
Direct Renovate to ignore MySQL and RabbitMQ packages #10511

Closed
wants to merge 23 commits into from

Conversation

cneill (Contributor) commented Jul 3, 2024

Description

Since we have deprecated MySQL and RabbitMQ as of v2.36.0, this PR will remove them from the list of packages for which Renovate will open PRs for every version bump (as seen with e.g. #10502 #10510). This is part of our gradual removal of these packages now that they are no longer supported.

This PR should be reverted once these packages are totally removed.

Test results

N/A

Documentation

N/A

DefectDojo release bot and others added 23 commits July 1, 2024 15:39
Signed-off-by: DefectDojo <[email protected]>
….36.0-2.37.0-dev

Release: Merge back 2.36.0 into dev from: master-into-dev/2.36.0-2.37.0-dev
…rt.yaml) (DefectDojo#10461)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [python-gitlab](https://github.com/python-gitlab/python-gitlab) from 4.6.0 to 4.7.0.
- [Release notes](https://github.com/python-gitlab/python-gitlab/releases)
- [Changelog](https://github.com/python-gitlab/python-gitlab/blob/main/CHANGELOG.md)
- [Commits](python-gitlab/python-gitlab@v4.6.0...v4.7.0)

---
updated-dependencies:
- dependency-name: python-gitlab
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…efectDojo#10466)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.34.135 to 1.34.136.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.135...1.34.136)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [django-test-migrations](https://github.com/wemake-services/django-test-migrations) from 1.3.0 to 1.4.0.
- [Release notes](https://github.com/wemake-services/django-test-migrations/releases)
- [Changelog](https://github.com/wemake-services/django-test-migrations/blob/master/CHANGELOG.md)
- [Commits](wemake-services/django-test-migrations@1.3.0...1.4.0)

---
updated-dependencies:
- dependency-name: django-test-migrations
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [openpyxl](https://openpyxl.readthedocs.io) from 3.1.4 to 3.1.5.

---
updated-dependencies:
- dependency-name: openpyxl
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…efectDojo#10476)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [pillow](https://github.com/python-pillow/Pillow) from 10.3.0 to 10.4.0.
- [Release notes](https://github.com/python-pillow/Pillow/releases)
- [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst)
- [Commits](python-pillow/Pillow@10.3.0...10.4.0)

---
updated-dependencies:
- dependency-name: pillow
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

Bumps [drf-spectacular-sidecar](https://github.com/tfranzel/drf-spectacular-sidecar) from 2024.6.1 to 2024.7.1.
- [Commits](tfranzel/drf-spectacular-sidecar@2024.6.1...2024.7.1)

---
updated-dependencies:
- dependency-name: drf-spectacular-sidecar
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [asteval](https://github.com/lmfit/asteval) from 0.9.33 to 1.0.0.
- [Release notes](https://github.com/lmfit/asteval/releases)
- [Commits](lmfit/asteval@0.9.33...1.0.0)

---
updated-dependencies:
- dependency-name: asteval
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.34.136 to 1.34.137.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.136...1.34.137)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Ruff: add Q001

* Ruff: fix Q001

* Ruff: add Q002

* Ruff: fix Q002

* Ruff: add Q003

* Ruff: fix Q003

* Ruff: add Q004

* Ruff: fix Q004
* add prowler v4 parser

* remove line

* fix typo

* add settings.dist.py although it's written that one should not touch it but use env vars

* add modified .settings.dist.py.sha256sum

* extend prowler v3 parser to parse also prowler v4 reports in oscf-json format

* update aws_prowler_v3.md

* revert settings

* add modified .settings.dist.py.sha256sum

* revert docker-compose.yml

* make ruff happy

* separate prowler v3 and v4 parsers

* renaming

* add prowler v4 parser

* remove line

* fix typo

* add settings.dist.py although it's written that one should not touch it but use env vars

* add modified .settings.dist.py.sha256sum

* extend prowler v3 parser to parse also prowler v4 reports in oscf-json format

* update aws_prowler_v3.md

* revert settings

* add modified .settings.dist.py.sha256sum

* make ruff happy

* separate prowler v3 and v4 parsers

* renaming

* Update helm lock file

Signed-off-by: DefectDojo <[email protected]>

* make ruff happy

---------

Signed-off-by: DefectDojo <[email protected]>
Co-authored-by: DefectDojo <[email protected]>
Bumps [boto3](https://github.com/boto/boto3) from 1.34.137 to 1.34.138.
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](boto/boto3@1.34.137...1.34.138)

---
updated-dependencies:
- dependency-name: boto3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
dryrunsecurity bot commented Jul 3, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Configured Codepaths Analyzer 0 findings
IDOR Analyzer 0 findings
Sensitive Files Analyzer 0 findings
Server-Side Request Forgery Analyzer 0 findings
SQL Injection Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code change is related to the configuration of the Renovate bot, which is a tool used for automatically managing dependencies in software projects. The changes made in this pull request include ignoring specific dependencies, such as mysql and rabbitmq, as well as expanding the list of file paths that should be ignored by the Renovate bot.

From an application security perspective, the changes in this pull request do not appear to introduce any obvious security concerns. However, it's important to carefully consider the decision to ignore specific dependencies or file paths, as it could potentially lead to security vulnerabilities if important updates are missed. The ignored dependencies, mysql and rabbitmq, are common software components, and it's essential to ensure that they are kept up-to-date and secure. Additionally, the Dockerfile** pattern in the ignorePaths section could potentially hide changes to Docker-related files, which could be relevant from a security perspective.

Files Changed:

  • .github/renovate.json: This file contains the configuration for the Renovate bot. The changes made in this pull request include:
    1. Adding mysql and rabbitmq to the ignoreDeps section, which means that updates to these dependencies will not be automatically proposed by the Renovate bot.
    2. Expanding the ignorePaths section to include additional file paths, such as requirements.txt, various package.json and yarn.lock files, and any Dockerfile files.

Powered by DryRun Security
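The bot summary above describes two Renovate mechanisms, ignoreDeps and ignorePaths, without showing what they look like. The fragment below is an added example written for this page, not the PR's actual .github/renovate.json (which is not reproduced here). It puts the broad, global form next to a narrower packageRules form scoped to specific managers, which is the shape a reviewer would ask about when deprecated services still ship in compose files. The manager names, the rule description, the exact ignorePaths globs and the vulnerabilityAlerts stanza are assumptions; only the two package names and the fact that Dockerfiles and requirements/package/yarn files were added to ignorePaths come from the page. Renovate accepts a renovate.json5 file, which is why comments are allowed here.

```json5
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",

  // Approach A (the broad form this PR uses): the dependency is skipped for
  // every manager Renovate runs (docker-compose, Helm values, Dockerfiles, ...).
  // No version-bump PRs of any kind will be opened for these names.
  "ignoreDeps": ["mysql", "rabbitmq"],

  // Files matching these globs are not scanned at all. Assumed patterns; the
  // page only names the file types. "**/Dockerfile*" means pinned base images
  // in Dockerfiles are no longer bumped by Renovate, so something else
  // (here, presumably Dependabot, which the commit list shows handling
  // Python requirements) must cover them or they silently go stale.
  "ignorePaths": [
    "**/requirements.txt",
    "**/package.json",
    "**/yarn.lock",
    "**/Dockerfile*"
  ],

  // Approach B (narrower alternative, hypothetical): disable updates only in
  // the managers where the deprecated services actually appear. Other
  // managers keep reporting on the same names. Use A or B, not both.
  "packageRules": [
    {
      "description": "Deprecated services: stop version-bump PRs from compose/Helm only",
      "matchManagers": ["docker-compose", "helm-values"],
      "matchPackageNames": ["mysql", "rabbitmq"],
      "enabled": false
    }
  ],

  // Keep platform vulnerability alerts turned on. Whether an alert still
  // produces a PR for a dependency disabled above depends on Renovate's
  // handling of vulnerabilityAlerts together with ignoreDeps/enabled:false;
  // confirm that on a dry run rather than assuming it.
  "vulnerabilityAlerts": {
    "enabled": true
  }
}
```

A useful check before merging a change like this is a Renovate dry run (LOG_LEVEL=debug with --dry-run against the branch) and grepping the log for the ignored package names and for the Dockerfile paths, to see exactly which managers stopped reporting them.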

mtesauro (Contributor) left a comment

Approved

cneill changed the base branch from dev to bugfix July 3, 2024 20:55
github-actions bot added labels docker, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), apiv2, docs Jul 3, 2024

cneill (Contributor, Author) commented Jul 3, 2024

Closing to change the base branch...

@cneill cneill closed this Jul 3, 2024
Labels: apiv2, docker, docs, helm, integration_tests, parser, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR), ui, unittests

5 participants