Release: Merge release into master from: release/2.51.0 #13350
….0-dev Release: Merge back 2.50.0 into dev from: master-into-dev/2.50.0-2.51.0-dev
Bumps [drf-spectacular-sidecar](https://github.com/tfranzel/drf-spectacular-sidecar) from 2025.8.1 to 2025.9.1. - [Commits](tfranzel/drf-spectacular-sidecar@2025.8.1...2025.9.1) --- updated-dependencies: - dependency-name: drf-spectacular-sidecar dependency-version: 2025.9.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 45.0.6 to 45.0.7. - [Changelog](https://github.com/pyca/cryptography/blob/45.0.7/CHANGELOG.rst) - [Commits](pyca/cryptography@45.0.6...45.0.7) --- updated-dependencies: - dependency-name: cryptography dependency-version: 45.0.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [django-dbbackup](https://github.com/Archmonger/django-dbbackup) from 4.3.0 to 5.0.0. - [Release notes](https://github.com/Archmonger/django-dbbackup/releases) - [Changelog](https://github.com/Archmonger/django-dbbackup/blob/master/CHANGELOG.md) - [Commits](Archmonger/django-dbbackup@4.3.0...5.0.0) --- updated-dependencies: - dependency-name: django-dbbackup dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.20 to 1.40.21. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.20...1.40.21) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.21 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…e.json) (#13085) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…13082) * msteams: Use adaptive cards format * update docs * revert webhook scan_added_empty
…/workflows/pr-labeler.yml) (#13102) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…hub/workflows/validate_docs_build.yml) (#13103) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ws/test-helm-chart.yml) (#13107) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…se-stale.yml) (#13108) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.21 to 1.40.23. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.21...1.40.23) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.23 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* test cases: fix caching of system settings * fix tests * fix caching for github * fix caching for github * simplify cache loading * post process only when needed * set tags on (re)import * rebase set tags * reduce save with options * update counts, reduce saves with options * importers: do not save again, but postprocess directly * update counts * optimize hash_code setting * fix counts * set hash code for new findings in reimport * make smaller second save work * make smaller second save work - add no_options * update query counts * improve we_want_async decorator * test performance: force async * fix async stuff in perf test * fix async stuff in perf test * fix async stuff in perf test * update counts * remove logging * perf3b: compute hash_code on first save * fix cve for reimport * ruff * fix no async * Merge remote-tracking branch 'upstream/dev' into perf3-reduce-saves
…0 (.github/workflows/release-3-master-into-dev.yml) (#13111) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…thub/workflows/pr-labeler.yml) (#13113) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.23 to 1.40.24. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.23...1.40.24) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.24 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.12.11 to 0.12.12. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.12.11...0.12.12) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.12.12 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [markdown](https://github.com/Python-Markdown/markdown) from 3.8.2 to 3.9. - [Release notes](https://github.com/Python-Markdown/markdown/releases) - [Changelog](https://github.com/Python-Markdown/markdown/blob/master/docs/changelog.md) - [Commits](Python-Markdown/markdown@3.8.2...3.9.0) --- updated-dependencies: - dependency-name: markdown dependency-version: '3.9' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pygithub](https://github.com/pygithub/pygithub) from 2.7.0 to 2.8.1. - [Release notes](https://github.com/pygithub/pygithub/releases) - [Changelog](https://github.com/PyGithub/PyGithub/blob/main/doc/changes.rst) - [Commits](PyGithub/PyGithub@v2.7.0...v2.8.1) --- updated-dependencies: - dependency-name: pygithub dependency-version: 2.8.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…github/workflows/release-3-master-into-dev.yml) (#13112) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* **Summary:** - Add extraInitContainers to celery+django deployments. - Add extraEnv to all deployments - Remove existing volume logic in favor of agnostic extraVolumes and extraVolumeMounts - Fix optional secret mounts + reference - Update bitnami chart reference (OCI) - Bump up redis chart * chore: add livenessProbe entries for celery * fix: reference to removed field * fix: conflict * chore: add reference to upstream chart * fix: missing default values from upstream chart used in templates * chore: rephrase * feat: allow deploy secret as regular non-hooked resources * fix: review * chore: restore Chart.lock * chore: update chart.lock * chore: wrap services url * fix: PR review suggestions * chore: mount extraVolumes in initContainers too * chore: move external db values to separate fields, add release notes * Update docs/content/en/open_source/upgrading/2.50.md Co-authored-by: kiblik <5609770+kiblik@users.noreply.github.com> * chore: bump chart version and remove bitnami dependency comment from RN * chore: move release notes to 2.51 * chore: restore 2.50.md --------- Co-authored-by: kiblik <5609770+kiblik@users.noreply.github.com>
* Ruff: Add PLW * update
….0-dev Release: Merge back 2.50.1 into dev from: master-into-dev/2.50.1-2.51.0-dev
* twistlock: defend against compliances being null * twistlock: defend against compliances being null
…13320) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Update default audit log type to django-auditlog
* upgrade notes: explain performance benefits * add two prs
…3324) * refactor: streamline vulnerability ID and endpoint retrieval in Finding model * attempt to fetch saved objects first * fix ruff * Update dojo/models.py * Update dojo/models.py
Release 2.51.0: Merge Bugfix into Dev
🔴 Risk threshold exceeded. This pull request modifies multiple sensitive backend files (models, serializers, views, importers, and helpers) flagged by configured codepath checks and introduces CI workflow risks including unsanitized workflow input used as an env var (potential command injection), branch-derived interpolation into shell commands (potential command injection), use of a decoded secret in a curl command (possible secret exposure in logs), and a broad failed-logs step that may leak sensitive application data. Please review the sensitive file edits against allowed authors in .dryrunsecurity.yaml and harden the CI workflows by validating/sanitizing inputs, avoiding direct shell interpolation, protecting secret-derived variables, and limiting log dumps.
