feat(django): Upgrade to 5.0

[kiblik]

We released 4.2 so we can start migration to 5.0

Needs to be considered: https://docs.djangoproject.com/en/5.0/releases/5.0

Needs to be fixed (to be able to upgrade)

• fix(multiselectfield): Use original repo #10420

Post upgrade improvements (new useful features):

• choices: From list of tuples to dict https://docs.djangoproject.com/en/5.0/releases/5.0/#more-options-for-declaring-field-choices

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Configured Codepaths Analyzer	✅	0 findings
Server-Side Request Forgery Analyzer	✅	0 findings
Sensitive Files Analyzer	❕	1 finding
IDOR Analyzer	✅	0 findings
SQL Injection Analyzer	✅	0 findings
Authn/Authz Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request primarily focus on updating the dependencies and configurations for the DefectDojo application. The key changes include:

1. Updating the Django version from 4.2.13 to 5.0.6, which is a significant version jump and requires careful review of the release notes and changelogs to understand any potential security-related changes or improvements.
2. Updating the django-multiselectfield library to the latest stable version, which is a positive change to benefit from bug fixes and security improvements.
3. Replacing the outdated django-tagging library with a direct reference to the newer django-tagging repository on GitHub, indicating a move towards a more secure solution.
4. Adding new dependencies, such as drf-spectacular, django-ratelimit, and argon2-cffi, which should be reviewed to ensure they are legitimate and necessary for the application, and that they do not introduce any known security vulnerabilities.
5. Adding Celery-related dependencies, which suggests the application is using asynchronous task processing. This functionality should be reviewed for any potential security implications, such as ensuring that tasks are properly validated and authorized.
6. Including the cryptography library, which indicates that the application is handling sensitive data and utilizing cryptographic functions. The specific use cases and implementation details should be reviewed to ensure that the cryptography is being used correctly and securely.

Files Changed:

1. dojo/settings/settings.dist.py: This file is the default settings file for the DefectDojo application. The change sets the FORMS_URLFIELD_ASSUME_HTTPS setting to True to address a warning related to the default scheme for URLField in Django 6.0. This change does not directly impact the security of the application but is a good practice to keep the application's dependencies and configurations up-to-date.
2. dojo/settings/.settings.dist.py.sha256sum: This file is a checksum file for the settings.dist.py configuration file. The change updates the checksum value, indicating that the settings.dist.py file has been modified. Verifying the integrity of configuration files through checksum validation is a good security practice.
3. requirements.txt: This file contains the list of dependencies for the DefectDojo application. The changes include updating the Django version, replacing the django-tagging library, adding new dependencies, and including Celery-related and cryptography-related dependencies. These changes should be reviewed carefully to ensure they do not introduce any security vulnerabilities.

Powered by DryRun Security

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[dryrunsecurity]

DryRun Security Summary

The pull request focuses on maintaining a secure and up-to-date set of dependencies for the DefectDojo project, including upgrading Django, removing outdated libraries, updating configuration file hashes, and addressing Django 6.0 warnings, all aimed at improving the security and stability of the application.

Expand for full summary

Summary:

The code changes in this pull request are focused on maintaining a secure and up-to-date set of dependencies for the DefectDojo project. The key changes include:

1. Upgrading the Django version from 4.2.14 to 5.0.7, which helps address any known security vulnerabilities in the previous version.
2. Removing the outdated django-multiselectfield library version 0.1.12, which is a good practice to eliminate the use of potentially vulnerable or unsupported dependencies.
3. Updating the SHA-256 hash value for the dojo/settings/.settings.dist.py configuration file, which is a routine change to maintain the integrity of the configuration file.
4. Addressing warnings related to the URLField in Django 6.0 by setting the FORMS_URLFIELD_ASSUME_HTTPS setting to True, which is a temporary measure until the setting is removed in the future.

Overall, these changes appear to be focused on improving the security and stability of the DefectDojo application as it prepares for future versions of Django.

Files Changed:

1. requirements.txt: The outdated django-multiselectfield library has been updated from version 0.1.12 to 0.1.13, and the Django version has been upgraded from 4.2.14 to 5.0.7. These changes help maintain a secure and up-to-date set of dependencies for the project.

2. dojo/settings/.settings.dist.py.sha256sum: The SHA-256 hash value for the dojo/settings/.settings.dist.py configuration file has been updated, indicating that the corresponding configuration file has been modified. This is a routine change to maintain the integrity of the configuration file.

3. dojo/settings/settings.dist.py: The changes in this file are focused on addressing warnings related to the URLField in Django 6.0 by setting the FORMS_URLFIELD_ASSUME_HTTPS setting to True. This is a temporary measure until the setting is removed in the future. The changes also include various security-related settings to improve the overall security of the application.

Code Analysis

We ran 9 analyzers against 3 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Sensitive Files Analyzer	1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[mtesauro]

Hold on merging this until after the 2.37.0 (August) minor release

So, nothing really to do here - just a note to my future self.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.