Bump python from 3.11.9-slim-bookworm to 3.12.5-slim-bookworm

[dependabot]

Bumps python from 3.11.9-slim-bookworm to 3.12.5-slim-bookworm.

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
python	[>= 3.9.a, < 3.10]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dryrunsecurity]

DryRun Security Summary

The pull request updates the base Docker images used for the DefectDojo application, including the Python version, dependencies, sensitive information handling, and static asset management, to maintain the security and reliability of the application.

Expand for full summary

Summary:

The code changes in this pull request focus on updating the base Docker images used for the DefectDojo application, including the integration tests, Django, and Nginx components. The key updates include:

1. Python Version Upgrade: The base Python image is updated from version 3.11.9 to 3.12.5 across multiple Dockerfiles. Upgrading the Python version is a good security practice to ensure the application is running on the latest stable version with the latest security patches.

2. Dependency Management: The Dockerfiles install various dependencies required for the application, such as database connectivity, XML security, and development tools. It is important to ensure these dependencies are kept up-to-date and their versions are pinned to known-good versions to avoid potential security vulnerabilities.

3. Sensitive Information Handling: The Dockerfiles set several environment variables, including sensitive information like admin user credentials and Celery/UWSGI configuration. It is crucial to ensure that sensitive information is not hardcoded in the Dockerfiles and is instead provided through more secure means, such as a secrets management system.

4. Least Privilege: The Dockerfiles run the application and its components as non-root users, which is a good security practice to minimize the potential impact of any vulnerabilities or attacks.

5. Static Asset Handling: The Dockerfiles handle the collection and copying of static assets, such as CSS, JavaScript, and images, to the Nginx container. Proper handling of static files is important to prevent potential security issues like unintended file exposure or directory traversal vulnerabilities.

Files Changed:

1. Dockerfile.integration-tests-debian: This Dockerfile sets up the environment for running integration tests, including installing dependencies, setting up environment variables, and running the tests.

2. Dockerfile.django-debian and Dockerfile.django-alpine: These Dockerfiles set up the environment for the Django-based application, including updating the Python version, installing dependencies, and configuring the runtime environment.

3. Dockerfile.nginx-alpine and Dockerfile.nginx-debian: These Dockerfiles set up the Nginx-based web server for the DefectDojo application, including updating the Python version, installing Node.js and Yarn, and handling static asset management.

Overall, the code changes appear to be focused on maintaining the security and reliability of the DefectDojo application by keeping the underlying dependencies and runtime environments up-to-date. However, it is important to thoroughly review the changes, especially the handling of sensitive information and the security configurations, to ensure that no new vulnerabilities are introduced.

Code Analysis

We ran 9 analyzers against 5 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[Maffooch]

Here is the error:

DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html

[dependabot]

Superseded by #10915.