Release: Merge back 2.58.0 into bugfix from: master-into-bugfix/2.58.0-2.59.0-dev#14804
Merged
….0-dev Release: Merge back 2.57.0 into dev from: master-into-dev/2.57.0-2.58.0-dev
…ents-dev.txt) (#14654) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…github/workflows/renovate.yaml) (#14637) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ckerfile.integration-tests-debian) (#14652) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…lpine (docker-compose.yml) (#14653) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…flows/release-x-manual-tag-as-latest.yml) (#14655) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [sqlalchemy](https://github.com/sqlalchemy/sqlalchemy) from 2.0.48 to 2.0.49. - [Release notes](https://github.com/sqlalchemy/sqlalchemy/releases) - [Changelog](https://github.com/sqlalchemy/sqlalchemy/blob/main/CHANGES.rst) - [Commits](https://github.com/sqlalchemy/sqlalchemy/commits) --- updated-dependencies: - dependency-name: sqlalchemy dependency-version: 2.0.49 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…14658) Bumps [drf-spectacular-sidecar](https://github.com/tfranzel/drf-spectacular-sidecar) from 2026.3.1 to 2026.4.1. - [Commits](tfranzel/drf-spectacular-sidecar@2026.3.1...2026.4.1) --- updated-dependencies: - dependency-name: drf-spectacular-sidecar dependency-version: 2026.4.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pillow](https://github.com/python-pillow/Pillow) from 12.1.1 to 12.2.0. - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@12.1.1...12.2.0) --- updated-dependencies: - dependency-name: pillow dependency-version: 12.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…lpine) (#14669) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
….0-dev Release: Merge back 2.57.1 into dev from: master-into-dev/2.57.1-2.58.0-dev
…github/workflows/renovate.yaml) (#14674) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: valentijnscholten <valentijnscholten@gmail.com>
…kerfile.nginx-alpine) (#14683) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ckerfile.integration-tests-debian) (#14684) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…validate_docs_build.yml) (#14685) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…workflows/release-x-manual-docker-containers.yml) (#14686) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…14688) Bumps [drf-spectacular-sidecar](https://github.com/tfranzel/drf-spectacular-sidecar) from 2026.4.1 to 2026.4.14. - [Commits](tfranzel/drf-spectacular-sidecar@2026.4.1...2026.4.14) --- updated-dependencies: - dependency-name: drf-spectacular-sidecar dependency-version: 2026.4.14 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pygithub](https://github.com/pygithub/pygithub) from 2.9.0 to 2.9.1. - [Release notes](https://github.com/pygithub/pygithub/releases) - [Changelog](https://github.com/PyGithub/PyGithub/blob/main/doc/changes.rst) - [Commits](PyGithub/PyGithub@v2.9.0...v2.9.1) --- updated-dependencies: - dependency-name: pygithub dependency-version: 2.9.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.15.9 to 0.15.10. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.15.9...0.15.10) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.15.10 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….github/workflows/update-sample-data.yml) (#14691) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…hub/workflows/release-x-manual-helm-chart.yml) (#14693) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [django-dbbackup](https://github.com/Archmonger/django-dbbackup) from 5.2.0 to 5.3.0. - [Release notes](https://github.com/Archmonger/django-dbbackup/releases) - [Changelog](https://github.com/Archmonger/django-dbbackup/blob/master/CHANGELOG.md) - [Commits](Archmonger/django-dbbackup@5.2.0...5.3.0) --- updated-dependencies: - dependency-name: django-dbbackup dependency-version: 5.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…/workflows/release-x-manual-docker-containers.yml) (#14695) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…t.yaml) (#14696) * Update valkey Docker tag from 0.18.0 to v0.19.0 (helm/defectdojo/Chart.yaml) * update Helm documentation --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Bumps [lxml](https://github.com/lxml/lxml) from 6.0.2 to 6.0.4. - [Release notes](https://github.com/lxml/lxml/releases) - [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt) - [Commits](lxml/lxml@lxml-6.0.2...lxml-6.0.4) --- updated-dependencies: - dependency-name: lxml dependency-version: 6.0.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….github/workflows/release-drafter.yml) (#14699) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…ows/release-3-master-into-dev.yml) (#14700) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
fix(sonarqube): mdDesc fallback
…outside-scope-delete async delete: remove obsolete outside scope delete
perf test: cover unsaved tags and vulnerability_ids
* security: remove pickle from forms and Celery serializer

  Pickle deserialization on attacker-controllable bytes is arbitrary code execution. Two sites used pickle:

  - The survey choice-question form pickled/unpickled a list of strings through MultiExampleField.compress / MultiWidgetBasic.decompress and pickle.loads in survey/views.py. Switched to json — the data is just a list of up to 6 strings.
  - Celery defaulted to the pickle serializer with CELERY_ACCEPT_CONTENT including pickle/yaml/msgpack so dispatch sites could pass Django model instances and a Dojo_User on the wire. Made every task argument JSON-serializable: async_delete_task takes (model_label, pk) and refetches; SLA recompute takes (sla_config_id, product_ids); per-channel notification sends run inline inside the surrounding async_create_notification task instead of dispatching an inner Celery task with model instances; user context is injected as async_user_id and resolved in the worker.

  Flipped DD_CELERY_TASK_SERIALIZER default to json, tightened CELERY_ACCEPT_CONTENT to ["json"], and added CELERY_RESULT_SERIALIZER = "json".

  Added unittests/test_no_pickle.py as a regression net (asserts no pickle imports in dojo/ and that the Celery serializer settings stay JSON-only) and unittests/test_survey_forms.py for the widget round-trip.

  Operator note: workers running this version reject in-flight pickled messages with ContentDisallowed. Drain the broker (`celery -A dojo purge -f`) or scale workers to zero before deploy.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test: update importer perf-test query counts after pickle removal

  The async_user_id user resolution and refetch in async_delete_task / SLA recompute add 1-6 queries per scenario; CI auto-generated the new expected counts.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(sla): reset in-memory async_updating after dispatch

  Before the pickle removal, the SLA recompute task received the SLA_Configuration / Product instances by reference (Celery's sync .apply() does not serialize). The inner update function set async_updating=False on those shared instances, so the dispatcher's local self.async_updating ended up False as well.

  After switching the dispatch to pass IDs and refetch in the task, the inner function only resets async_updating on its refetched copies. The dispatcher's in-memory self.async_updating stayed True, so a subsequent save() on the same instance triggered the lock-revert path at SLA_Configuration.save() line 1058 and overwrote the caller's field changes (e.g. enforce_critical) with the DB values. Manifested as test_sla_expiration_date_after_sla_not_enforced failing: sla_config.enforce_critical=False was reverted to True on save.

  Reset async_updating on the in-memory caller instances after dispatch returns to keep them consistent with the post-task DB state.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Adding try/except to channels

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: Ross Esposito <rossespo@gmail.com>
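The two changes described in the commit above, as an added example that is not DefectDojo's own code: a JSON-backed compress/decompress pair for a widget value that is a list of up to 6 strings (the names `compress_choices`, `decompress_choices` and `MAX_CHOICES` are assumptions standing in for MultiExampleField.compress / MultiWidgetBasic.decompress), and a regression check on the Celery serializer settings in the spirit of test_no_pickle.py (the setting dicts are constructed; CELERY_TASK_SERIALIZER is the assumed Django-side key behind DD_CELERY_TASK_SERIALIZER).

```python
import json

# Added illustration of the commit's approach, not DefectDojo's own
# MultiExampleField / MultiWidgetBasic code. The message says the survey
# widget value is a list of up to 6 strings, so that is the assumed schema.
MAX_CHOICES = 6


def compress_choices(choices):
    """Serialize the widget's list of strings with json instead of pickle."""
    if not isinstance(choices, list) or len(choices) > MAX_CHOICES:
        raise ValueError(f"expected a list of at most {MAX_CHOICES} strings")
    if not all(isinstance(c, str) for c in choices):
        raise ValueError("every choice must be a string")
    return json.dumps(choices)


def decompress_choices(raw):
    """Parse a stored value back into a list of strings.

    json.loads only builds plain data types, so a tampered value can at
    worst fail the schema check; it cannot run code the way pickle.loads
    on the same bytes could. Anything invalid maps to a blank widget ([]).
    """
    if not raw:
        return []
    try:
        data = json.loads(raw)
    except (TypeError, ValueError):
        return []
    if not isinstance(data, list) or len(data) > MAX_CHOICES:
        return []
    return data if all(isinstance(c, str) for c in data) else []


def celery_serializers_json_only(settings):
    """Regression check in the spirit of the commit's test_no_pickle.py:
    task, result and accepted-content serializers must all be JSON-only."""
    return (
        settings.get("CELERY_TASK_SERIALIZER") == "json"
        and settings.get("CELERY_RESULT_SERIALIZER") == "json"
        and list(settings.get("CELERY_ACCEPT_CONTENT", [])) == ["json"]
    )


# Constructed settings dicts: pre-fix defaults as the message describes them,
# and the post-fix values it sets.
BEFORE = {"CELERY_TASK_SERIALIZER": "pickle",
          "CELERY_ACCEPT_CONTENT": ["pickle", "json", "yaml", "msgpack"]}
AFTER = {"CELERY_TASK_SERIALIZER": "json",
         "CELERY_RESULT_SERIALIZER": "json",
         "CELERY_ACCEPT_CONTENT": ["json"]}
```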
Release 2.58.0: Merge Bugfix into Dev
Release: Merge release into master from: release/2.58.0
This pull request includes a sensitive edit to
🔴 Configured Codepaths Edit in
| Vulnerability | Configured Codepaths Edit |
|---|---|
| Description | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
We've notified @mtesauro.
Comment to provide feedback on these findings.
Report false positive: @dryrunsecurity fp [FINDING ID] [FEEDBACK]
Report low-impact: @dryrunsecurity nit [FINDING ID] [FEEDBACK]
Example: @dryrunsecurity fp drs_90eda195 This code is not user-facing
All finding details can be found in the DryRun Security Dashboard.
Release triggered by
rossops