Release: Merge release into master from: release/2.53.0 (#13802)
….0-dev Release: Merge back 2.52.0 into dev from: master-into-dev/2.52.0-2.53.0-dev
…v41.168.6 (.github/workflows/renovate.yaml) (#13584) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
….19.0 (docker-compose.override.dev.yml) (#13585) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…v41.169.2 (.github/workflows/renovate.yaml) (#13594) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [drf-spectacular](https://github.com/tfranzel/drf-spectacular) from 0.28.0 to 0.29.0. - [Release notes](https://github.com/tfranzel/drf-spectacular/releases) - [Changelog](https://github.com/tfranzel/drf-spectacular/blob/master/CHANGELOG.rst) - [Commits](tfranzel/drf-spectacular@0.28.0...0.29.0) --- updated-dependencies: - dependency-name: drf-spectacular dependency-version: 0.29.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps openapitools/openapi-generator-cli from v7.16.0 to v7.17.0. --- updated-dependencies: - dependency-name: openapitools/openapi-generator-cli dependency-version: v7.17.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…13598) Bumps nginx from 1.29.2-alpine3.22 to 1.29.3-alpine3.22. --- updated-dependencies: - dependency-name: nginx dependency-version: 1.29.3-alpine3.22 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [markdown](https://github.com/Python-Markdown/markdown) from 3.9 to 3.10. - [Release notes](https://github.com/Python-Markdown/markdown/releases) - [Changelog](https://github.com/Python-Markdown/markdown/blob/master/docs/changelog.md) - [Commits](Python-Markdown/markdown@3.9.0...3.10.0) --- updated-dependencies: - dependency-name: markdown dependency-version: '3.10' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.63 to 1.40.65. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.63...1.40.65) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.65 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…v41.169.4 (.github/workflows/renovate.yaml) (#13607) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…v1.34.1 (.github/workflows/k8s-tests.yml) (#13603) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…age.json) (#13604) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…v41.170.0 (.github/workflows/renovate.yaml) (#13615) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* 🎉 Advance reimport to update fix_available field #12633 * docs * update * Update using_reimport.md * implement a fixed version * rebase fix * Update dojo/models.py Co-authored-by: valentijnscholten <valentijnscholten@gmail.com> * Update default_reimporter.py * add unittests and grype * update * add unittests * ruff * update * sync migration * rebase * update according to comment * update according to rebase * update * update * Clarify reimport behavior for findings update Reimport will update existing findings 'fix_available' and 'fix_version' fields based on the incoming scan report. * update --------- Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
* Made file changes to test in dojo pro * Changed logic so that individual findings are pushed to jira only after the groups association is confirmed * Apply suggestion from @Maffooch * Rerecord tests --------- Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
…2.8.0 (.github/workflows/test-helm-chart.yml) (#13629) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.65 to 1.40.66. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.65...1.40.66) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.66 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…ge.json) (#13625) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…v41.173.0 (.github/workflows/renovate.yaml) (#13622) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…/package.json) (#13617) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…s/package.json) (#13616) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
… when redirecting after login using social auth. (#13614) * Adding SOCIAL_AUTH_REDIRECT_IS_HTTPS, to enable use of HTTPS protocol when redirecting after login. * Adding description about how to setup SOCIAL_AUTH_REDIRECT_IS_HTTPS when using helm to docs (docs/content/en/customize_dojo/user_management/configure_sso.md). * Adding description about how to setup SOCIAL_AUTH_REDIRECT_IS_HTTPS when using helm to docs (docs/content/en/customize_dojo/user_management/configure_sso.md). * Apply suggestion from @valentijnscholten --------- Co-authored-by: Marcel Horner <marcel.horner@stefanini.com> Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
…v42 (.github/workflows/renovate.yaml) (#13638) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.14.3 to 0.14.4. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.14.3...0.14.4) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.14.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.40.66 to 1.40.68. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.40.66...1.40.68) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.40.68 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…e.json) (#13641) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [asteval](https://github.com/lmfit/asteval) from 1.0.6 to 1.0.7. - [Release notes](https://github.com/lmfit/asteval/releases) - [Commits](lmfit/asteval@1.0.6...1.0.7) --- updated-dependencies: - dependency-name: asteval dependency-version: 1.0.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat(helm): Use Valkey Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com> * apply changes from @fernandezcuesta Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com> * adjustments Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com> --------- Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…13781) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.41.4 to 1.41.5. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.41.4...1.41.5) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.41.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: kiblik <5609770+kiblik@users.noreply.github.com>
Remove unnecessary error logging for finding group status.
…hub/workflows/renovate.yaml) (#13788) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
JIRA: add retry/rate limit support
fix: enable uwsgi DD_UWSGI_EXTRA_ARGS passthrough
Remove left over log statement
Release 2.53.0: Merge Bugfix into Dev
🔴 Risk threshold exceeded. This pull request modifies several sensitive codepaths (models, migrations, importers, templates, and Jira helper) and flags them for review, leaves a GitHub Actions Node.js version without an update strategy, and includes two command injection risks: one in test-helm-chart.yml due to incomplete PR-title sanitization and another in docker/entrypoint-uwsgi.sh from unsafely expanding DD_UWSGI_EXTRA_ARGS. Please review the sensitive file changes and fix the workflow/script sanitization and dependency update strategy.
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/importers/default_reimporter.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/models.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/templates/dojo/view_finding.html
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
🔴 Configured Codepaths Edit in dojo/jira_link/helper.py
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
Outdated Dependency with No Clear Update Strategy in .github/workflows/validate_docs_build.yml
| Vulnerability | Outdated Dependency with No Clear Update Strategy |
|---|---|
| Description | The Node.js version '24.11.1' specified in the GitHub Actions workflow is not configured for automated updates by Renovate. While no immediate vulnerabilities were found for this specific version, the absence of an update strategy means the dependency is at risk of becoming outdated and potentially vulnerable in the future if not manually maintained. The TODO comment in the code confirms the lack of a tested automated update mechanism. |
django-DefectDojo/.github/workflows/validate_docs_build.yml
Lines 12 to 24 in d3d64db
Command Injection via Pull Request Title in .github/workflows/test-helm-chart.yml
| Vulnerability | Command Injection via Pull Request Title |
|---|---|
| Description | The GitHub Actions workflow test-helm-chart.yml attempts to sanitize the pull request title before embedding it into a yq command. However, the sanitization denylist is incomplete and does not cover critical shell metacharacters such as $ (for variable expansion or command substitution), ( and ) (for command substitution), backticks (` for command substitution), or semicolons (; for command separation). An attacker can craft a pull request title containing these unescaped characters to execute arbitrary commands on the GitHub Actions runner. |
django-DefectDojo/.github/workflows/test-helm-chart.yml
Lines 122 to 125 in d3d64db
Command Injection via Environment Variable in docker/entrypoint-uwsgi.sh
| Vulnerability | Command Injection via Environment Variable |
|---|---|
| Description | The entrypoint-uwsgi.sh script directly expands the $DD_UWSGI_EXTRA_ARGS environment variable into the uwsgi command line without proper quoting or sanitization. This allows an attacker who can control this environment variable to inject arbitrary command-line arguments into the uwsgi process. Such injection can lead to arbitrary code execution, denial of service, or other security issues, depending on the injected options and the privileges of the uwsgi process. |
django-DefectDojo/docker/entrypoint-uwsgi.sh
Lines 42 to 46 in d3d64db
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
Release triggered by rossops