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/models.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/finding/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/endpoint_manager.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/jira_link/helper.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/models.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/models.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/api_v2/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/decorators.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/finding/views.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/base_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/default_importer.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/default_reimporter.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/endpoint_manager.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/jira_link/helper.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
Potential Command Injection via Workflow Input in .github/workflows/integration-tests.yml
| Vulnerability | Potential Command Injection via Workflow Input |
|---|---|
| Description | The AUDITLOG_TYPE environment variable is set directly from a workflow input (inputs.auditlog_type) without sanitization. If this variable is used in a shell command later in the job, it could lead to command injection. The workflow_call trigger allows this input to be controlled by external sources, including potentially malicious ones (e.g., pull requests from forks). |
django-DefectDojo/.github/workflows/integration-tests.yml, lines 16 to 19 in f3e1ffb
Potential Command Injection in GitHub Actions in .github/workflows/test-helm-chart.yml
| Vulnerability | Potential Command Injection in GitHub Actions |
|---|---|
| Description | The env.ct-branch variable is derived from github.base_ref or github.ref which can be influenced by an attacker through a crafted branch name in a pull request. This variable is then directly interpolated into a shell command without proper sanitization, allowing for potential command injection. |
django-DefectDojo/.github/workflows/test-helm-chart.yml, lines 79 to 82 in f3e1ffb
Potential Secret Exposure in CI/CD Logs in .github/workflows/k8s-tests.yml
| Vulnerability | Potential Secret Exposure in CI/CD Logs |
|---|---|
| Description | The DD_ADMIN_PASSWORD is retrieved from a Kubernetes secret, base64 decoded, and assigned to the shell variable ADMIN_PASS. This variable is then used directly in a curl command's --data-raw argument. While GitHub Actions attempts to mask secrets, variables derived from secrets within shell scripts are not always automatically masked. If the curl command fails or if shell tracing were enabled, the password could be exposed in the CI/CD logs. |
django-DefectDojo/.github/workflows/k8s-tests.yml, lines 163 to 166 in f3e1ffb
Information Disclosure via Broad Log Dumping in .github/workflows/k8s-tests.yml
| Vulnerability | Information Disclosure via Broad Log Dumping |
|---|---|
| Description | The new 'Failed Logs' step in the k8s-tests.yml workflow, triggered on any failure, executes kubectl logs deployment/defectdojo-django --all-pods=true --all-containers=true --tail=100. This command broadly dumps the last 100 lines of logs from all containers within the defectdojo-django deployment (e.g., uwsgi, celery components). In a CI/CD environment, these logs are typically accessible to collaborators or potentially publicly. Django applications, especially during error conditions or with verbose logging, can inadvertently log sensitive information such as stack traces (revealing file paths, internal logic, variable values), request/response data (user input, session tokens), or even environment variables (like DD_SECRET_KEY, DD_CREDENTIAL_AES_256_KEY, database URLs) if an error occurs during their processing. This broad log dumping significantly increases the risk of exposing confidential data during test failures. |
django-DefectDojo/.github/workflows/k8s-tests.yml, lines 218 to 220 in f3e1ffb
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Release: Merge release into master from: release/2.51.0
Release triggered by rossops