Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Direct Renovate to ignore MySQL and RabbitMQ packages #10512

Merged
merged 1 commit into from
Jul 8, 2024

Conversation

cneill
Copy link
Contributor

@cneill cneill commented Jul 3, 2024

Description

Since we have deprecated MySQL and RabbitMQ as of v2.36.0, this PR will remove them from the list of packages for which Renovate will open PRs for every version bump (as seen with e.g. #10502 #10510). This is part of our gradual removal of these packages now that they are no longer supported.

This PR should be reverted once these packages are totally removed.

Test results

N/A

Documentation

N/A

Copy link

dryrunsecurity bot commented Jul 3, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Server-Side Request Forgery Analyzer 0 findings
Configured Codepaths Analyzer 0 findings
IDOR Analyzer 0 findings
Sensitive Files Analyzer 0 findings
SQL Injection Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

This code change is related to the configuration of the Renovate bot, which is a tool used for automating dependency updates in software projects. The key changes include ignoring specific dependencies (MySQL and RabbitMQ), excluding certain file paths from the update process, updating the commit message format for dependency updates, and mapping a registry alias.

From an application security perspective, the most interesting aspect of this change is the exclusion of the "mysql" and "rabbitmq" dependencies from being automatically updated. This could be a security-related decision, as these dependencies may be critical to the application's functionality and should be updated with caution to avoid introducing vulnerabilities. Additionally, the exclusion of certain file paths could also be a security-related decision, as it may exclude files or directories that contain sensitive information or are critical to the application's security.

Overall, this code change appears to be a routine update to the Renovate bot configuration, with a focus on controlling which dependencies are automatically updated and which files are excluded from the update process. While there are no obvious security concerns, it's important to review the impact of such changes on the overall security posture of the application.

Files Changed:

  • .github/renovate.json: This file contains the configuration for the Renovate bot, which is used to automate dependency updates in the project. The changes include:
    • Ignoring the "mysql" and "rabbitmq" dependencies, which could be a security-related decision.
    • Excluding additional file paths, such as "requirements.txt", "components/package.json", and others, from the update process, which could also be a security-related decision.
    • Updating the commit message format for dependency updates to include the current and new versions, as well as the package file that was updated.
    • Mapping the "bitnami" registry to the "https://charts.bitnami.com/bitnami" URL.

Powered by DryRun Security

Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@Maffooch Maffooch merged commit 3e096e1 into DefectDojo:bugfix Jul 8, 2024
124 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants