
fix(polymorphic): Install package from git #10334

Draft. Wants to merge 1 commit into base: dev

Conversation

@kiblik kiblik (Contributor) commented Jun 4, 2024

dryrunsecurity bot commented Jun 4, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status          Findings
Configured Codepaths Analyzer   0 findings
Sensitive Files Analyzer        1 finding
AppSec Analyzer                 0 findings
Authn/Authz Analyzer            0 findings
Secrets Analyzer                0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The changes made in this pull request focus on updating the dependencies listed in the requirements.txt file for the DefectDojo application. The key changes include:

  1. Updating the django-polymorphic library from version 3.1.0 to the latest pre-release version 4.0.0a, which is being pulled directly from the GitHub repository.
  2. Updating the django-multiselectfield library, but pulling the version directly from the GitHub repository instead of using a specific version number.

From an application security perspective, these changes are generally positive as they help address known vulnerabilities and security issues by updating dependencies to their latest versions. However, there are a few points to consider:

  1. Pre-release Version: The use of a pre-release version (4.0.0a) of the django-polymorphic library may introduce potential stability or compatibility issues that should be carefully evaluated before deploying to a production environment.
  2. Pinned Versions: It's recommended to use specific version numbers for dependencies instead of relying on the latest version from a repository, as this helps ensure consistent and predictable application behavior.
  3. Outdated Libraries: The comments in the file indicate that the django-multiselectfield and django-tagging libraries are outdated, and their continued use may introduce security vulnerabilities that should be addressed.
  4. Secure Dependency Management: While the use of a requirements.txt file is a good practice, it's essential to ensure that the dependencies are obtained from trusted sources and that the integrity of the downloaded packages is verified.

Files Changed:

  • requirements.txt: The changes in this file update the django-polymorphic library from version 3.1.0 to the latest pre-release version 4.0.0a, which is being pulled directly from the GitHub repository. The django-multiselectfield library is also being updated, but the version is being pulled directly from the GitHub repository instead of a specific version number.

Powered by DryRun Security
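The bot's second and fourth points (pin versions; obtain packages from trusted sources and verify their integrity) are the ones that matter for a requirements.txt that starts pulling from git. As an added example, not DefectDojo's code and not the bot's, here is a small Python linter that reads a requirements.txt and reports git+ references that are not pinned to a full 40-hex commit SHA, and index packages that lack an `==` pin or a `--hash`. The embedded sample requirements are constructed for this illustration; the repository URLs, refs and hashes are placeholders, not values from the PR.

```python
"""Lint a requirements.txt for dependencies whose source or version cannot be
trusted to be the same between two installs.

Added example, not DefectDojo's own tooling.  What it flags:
  * a git+ requirement with no ref, or with a branch/tag ref rather than a full
    40-hex commit SHA (a branch or tag can be moved, a commit SHA cannot);
  * an index requirement not pinned with '==';
  * an index requirement with no --hash, which is what
    'pip install --require-hashes' needs in order to verify what it downloads.
pip cannot hash-verify VCS installs at all, so even a SHA-pinned git+ entry is
reported, at 'info' level, as something --require-hashes will refuse.
"""
import re
from dataclasses import dataclass

# Constructed sample input modelled on the kind of change discussed in the PR.
# Repository URLs, refs and hashes are placeholders, not values from the page.
PLACEHOLDER_SHA = "a" * 40
PLACEHOLDER_HASH = "sha256:" + "0" * 64
SAMPLE_REQUIREMENTS = f"""\
# release pinned with a hash: what --require-hashes needs
django==4.2.11 --hash={PLACEHOLDER_HASH}
# release pinned, but no hash
django-tagging==0.5.0
# VCS reference to a branch: 'master' can move under us
django-multiselectfield @ git+https://github.com/example/django-multiselectfield@master
# VCS reference with no ref at all (old #egg= syntax)
git+https://github.com/example/django-polymorphic#egg=django-polymorphic
# VCS reference pinned to a full commit SHA (placeholder SHA)
django-polymorphic @ git+https://github.com/example/django-polymorphic@{PLACEHOLDER_SHA}
# loose version range
requests>=2.31
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# 'name @ git+url[@ref]' (PEP 508 direct reference) or 'git+url[@ref]#egg=name'
VCS_RE = re.compile(
    r"^(?:(?P<name>[A-Za-z0-9_.-]+)\s*@\s*)?"
    r"(?P<url>git\+[^@\s#]+)(?:@(?P<ref>[^#\s]+))?(?:#egg=(?P<egg>[A-Za-z0-9_.-]+))?"
)
# 'name[extras] <op> version' for index requirements
INDEX_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-\[\],]+)\s*(?P<op>===|==|~=|!=|<=|>=|<|>)?")


@dataclass(frozen=True)
class Finding:
    line_no: int
    name: str
    severity: str   # 'high', 'medium' or 'info'
    problem: str


def lint_requirements(text: str) -> list[Finding]:
    """Return one Finding per pinning/integrity weakness found in `text`."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # pip treats ' #' as the start of a comment; '#egg=' has no space before it
        line = re.split(r"\s+#", raw, maxsplit=1)[0].strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue  # blank, comment, or an option line such as -r / -e
        vcs = VCS_RE.match(line)
        if vcs:
            name = vcs.group("name") or vcs.group("egg") or vcs.group("url")
            ref = vcs.group("ref")
            if ref is None:
                findings.append(Finding(line_no, name, "high",
                                        "git+ requirement has no ref; installs whatever the default branch points at"))
            elif not SHA_RE.match(ref):
                findings.append(Finding(line_no, name, "high",
                                        f"git+ ref {ref!r} is a branch or tag, not a full commit SHA"))
            findings.append(Finding(line_no, name, "info",
                                    "git+ requirement cannot be verified by pip --require-hashes"))
            continue
        hashes = re.findall(r"--hash=(\S+)", line)
        spec = re.sub(r"\s+--hash=\S+", "", line)
        idx = INDEX_RE.match(spec)
        name = idx.group("name") if idx else spec
        if not idx or idx.group("op") != "==":
            findings.append(Finding(line_no, name, "high",
                                    f"version is not pinned with '==' (got {spec!r})"))
        if not hashes:
            findings.append(Finding(line_no, name, "medium",
                                    "no --hash given, so --require-hashes cannot verify the download"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity level."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in lint_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no}: [{f.severity}] {f.name}: {f.problem}")
    print(summarize(lint_requirements(SAMPLE_REQUIREMENTS)))
```

Run it against a real requirements.txt by reading the file into `lint_requirements`. The practical takeaway for a PR like this one: a git+ line pinned to a branch (or with no ref) installs whatever that branch points at on the day of the build, and the only integrity control available for a VCS install is the full commit SHA, since `pip install --require-hashes` refuses VCS requirements outright. Hash verification comes back only once the dependency is again a released artifact from the index.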

@kiblik kiblik marked this pull request as draft June 5, 2024 12:11
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.


DryRun Security Summary

The provided code change updates the requirements.txt file for the DefectDojo application, including a version update for the django-polymorphic dependency and a note about the deprecated django-tagging library, which demonstrates a commitment to keeping dependencies up-to-date and addressing potential security risks.


Summary:

The provided code change is an update to the requirements.txt file, which manages the dependencies of the DefectDojo application. The key change is the update of the django-polymorphic dependency from version 3.1.0 to version 4.0.0a, which is being installed directly from the GitHub repository.

From an application security perspective, the changes are generally positive, as they demonstrate a commitment to keeping dependencies up-to-date, which helps address known vulnerabilities. The majority of the dependencies have specific version numbers pinned, which is a good practice to ensure consistent and predictable application behavior. The use of a secure dependency source, such as the GitHub repository, is also a positive security practice. However, the comment regarding the deprecated django-tagging library is noteworthy, and this dependency should be carefully reviewed and removed or replaced as soon as possible to mitigate any potential security risks.

Files Changed:

  • requirements.txt: This file has been updated to include the latest version of the django-polymorphic dependency, which is now being installed directly from the GitHub repository. The majority of the other dependencies have specific version numbers pinned, which is a good security practice. The comment about the deprecated django-tagging library is also noteworthy and should be addressed.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 1 finding

Riskiness

🟢 Risk threshold not exceeded.


Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@Maffooch (Contributor)

I did some light reading on this one. The JazzBand account is in the process of taking over the polymorphic repo, and is still waiting on pypi access to be transferred. I would imagine a formal release through pypi will be coming in the next couple of weeks.

I suspect there will be a handful of pypi packages we use that will block the python3.12 upgrade, so rushing on this may end up creating more churn for us in the long run. What do you think @kiblik @mtesauro ?

@kiblik kiblik (Contributor, Author) commented Aug 15, 2024

I did some light reading on this one. The JazzBand account is in the process of taking over the polymorphic repo, and is still waiting on pypi access to be transferred. I would imagine a formal release through pypi will be coming in the next couple of weeks.

I suspect there will be a handful of pypi packages we use that will block the python3.12 upgrade, so rushing on this may end up creating more churn for us in the long run. What do you think @kiblik @mtesauro ?

The sad part is that the ticket for the takeover has been open for a couple of weeks without any progress (pypi/support#4164). It is hard to predict how long we will need to wait.

Plus, it looks like the installation process is broken at the moment: https://github.com/DefectDojo/django-DefectDojo/actions/runs/10405827519/job/28817490858?pr=10334#step:5:1135

Plus, polymorphic is not the only blocker for upgrading to Python3.12. An upgrade of pygithub is needed as well: https://github.com/DefectDojo/django-DefectDojo/pull/10473/files#diff-767da9c92328dd092f33c455f007b9c3a936854ccab95f8130cf821d18af82d0R1749
And it is blocked by missing tests: #9948 (comment)

My conclusion: There are multiple blockers. So missing an upgrade of this one would not solve the whole situation.

Labels: None yet
Projects: None yet
2 participants