
Bump selenium

Open cneill opened this issue 1 year ago • 2 comments

Description

This moves the dependencies currently installed in the integration tests Dockerfile into a dedicated requirements.txt and bumps Selenium from 4.9.0 to 4.23.0.

cneill avatar Aug 23 '24 16:08 cneill

DryRun Security Summary

The provided code changes focus on improving the testing infrastructure of the DefectDojo application, including updates to Python dependency management, the Dockerfile for the integration test environment, and the entrypoint script for running the integration tests, with the overall goal of enhancing the reliability, maintainability, and security of the testing environment.


Summary:

The provided code changes cover various aspects of the application's testing infrastructure, including updates to the Python dependency management, the Dockerfile used for the integration test environment, and the entrypoint script for running the integration tests.

From an application security perspective, the changes generally demonstrate a positive approach to improving the reliability, maintainability, and security of the testing environment. Key highlights include:

  1. The use of a requirements file for managing Python dependencies, which allows for better dependency management and version control.
  2. The secure installation of the latest stable version of Google Chrome and its dependencies, reducing the risk of using outdated or potentially vulnerable versions.
  3. The comprehensive set of integration tests covering various aspects of the application, including API schema validation, which is crucial for identifying and addressing potential security vulnerabilities.

While there are a few minor concerns, such as the temporary debugging commands and the use of the --no-sandbox option when running Chrome in headless mode, these issues can be easily addressed by removing the temporary commands and exploring more secure alternatives for running the browser in the test environment.

Overall, the code changes appear to be focused on improving the testing infrastructure and ensuring the ongoing security and integrity of the DefectDojo application.

Files Changed:

  1. requirements-int.txt: This file has been updated to include two new dependencies: selenium==4.23.0 and requests==2.32.3. These are common and widely-used libraries that do not typically introduce significant security risks when used properly.
  2. tests/base_test_class.py: The changes in this file focus on updating the Selenium WebDriver configuration for running UI tests, including setting up the Chrome binary location, configuring logging preferences, and initializing the Chrome WebDriver service. These changes aim to provide a more robust and configurable WebDriver setup, improving the reliability of the UI tests.
  3. Dockerfile.integration-tests-debian: The changes in this Dockerfile improve the reliability, maintainability, and security of the integration test environment. Key updates include using a requirements file for managing dependencies, securely installing the latest stable version of Google Chrome and its dependencies, and installing additional necessary packages for running the integration tests.
  4. docker/entrypoint-integration-tests.sh: The changes in this script include some temporary debugging commands, as well as commented-out commands for running Chrome in headless mode with the --no-sandbox option. These temporary debugging commands should be removed, and the use of the --no-sandbox option should be carefully reviewed to ensure a more secure configuration.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

dryrunsecurity[bot] avatar Aug 23 '24 16:08 dryrunsecurity[bot]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions[bot] avatar Sep 03 '24 20:09 github-actions[bot]

It looks like there has not been any activity here for a while. In order to keep the list of pull requests in a manageable state, we are closing this one for now. If we are making a mistake here, please reopen the pull request, and leave us a note 😄

Maffooch avatar Nov 15 '24 22:11 Maffooch