
feat(docker): Use Python 3.12 in docker images #10473

Draft: wants to merge 8 commits into base: dev
Conversation

@kiblik kiblik (Contributor) commented Jun 28, 2024

Next try for #10333

dryrunsecurity bot commented Jun 28, 2024

Hi there 👋, @DryRunSecurity here. Below is a summary of our analysis and findings.

| DryRun Security Status                | Findings   |
|---------------------------------------|------------|
| Server-Side Request Forgery Analyzer  | 0 findings |
| Configured Codepaths Analyzer         | 0 findings |
| IDOR Analyzer                         | 0 findings |
| Sensitive Files Analyzer              | 0 findings |
| SQL Injection Analyzer                | 0 findings |
| Authn/Authz Analyzer                  | 0 findings |
| Secrets Analyzer                      | 0 findings |

Note: 🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes are related to updating the base Docker images used in the deployment of a Django-based application. The key changes include:

  1. Upgrading the base Python image from version 3.11.9 to 3.12.4 across multiple Dockerfiles, which is a good security practice to ensure the application is running on the latest version with the latest security patches and bug fixes.

  2. Ensuring the necessary dependencies are installed, such as system-level libraries, web server configurations (Nginx), and testing-specific tools (Chrome, ChromeDriver, OpenAPI Generator), to provide a complete and consistent environment for the application.

  3. Implementing security best practices, such as running the application as a non-root user, using environment variables to manage sensitive information, and verifying the integrity of downloaded packages.

  4. Addressing deprecation warnings and improving the user interface by updating the Django form renderer configuration.

From an application security perspective, the changes appear to be focused on maintaining the security and stability of the application's deployment environment. The updates to the base Python image, dependency management, and security-related configurations are all positive steps towards ensuring the overall security posture of the application.

Files Changed:

  1. Dockerfile.django-debian: Updates the base Python image from 3.11.9 to 3.12.4, following security best practices such as using a slim-based image, installing only necessary dependencies, and running the application as a non-root user.

  2. Dockerfile.django-alpine: Similar to the changes in Dockerfile.django-debian, this file updates the base Python image and installs the necessary dependencies for the Django application, also following security best practices.

  3. Dockerfile.integration-tests-debian: Updates the base Python image and installs additional dependencies required for running integration tests with Selenium and Google Chrome, ensuring a secure and consistent testing environment.

  4. Dockerfile.nginx-alpine: Updates the base Python image and includes the configuration for the Nginx web server, including TLS/SSL settings and metrics monitoring, which should be carefully reviewed for security implications.

  5. Dockerfile.nginx-debian: Similar to the changes in Dockerfile.nginx-alpine, this file updates the base Python image and includes the Nginx web server configuration.

  6. dojo/settings/settings.dist.py: Addresses a deprecation warning related to the pkg_resources module and updates the default renderer for Django forms, improving the user interface.

Powered by DryRun Security

github-actions bot (Contributor) commented Jul 8, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions github-actions bot added the label "settings_changes" (Needs changes to settings.py based on changes in settings.dist.py included in this PR) on Jul 8, 2024

github-actions bot (Contributor) commented Jul 8, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

dryrunsecurity bot commented Jul 8, 2024

DryRun Security Summary

The pull request updates the base Docker images and configurations for the DefectDojo vulnerability management platform, focusing on Python version upgrades, dependency management, security configuration, deduplication and hashing, and file upload restrictions to maintain the security and reliability of the application.


Summary:

The code changes in this pull request are primarily focused on updating the base Docker images and configurations for the DefectDojo application, which is an open-source vulnerability management platform. The key changes include:

  1. Python Version Upgrades: The base Docker images have been updated to use the latest version of Python (3.12.4) across multiple Dockerfiles, including the integration tests, Django, and Nginx-based deployments. This is a positive security-focused change, as newer Python versions often include security fixes and improvements.

  2. Dependency Management: The Dockerfiles ensure that the necessary system-level dependencies and Python libraries are installed and up-to-date. This includes packages for database connectivity, XML processing, and front-end asset management.

  3. Security Configuration: The code changes include updates to security-related settings, such as enabling HTTPS, setting HttpOnly and Secure flags on cookies, and configuring CSRF protection. Additionally, the application supports various authentication mechanisms, including social authentication and SAML2.

  4. Deduplication and Hashing: The code includes settings for configuring the deduplication of findings, including the ability to specify custom deduplication algorithms and hashing mechanisms for different scanners.

  5. File Upload Restrictions: The code includes settings for configuring the maximum size of uploaded files and the types of files that can be uploaded, which is an important security consideration for a vulnerability management platform.

Overall, the code changes in this pull request appear to be focused on maintaining the security and reliability of the DefectDojo application, with a particular emphasis on keeping the underlying components up-to-date and properly configuring the security-related features.

Files Changed:

  1. Dockerfiles: The Dockerfiles for the integration tests, Django, and Nginx-based deployments have been updated to use the latest version of Python (3.12.4) and ensure that the necessary dependencies are installed.
  2. dojo/settings/.settings.dist.py.sha256sum: The SHA-256 checksum for the dojo/settings/.settings.dist.py file has been updated, indicating that the configuration file has been modified.
  3. dojo/settings/settings.dist.py: The configuration file for the DefectDojo application has been updated to address deprecation warnings, configure security-related settings, and manage deduplication and hashing of findings.

Code Analysis

We ran 7 analyzers against 7 files and 0 analyzers had findings. 7 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.
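Item 2 of the "Files Changed" list above records that dojo/settings/.settings.dist.py.sha256sum was updated alongside settings.dist.py, and the "settings_changes" label on this PR is the corresponding signal to deployments that maintain their own settings.py overrides. The snippet below is an added, stand-alone illustration of that kind of checksum drift check; it is not DefectDojo's own tooling, and it assumes a sha256sum-style stored line ("<hex digest>  <filename>") and uses a constructed stand-in for the settings file.

```python
import hashlib
import hmac
import re

# Constructed stand-in for dojo/settings/settings.dist.py (the real file is
# far larger); it only exists so the check below runs offline.
SAMPLE_SETTINGS = b"""# constructed stand-in for settings.dist.py
DEBUG = False
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_HTTPONLY = True
FORM_RENDERER = 'django.forms.renderers.DjangoTemplates'
"""

# One sha256sum-style line: 64 hex digits, optionally followed by a filename
# (assumed format; a '*' prefix marks binary mode in sha256sum output).
CHECKSUM_RE = re.compile(r"^([0-9a-f]{64})(?:\s+\*?(\S+))?\s*$", re.IGNORECASE)


def compute_checksum(content: bytes) -> str:
    """SHA-256 of the raw file bytes as lowercase hex (what sha256sum prints)."""
    return hashlib.sha256(content).hexdigest()


def render_checksum_file(content: bytes, filename: str = "settings.dist.py") -> str:
    """Produce the stored checksum line for a given settings file content."""
    return f"{compute_checksum(content)}  {filename}\n"


def parse_checksum_file(text: str) -> str:
    """Extract the recorded digest; tolerate a trailing filename and CRLF.

    Anything other than exactly one well-formed digest line raises, so a
    truncated or hand-edited checksum file fails closed instead of
    silently reporting 'no drift'.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError("expected exactly one checksum line")
    match = CHECKSUM_RE.match(lines[0])
    if not match:
        raise ValueError("malformed checksum line")
    return match.group(1).lower()


def settings_drifted(content: bytes, stored_checksum_text: str) -> bool:
    """True when the settings file no longer matches the recorded digest.

    That is the condition under which a PR would need the checksum file
    refreshed and downstream settings.py overrides re-reviewed.
    """
    expected = parse_checksum_file(stored_checksum_text)
    actual = compute_checksum(content)
    # Nothing here is secret, but constant-time comparison is the habit to
    # keep for every digest comparison.
    return not hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    stored = render_checksum_file(SAMPLE_SETTINGS)
    print("unchanged ->", settings_drifted(SAMPLE_SETTINGS, stored))
    edited = SAMPLE_SETTINGS.replace(b"DEBUG = False", b"DEBUG = True")
    print("edited    ->", settings_drifted(edited, stored))
```

Run as-is it reports no drift for the unmodified stand-in and drift once a single setting is changed; in a CI job the same check would read the committed checksum file and the current settings.dist.py and fail (or add a label) when they disagree.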

@kiblik kiblik force-pushed the docker_python3.12 branch 2 times, most recently from d38b2b0 to f290717 on July 9, 2024 07:39
Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Labels: conflicts-detected, docker, settings_changes (Needs changes to settings.py based on changes in settings.dist.py included in this PR)

1 participant