Release: Merge back 2.51.2 into dev from: master-into-dev/2.51.2-2.52.0-dev

[github-actions]

Release triggered by rossops

[dryrunsecurity]

🔴 Risk threshold exceeded.

This pull request modifies multiple sensitive files across the codebase (models, views, serializers, templates, metrics, filters, and helpers) which the scanner flagged as sensitive edits, and also includes CI/workflow risks: a pinned Kubernetes version in k8s-tests.yml that may become outdated and a detect-merge-conflicts workflow using pull_request_target with a third-party action (and continue-on-error) that could enable privilege escalation.

🔴 Configured Codepaths Edit in dojo/metrics/utils.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/metrics/views.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/api_v2/serializers.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/api_v2/views.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/filters.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/finding/helper.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/metrics/utils.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/metrics/views.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/models.py

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/templates/dojo/findings_list_snippet.html

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/templates/dojo/report_builder.html

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/templates/dojo/view_finding.html

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/templates/dojo/view_test.html

Vulnerability	Configured Codepaths Edit
Description	Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

Potential for Outdated Kubernetes Version in CI/CD Pipeline in .github/workflows/k8s-tests.yml

Vulnerability

Potential for Outdated Kubernetes Version in CI/CD Pipeline

Description

The CI/CD pipeline's k8s-tests.yml workflow explicitly opts out of automated dependency updates for Kubernetes version v1.31.13 with the comment # Do not track with renovate as we likely want to rev this manually. While no immediate, critical vulnerabilities were found for this specific Kubernetes version, the manual management approach introduces a significant risk that future security patches or updates will be missed. Without an enforced manual update process, the pipeline could continue to test against an increasingly outdated and potentially vulnerable Kubernetes version, leading to a false sense of security for the application being tested.

django-DefectDojo/.github/workflows/k8s-tests.yml

Lines 16 to 24 in a1aa663

	# databases, broker and k8s are independent, so we don't need to test each combination
	# lastest k8s version (https://kubernetes.io/releases/) and the oldest officially supported version
	# are tested (https://kubernetes.io/releases/)
	- k8s: 'v1.34.1' # renovate: datasource=github-releases depName=kubernetes/kubernetes versioning=loose
	os: debian
	- k8s: 'v1.31.13' # Do not track with renovate as we likely want to rev this manually
	os: debian
	steps:
	- name: Checkout

Privilege Escalation via `pull_request_target` in .github/workflows/detect-merge-conflicts.yaml

Vulnerability

Privilege Escalation via pull_request_target

Description

The workflow detect-merge-conflicts.yaml uses pull_request_target which grants write permissions to the GITHUB_TOKEN in the base repository. A third-party action, eps1lon/actions-label-merge-conflict, is executed with continue-on-error: true. If this action has a vulnerability that can be exploited by malicious pull request content, an attacker could achieve arbitrary code execution with elevated privileges, and the continue-on-error flag could mask the attack.

django-DefectDojo/.github/workflows/detect-merge-conflicts.yaml

Lines 11 to 13 in a1aa663

	pull_request_target:
	types: [synchronize]

We've notified @mtesauro.

---

All finding details can be found in the DryRun Security Dashboard.