
Edit defectdojo.com/pricing link #11678

Open
wants to merge 2 commits into
base: bugfix

Conversation

paulOsinski
Contributor

The banner URL defectdojo.com/pricing is outdated; this link should simply go to defectdojo.com instead. Thanks @valentijnscholten for noticing this!


dryrunsecurity bot commented Jan 27, 2025

DryRun Security Summary

The code changes focus on enhancing DefectDojo's initialization process by implementing security-focused updates to the announcement banner, settings override capabilities, auditlog verification, database setup, JIRA webhook security, and fixture loading, all while maintaining robust security practices.


Summary:

The provided code changes appear to be focused on the initialization and setup of the DefectDojo application, with a strong emphasis on security-related aspects. The changes include updates to the announcement banner, the ability to override multiple settings.py files, auditlog checking, database initialization (including admin user creation), JIRA webhook secret generation, and fixtures loading.

From a security perspective, the changes seem reasonable and in line with good security practices. The code ensures that the admin user's password is not reset if it already exists, generates random and secure secrets for the JIRA webhook, and checks the consistency of the auditlog setting. Additionally, the ability to override multiple settings.py files can be a useful feature, but it's important to ensure that these override files are properly secured and do not introduce any security vulnerabilities.

Files Changed:

  • docker/entrypoint-initializer.sh: This file is responsible for the initialization and setup of the DefectDojo application. The changes include:
    • Updating the announcement banner message to include a link to the "defectdojo.com/contact" page.
    • Allowing for binding multiple settings.py override files from the "/app/docker/extra_settings/" directory.
    • Checking the status of the "ENABLE_AUDITLOG" setting and ensuring it is consistent with the environmental variable "DD_ENABLE_AUDITLOG".
    • Handling the initialization of the application's database, including making migrations, applying them, and creating the admin user.
    • Generating a random JIRA webhook secret and storing it in the "DD_JIRA_WEBHOOK_SECRET" environment variable.
    • Loading various fixtures, including system settings, initial banner configuration, product types, test types, and other related data.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Configured Codepaths Analyzer (2 findings)

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.


DryRun Security Summary

The pull request modifies the entrypoint-initializer.sh script to update the announcement banner URL, implement audit logging checks, and improve admin user account handling during DefectDojo's Docker container initialization process, while maintaining security standards.


Summary:

The code changes in this pull request appear to be focused on updates to the entrypoint-initializer.sh script, which is responsible for initializing and configuring the DefectDojo application during the Docker container startup process. The key changes include an update to the announcement banner URL, checks for the status of the audit logging functionality, and the handling of the admin user account.

From an application security perspective, these changes do not introduce any significant security concerns. The announcement banner update is a minor change to the public-facing content, and the audit log and admin user checks are positive security measures that help maintain the application's security posture. The script is using standard and secure methods to interact with the application's data, such as the Django shell script for updating the Announcement model.

Overall, this code change seems to be a routine update to the application's initialization and configuration process, with a focus on ensuring proper audit logging and admin user handling during the initial setup.

Files Changed:

  • docker/entrypoint-initializer.sh: This script is responsible for initializing and configuring the DefectDojo application during the Docker container startup process. The key changes in this pull request include:
    1. Announcement Banner Update: The code changes the URL in the announcement banner from https://www.defectdojo.com/pricing to https://www.defectdojo.com/.
    2. Auditlog Checks: The script checks the status of the ENABLE_AUDITLOG setting in the system settings and exits with an error code if the auditlog has been disabled in the past.
    3. Admin User Handling: The script checks if the admin user already exists in the database and, if not, creates a new admin user with a randomly generated password.

Code Analysis

We ran 9 analyzers against 1 file and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Configured Codepaths Analyzer (1 finding)

Overall Riskiness

🔴 Risk threshold exceeded.

We've notified @mtesauro, @grendel513.

View PR in the DryRun Dashboard.


Contributor

@mtesauro mtesauro left a comment


Approved

4 participants