Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

remove mysql leftover #10694

Open
wants to merge 7 commits into
base: bugfix
Choose a base branch
from

Conversation

manuel-sommer
Copy link
Contributor

No description provided.

@github-actions github-actions bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label Aug 7, 2024
Copy link

dryrunsecurity bot commented Aug 7, 2024

DryRun Security Summary

The pull request covers changes to various files in the DefectDojo application, focusing on improving code quality, maintainability, and performance, while also addressing potential security concerns related to SQL injection risks, sensitive data exposure, and secure configuration management.

Expand for full summary

Summary:

The code changes in this pull request cover several files related to the DefectDojo application, including utility functions, SQL aggregation, and application settings. Overall, the changes appear to be focused on improving code quality, maintainability, and performance, without introducing any obvious security vulnerabilities.

However, as an application security engineer, there are a few areas that warrant further review and consideration:

  1. SQL Injection Risks: The changes to the Sql_GroupConcat class involve dynamic SQL generation, which could potentially lead to SQL injection vulnerabilities if the input values are not properly sanitized and validated.
  2. Sensitive Data Exposure: The use of the GROUP_CONCAT function could potentially expose sensitive data, depending on the data being concatenated. It's important to ensure that the function is used in appropriate scenarios and that the output is properly handled and displayed to the user.
  3. Secure Configuration Management: The changes to the application settings file include sensitive configuration values, such as encryption keys and session/CSRF cookie settings. It's crucial to ensure that these values are properly managed and protected, and that the application's security-related settings are configured correctly.

Overall, the changes in this pull request appear to be generally positive, but it's essential to continue monitoring the application's security posture and address any potential vulnerabilities or security concerns that may arise.

Files Changed:

  1. dojo/metrics/utils.py:

    • The changes remove database-specific logic for calculating the age of findings, replacing it with a more generic approach.
    • The code has been refactored to improve readability and maintainability, and the changes should also improve performance.
    • From a security perspective, the changes do not introduce any obvious vulnerabilities, but it's important to ensure that the underlying data used to generate the metrics is properly secured and access-controlled.
  2. dojo/components/sql_group_concat.py:

    • The changes remove the as_mysql method and update the as_sql method to use a more generic approach for generating the SQL query.
    • Security considerations include ensuring that input values are properly sanitized and validated to prevent SQL injection vulnerabilities, and that the use of the GROUP_CONCAT function is limited to appropriate scenarios to avoid excessive data retrieval and potential sensitive data exposure.
  3. dojo/settings/settings.dist.py:

    • The changes remove the SILENCED_SYSTEM_CHECKS setting and update the DATA_UPLOAD_MAX_NUMBER_FIELDS setting.
    • While these changes do not directly introduce security vulnerabilities, it's important to review the CREDENTIAL_AES_256_KEY setting and ensure that the JIRA_SSL_VERIFY setting is configured correctly to prevent potential man-in-the-middle attacks.
  4. dojo/settings/template-env:

    • The changes remove the option to use a MySQL database URL, which is a positive change from a security standpoint, as it reduces the risk of SQL injection vulnerabilities.
    • The file contains several sensitive configuration values that should be carefully managed and protected, and the enabled Django admin interface should be properly secured.
    • The commented-out settings related to session and CSRF cookie security, as well as the secure content type setting, should be reviewed and properly configured to enhance the application's security.

Code Analysis

We ran 9 analyzers against 5 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Configured Codepaths Analyzer 3 findings

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.

dojo/metrics/utils.py Outdated Show resolved Hide resolved
@kiblik
Copy link
Contributor

kiblik commented Aug 7, 2024

Maybe the following might be removed as well:

This might be adjusted just not sure how:

@manuel-sommer
Copy link
Contributor Author

I also don't know @kiblik

@Maffooch
Copy link
Contributor

Maffooch commented Aug 7, 2024

I was nervous to remove those things tbh. I did not have the time when this removal work occurred to fully test and ensure there were no breakages. The safe option is to leave them there, but it would be nice to get rid of these leftovers

Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@mtesauro
Copy link
Contributor

mtesauro commented Aug 13, 2024

I was nervous to remove those things tbh. I did not have the time when this removal work occurred to fully test and ensure there were no breakages. The safe option is to leave them there, but it would be nice to get rid of these leftovers

I agree with going slow on these parts of the code that we're not sure about. We have deprecated MySQL and RabbitMQ but I also don't want to make changes that might actually break MySQL (vs removing GHA tests & entries in compose) until the next minor release (2.38.0 / Sept) to give people a bit more time to migrate to PostgreSQL/Redis especially as it seems removing these has a good chance of busting MySQL users.

We keep getting updates to the GH discussion on migrating to Postgres: #9480

Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@manuel-sommer
Copy link
Contributor Author

I rebased this @mtesauro. I guess we can give this a go now.

Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

Copy link
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

github-actions bot commented Nov 1, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

Copy link
Contributor

github-actions bot commented Nov 1, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

github-actions bot commented Nov 1, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

Copy link
Contributor

github-actions bot commented Nov 1, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

github-actions bot commented Nov 1, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@mtesauro
Copy link
Contributor

mtesauro commented Nov 29, 2024

@manuel-sommer FYI: As of Feb, we'll have deprecated MySQL for 6 months so we're targeting getting this PR merged in the Feb minor release.

Thanks for keeping this alive 🚀

Copy link
Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

Copy link
Contributor

github-actions bot commented Dec 2, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

github-actions bot commented Dec 2, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

Copy link
Contributor

github-actions bot commented Dec 3, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

github-actions bot commented Dec 3, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

Copy link
Contributor

github-actions bot commented Dec 4, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Copy link
Contributor

github-actions bot commented Dec 5, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@github-actions github-actions bot added conflicts-detected and removed settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR labels Dec 5, 2024
@manuel-sommer manuel-sommer reopened this Dec 5, 2024
Copy link
Contributor

github-actions bot commented Dec 5, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@github-actions github-actions bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label Dec 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants