Release: Merge release into master from: release/2.46.0 #12386
Merged (+29,620 −20,652)
Conversation
….0-dev Release: Merge back 2.45.0 into dev from: master-into-dev/2.45.0-2.46.0-dev
Bumps [boto3](https://github.com/boto/boto3) from 1.37.27 to 1.37.28. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.37.27...1.37.28) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.37.28 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [lxml](https://github.com/lxml/lxml) from 5.3.1 to 5.3.2. - [Release notes](https://github.com/lxml/lxml/releases) - [Changelog](https://github.com/lxml/lxml/blob/master/CHANGES.txt) - [Commits](lxml/lxml@lxml-5.3.1...lxml-5.3.2) --- updated-dependencies: - dependency-name: lxml dependency-version: 5.3.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.11.3 to 0.11.4. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.11.3...0.11.4) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.11.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.37.28 to 1.37.29. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.37.28...1.37.29) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.37.29 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [django-extensions](https://github.com/django-extensions/django-extensions) from 3.2.3 to 4.0. - [Release notes](https://github.com/django-extensions/django-extensions/releases) - [Changelog](https://github.com/django-extensions/django-extensions/blob/main/CHANGELOG.md) - [Commits](django-extensions/django-extensions@3.2.3...4.0) --- updated-dependencies: - dependency-name: django-extensions dependency-version: '4.0' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [celery](https://github.com/celery/celery) from 5.4.0 to 5.5.1. - [Release notes](https://github.com/celery/celery/releases) - [Changelog](https://github.com/celery/celery/blob/main/Changelog.rst) - [Commits](celery/celery@v5.4.0...v5.5.1) --- updated-dependencies: - dependency-name: celery dependency-version: 5.5.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.37.29 to 1.37.30. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.37.29...1.37.30) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.37.30 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.37.30 to 1.37.31. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.37.30...1.37.31) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.37.31 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [django-celery-results](https://github.com/celery/django-celery-results) from 2.5.1 to 2.6.0. - [Release notes](https://github.com/celery/django-celery-results/releases) - [Changelog](https://github.com/celery/django-celery-results/blob/main/Changelog) - [Commits](celery/django-celery-results@v2.5.1...v2.6.0) --- updated-dependencies: - dependency-name: django-celery-results dependency-version: 2.6.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* fix * fix * Update ruff.toml --------- Co-authored-by: Cody Maffucci <[email protected]>
* sla_config_updater: add logging * sla_config: use mass update on changes * sla_config: use mass update on changes * sla_config: use mass update on changes * sla_config: use mass update on changes * sla_config: use mass update on changes * sla_config: use mass update on changes * sla_config: use mass update on changes * sla_config: use mass update on changes * cleanup
* Import/Reimport Stats: Change name of left untouched * Update migrations * Failed spell check * Update migration again * Migrate from `left_untouched` to `untouched`
Bumps [boto3](https://github.com/boto/boto3) from 1.37.31 to 1.37.32. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.37.31...1.37.32) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.37.32 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [django-extensions](https://github.com/django-extensions/django-extensions) from 4.0 to 4.1. - [Release notes](https://github.com/django-extensions/django-extensions/releases) - [Changelog](https://github.com/django-extensions/django-extensions/blob/main/CHANGELOG.md) - [Commits](django-extensions/django-extensions@4.0...4.1) --- updated-dependencies: - dependency-name: django-extensions dependency-version: '4.1' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [uwsgi](https://uwsgi-docs.readthedocs.io/en/latest/) from 2.0.28 to 2.0.29. --- updated-dependencies: - dependency-name: uwsgi dependency-version: 2.0.29 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [boto3](https://github.com/boto/boto3) from 1.37.32 to 1.37.33. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.37.32...1.37.33) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.37.33 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [markdown](https://github.com/Python-Markdown/markdown) from 3.7 to 3.8. - [Release notes](https://github.com/Python-Markdown/markdown/releases) - [Changelog](https://github.com/Python-Markdown/markdown/blob/master/docs/changelog.md) - [Commits](Python-Markdown/markdown@3.7...3.8) --- updated-dependencies: - dependency-name: markdown dependency-version: '3.8' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….github/workflows/validate_docs_build.yml) (#12229) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Bumps [django-crispy-forms](https://github.com/django-crispy-forms/django-crispy-forms) from 2.3 to 2.4. - [Release notes](https://github.com/django-crispy-forms/django-crispy-forms/releases) - [Changelog](https://github.com/django-crispy-forms/django-crispy-forms/blob/main/CHANGELOG.md) - [Commits](django-crispy-forms/django-crispy-forms@2.3...2.4) --- updated-dependencies: - dependency-name: django-crispy-forms dependency-version: '2.4' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pillow](https://github.com/python-pillow/Pillow) from 11.1.0 to 11.2.1. - [Release notes](https://github.com/python-pillow/Pillow/releases) - [Changelog](https://github.com/python-pillow/Pillow/blob/main/CHANGES.rst) - [Commits](python-pillow/Pillow@11.1.0...11.2.1) --- updated-dependencies: - dependency-name: pillow dependency-version: 11.2.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
….0-dev Release: Merge back 2.45.1 into dev from: master-into-dev/2.45.1-2.46.0-dev
* view_endpoint fix error * ui tests: add view_endpoint test * ui tests: add view_endpoint test * ui tests: add view_endpoint test * ui tests: add view_endpoint test * ui tests: add view_endpoint test
) * Add input validation (branch to release num) for the release gha * Update .github/workflows/release-1-create-pr.yml Co-authored-by: valentijnscholten <[email protected]> * Update .github/workflows/release-1-create-pr.yml Co-authored-by: valentijnscholten <[email protected]> * Update .github/workflows/release-1-create-pr.yml Co-authored-by: valentijnscholten <[email protected]> * Update .github/workflows/release-1-create-pr.yml Co-authored-by: valentijnscholten <[email protected]> * Update .github/workflows/release-1-create-pr.yml Co-authored-by: valentijnscholten <[email protected]> * Resolving merge conflict --------- Co-authored-by: valentijnscholten <[email protected]>
…ssue (Serious) (#12051) * Update dojo.css * Update package-lock.json
Bumps [ruff](https://github.com/astral-sh/ruff) from 0.11.7 to 0.11.8. - [Release notes](https://github.com/astral-sh/ruff/releases) - [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md) - [Commits](astral-sh/ruff@0.11.7...0.11.8) --- updated-dependencies: - dependency-name: ruff dependency-version: 0.11.8 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Paul Osinski <[email protected]>
Bumps [boto3](https://github.com/boto/boto3) from 1.38.6 to 1.38.7. - [Release notes](https://github.com/boto/boto3/releases) - [Commits](boto/boto3@1.38.6...1.38.7) --- updated-dependencies: - dependency-name: boto3 dependency-version: 1.38.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Update configure_sso.md * Update configure_sso.md
Release 2.46.0: Merge Bugfix into Dev
🔴 Risk threshold exceeded. This pull request contains sensitive edits to multiple core files including models, templates, and importers, and introduces potential security risks related to workflow input validation, dependency updates, secret exposure, and workflow execution controls that may require careful review and mitigation.
⚠️ Configured Codepaths Edits (5 findings; the file path of one finding was not captured in this extract)

| File | Vulnerability | Description |
|---|---|---|
| dojo/models.py | Configured Codepaths Edit | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
| dojo/product/helpers.py | Configured Codepaths Edit | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
| dojo/templates/base.html | Configured Codepaths Edit | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
| dojo/importers/base_importer.py | Configured Codepaths Edit | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
| (file path not captured) | Configured Codepaths Edit | Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml. |
💭 Unconfirmed Findings (5)

| Vulnerability | Description |
|---|---|
| Dependency Version Update Risks | Multiple workflows and Dockerfiles updated dependencies with potential unknown security implications. Risks include introducing unexpected behaviors or subtle security changes, affecting files like .github/workflows/, Dockerfile.*, docker-compose.yml, and components/package.json. |
| Workflow Input Validation Vulnerabilities | Some workflows modified input handling, potentially exposing risks in input validation. Specific risks identified in release-x-manual-merge-container-digests.yml and release-2-tag-docker-push.yml, with potential for input manipulation or bypass of intended workflow controls. |
| Secret and Credential Exposure Risks | Workflows using `secrets: inherit` could expose more secrets than necessary. Hardcoded Git user credentials in release workflows and DockerHub credential usage present potential exposure risks. |
| Potential Information Disclosure | Email addresses and repository-specific conditions could leak internal information. External links in documentation files might introduce tracking or redirection risks. |
| Workflow Execution and Tagging Risks | Identified risks include unrestricted cron schedules, force pushing Git tags, and reduced image tagging controls that could potentially compromise workflow security and integrity. |
We've notified @mtesauro.
All finding details can be found in the DryRun Security Dashboard.
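The "Workflow Input Validation Vulnerabilities" finding above and the "Add input validation (branch to release num) for the release gha" commit in this release both concern values handed to a manually dispatched release workflow. The following POSIX shell functions are an added example, not DefectDojo's own workflow code: they show the check such a job can run before the release number reaches git or any other command, namely a strict MAJOR.MINOR.PATCH whitelist plus a requirement that the source branch be exactly release/<version>. The function and variable names (`is_semver`, `check_release`, `RELEASE_VERSION`, `SOURCE_BRANCH`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not DefectDojo's workflow code): validate the inputs of a
# workflow_dispatch release job before they reach git or any shell command.
# The names is_semver, check_release, RELEASE_VERSION and SOURCE_BRANCH are
# assumptions for illustration.
#
# Intended use inside a workflow step: pass the inputs through env: and read
# them as shell variables, never interpolate ${{ inputs.* }} directly into
# the run: script, which would let a crafted input inject shell commands.
#
#   env:
#     RELEASE_VERSION: ${{ inputs.release_number }}
#     SOURCE_BRANCH:   ${{ github.ref_name }}
#   run: |
#     . ./validate_release.sh
#     check_release "$RELEASE_VERSION" "$SOURCE_BRANCH"

# is_semver VERSION: succeed only if VERSION is exactly MAJOR.MINOR.PATCH with
# digits only. The case guard rejects the empty string and any byte outside
# [0-9.] (newlines, ';', '$', spaces, quotes) before grep sees the value, so
# the regex is only ever applied to a single clean line.
is_semver() {
    case $1 in
        '' | *[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# check_release VERSION BRANCH: succeed only if VERSION is well-formed and
# BRANCH is exactly "release/VERSION"; otherwise say why on stderr and fail,
# so the workflow step stops before anything is tagged or pushed.
check_release() {
    version=$1
    branch=$2
    if ! is_semver "$version"; then
        echo "rejected: release number '$version' is not MAJOR.MINOR.PATCH" >&2
        return 1
    fi
    if [ "$branch" != "release/$version" ]; then
        echo "rejected: branch '$branch' does not match release/$version" >&2
        return 1
    fi
    echo "ok: releasing $version from $branch"
    return 0
}

# Stand-alone demo: ./validate_release.sh 2.46.0 release/2.46.0
if [ "$#" -eq 2 ]; then
    check_release "$1" "$2"
fi
```

The whitelist-then-regex order matters: a value such as `2.46.0` followed by a newline and a second command would pass a line-oriented grep on its first line alone, so bytes outside the allowed set are rejected before any line-based tool is involved. Keeping the branch comparison as an exact string match (rather than a prefix or glob) closes the "bypass of intended workflow controls" case the finding describes, where a release from an arbitrary branch is requested with a plausible-looking version number.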
Labels: apiv2, docker, docs, helm, integration_tests, lint, New Migration (adding a new migration file; take care when merging), parser, settings_changes (needs changes to settings.py based on changes in settings.dist.py included in this PR), ui, unittests
Release triggered by rossops