feat(django): upgrade to 5.1 #10691

Closed
wants to merge 1 commit into from
Conversation

kiblik
Contributor

@kiblik kiblik commented Aug 6, 2024

As #10409 is merged, let's start testing Django 5.1

dryrunsecurity bot commented Aug 6, 2024

DryRun Security Summary

The provided code change updates the requirements.txt file for the DefectDojo application, including upgrading the Django version and several other libraries, which is generally positive for application security, but requires careful review to ensure no regressions or newly introduced vulnerabilities.

Summary:

The provided code change is an update to the requirements.txt file for the DefectDojo application, a popular open-source application security management tool. The key changes include updating the Django version from 5.0.8 to 5.1, as well as updating several other libraries to newer versions. From an application security perspective, these changes are generally positive, as they indicate a commitment to keeping the application's dependencies up-to-date and secure.

However, it's important to review the changes carefully to ensure there are no regressions or newly introduced security vulnerabilities. Specifically, the Django version update should be reviewed to understand any potential security-related changes, and the third-party library versions should be checked for known security vulnerabilities using tools like pip-audit or snyk. Additionally, the use of specific versions for dependencies, rather than relying on version ranges, is a good practice for maintaining a stable and secure application. Finally, it's crucial to ensure that the DefectDojo application follows secure coding practices, such as input validation, output encoding, and proper authentication and authorization mechanisms, to mitigate common web application security vulnerabilities.

Files Changed:

  • requirements.txt: The requirements.txt file has been updated to include the following changes:
    • The Django version has been updated from 5.0.8 to 5.1.
    • Several other libraries, including djangorestframework, html2text, humanize, and django-prometheus, have been updated to newer versions.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Sensitive Files Analyzer, 1 finding

Riskiness

🟢 Risk threshold not exceeded.

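The summary above flags two things a reviewer of a requirements.txt change wants to verify: that every dependency stays exactly pinned, and which versions actually moved. The following checker is an added example, not DefectDojo's or DryRun's code; the Django 5.0.8 -> 5.1 line comes from the PR, while the other entries in the sample files are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample requirement files (not DefectDojo's real requirements.txt):
# only the Django pin change is taken from the PR; the other lines are placeholders.
OLD_REQUIREMENTS = """\
Django==5.0.8
djangorestframework==3.15.2
example-lib>=1.0  # constructed: deliberately left unpinned
"""
NEW_REQUIREMENTS = """\
Django==5.1
djangorestframework==3.15.2
example-lib>=1.0
"""

# name, comparison operator, version; extras such as pkg[extra] are part of the name
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-\[\]]+)\s*(==|>=|<=|~=|!=|>|<)\s*([^\s;#]+)")


def parse_requirements(text: str) -> Dict[str, Tuple[str, str]]:
    """Map lower-cased package name -> (operator, version).

    Comments, blank lines and pip options (-r, -e, ...) are skipped; a bare
    name with no specifier is recorded as ('', '') so it shows up as unpinned.
    """
    reqs: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = PIN_RE.match(line)
        if m:
            name, op, ver = m.groups()
            reqs[name.lower()] = (op, ver)
        else:
            reqs[line.lower()] = ("", "")
    return reqs


def unpinned(reqs: Dict[str, Tuple[str, str]]) -> List[str]:
    """Packages not pinned with an exact '==' specifier (ranges or no version)."""
    return sorted(name for name, (op, _) in reqs.items() if op != "==")


def version_changes(old: Dict[str, Tuple[str, str]],
                    new: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(name, old_version, new_version) for every package whose version moved."""
    changes = []
    for name, (_, new_ver) in new.items():
        old_ver = old.get(name, ("", ""))[1]
        if old_ver != new_ver:
            changes.append((name, old_ver, new_ver))
    return sorted(changes)
```

The list returned by version_changes is the set of packages worth checking against an advisory database (for example with pip-audit, as the summary suggests), and unpinned is the list to reject in review.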

@Maffooch
Contributor

Maffooch commented Aug 6, 2024

@kiblik wasting no time around here 😂

@kiblik
Contributor Author

kiblik commented Aug 12, 2024

@Maffooch and @mtesauro, based on unit + integration tests and reading release notes, I haven't noticed any issue. There might be some ideas for improvements (based on new features) but there are no blockers.
I'm going to close this PR and I recommend merging the original #10721. But I would recommend having DD based on Django 5.0 running for at least one month. So if Django 5.0 is part of DD 2.38.0, I recommend adding Django 5.1 to 2.39.0.

@kiblik kiblik closed this Aug 12, 2024
@kiblik kiblik deleted the django_5.1 branch August 12, 2024 17:17