker image, including Python, Node.js, Yarn, and nginx itself. The changes also update the nginx configuration files, which should be reviewed for security best practices.
  4. Dockerfile.django-debian: Updates the base Python image and installs system dependencies for the Django-based application running on Debian. The changes focus on improving the build process and managing user/permission settings.
  5. Dockerfile.nginx-debian: Updates the base Python image used for the NGINX-Debian deployment, which may introduce changes in the language, standard library, and third-party dependencies.
  6. dojo/settings/.settings.dist.py.sha256sum: The checksum file for the Django settings file has been updated, indicating that the actual settings file has been modified. The changes to the settings file should be reviewed to ensure that no security vulnerabilities have been introduced.
  7. dojo/settings/settings.dist.py: The Django settings file has been updated with various changes, including security-related settings, authentication configurations, and Defect Dojo-specific settings. These changes should be carefully reviewed to ensure that the application's security posture is maintained.

Code Analysis

We ran 9 analyzers against 7 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

@kiblik kiblik force-pushed the docker_python3.12 branch 2 times, most recently from d38b2b0 to f290717 Compare July 9, 2024 07:39
Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@kiblik kiblik closed this Aug 30, 2024
@kiblik kiblik reopened this Aug 30, 2024
Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
conflicts-detected docker settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant