Add GHA updater for keep sample data at a reasonable date #11593

Merged: 5 commits, Jan 23, 2025

Conversation

@Maffooch (Contributor) commented Jan 17, 2025

The data in the sample data fixture is super old, and needs to be updated. This PR adds a new binary to slide the dates of all objects forward based on the most recent date in the fixture vs today. So for example, the latest date in this fixture file was in October 2021. This is a little over three years ago, so the binary will slide all dates in the file roughly three years forward.

The GHA is set to run quarterly and open up a new PR to be reviewed with the changes outlined above

[sc-9788]
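The date-sliding described in the PR, written out as an added Python example. It is not the project's fixture-updater binary (whose source is not on this page); the function names, the fixture contents and the field names are constructed for illustration. The example walks a Django-style JSON fixture, takes the calendar day of the most recent ISO-8601 date or datetime found in any field, and moves every such value forward by the whole-day gap between that day and today, so relative spacing and time-of-day are preserved. Only strings that are entirely an ISO date/datetime are rewritten, so free text that merely mentions a date is left alone, and a fixture that is already current is returned unchanged, which matters for a job that runs on a schedule.

```python
"""Slide every ISO-8601 date/datetime in a Django JSON fixture forward so that
the most recent one lands on today, keeping the relative spacing of all others.

Added example for the fixture refresh described in the PR; this is not the
project's fixture-updater binary. The fixture below is constructed."""
import json
import re
from datetime import date, datetime, timedelta

# Only strings that are *entirely* an ISO date or datetime count as dates, so
# free text that merely contains a date is never rewritten.
_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
_DATETIME_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})?$"
)


def _parse(value):
    """Return ("date", date) or ("datetime", datetime) for ISO strings, else None."""
    if not isinstance(value, str):
        return None
    if _DATE_RE.match(value):
        return "date", date.fromisoformat(value)
    if _DATETIME_RE.match(value):
        # fromisoformat() on Python < 3.11 rejects a trailing 'Z'; normalise it.
        text = value[:-1] + "+00:00" if value.endswith("Z") else value
        return "datetime", datetime.fromisoformat(text)
    return None


def _format(kind, value, original):
    """Serialise back, keeping the 'Z' suffix if the original used it."""
    text = value.isoformat()
    if kind == "datetime" and original.endswith("Z") and text.endswith("+00:00"):
        text = text[:-6] + "Z"
    return text


def _walk(node, fn):
    """Apply fn to every string in a JSON structure, returning a new structure."""
    if isinstance(node, dict):
        return {k: _walk(v, fn) for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, fn) for v in node]
    return fn(node) if isinstance(node, str) else node


def latest_day(fixture):
    """Calendar day of the most recent date/datetime anywhere in the fixture."""
    days = []

    def collect(s):
        parsed = _parse(s)
        if parsed:
            kind, value = parsed
            days.append(value if kind == "date" else value.date())
        return s

    _walk(fixture, collect)
    if not days:
        raise ValueError("fixture contains no ISO-8601 dates")
    return max(days)


def shift_fixture(fixture, today=None):
    """Return (shifted_copy, days_moved). A fixture whose newest date is already
    today or in the future comes back unchanged with days_moved == 0, so the
    operation is safe to repeat from a scheduled job."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    days_moved = (today - latest_day(fixture)).days
    if days_moved <= 0:
        return fixture, 0
    delta = timedelta(days=days_moved)

    def shift(s):
        parsed = _parse(s)
        if not parsed:
            return s
        kind, value = parsed
        return _format(kind, value + delta, s)

    return _walk(fixture, shift), days_moved


# Constructed stand-in for a Django fixture; the real sample data is far larger.
SAMPLE_FIXTURE = [
    {"model": "dojo.product", "pk": 1, "fields": {
        "name": "Example Product",
        "created": "2021-10-05T14:22:10Z",
        "updated": "2021-10-05T14:22:10Z"}},
    {"model": "dojo.finding", "pk": 7, "fields": {
        "title": "Outdated dependency",
        "date": "2021-09-01",
        "description": "Last seen 2021-09-01",  # free text: must not change
        "mitigated": None}},
]

if __name__ == "__main__":
    shifted, moved = shift_fixture(SAMPLE_FIXTURE)
    print(f"moved every date forward by {moved} days")
    print(json.dumps(shifted, indent=2))
```

Run it against a real fixture by loading the JSON with `json.load`, passing the list to `shift_fixture`, and writing the result back; reviewing the resulting diff is exactly what the quarterly pull request is for. The whole-day shift is deliberate: shifting by an exact timestamp difference would also change every object's time of day, which makes the review diff noisier without making the data any more realistic.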

dryrunsecurity bot commented Jan 17, 2025

DryRun Security Summary

The code changes update a unit test file and a GitHub Actions workflow for sample data, focusing on documentation and test setup modifications, with potential security considerations around data loading, binary usage, and credential management.

Summary:

The provided code changes appear to be focused on updating the unit test file test_sample_data.py and a GitHub Actions workflow responsible for updating the sample data file defect_dojo_sample_data.json. From an application security perspective, the changes do not introduce any obvious security concerns, as they primarily involve documentation updates and test setup modifications.

However, there are a few areas that warrant further review and consideration:

  1. The use of the call_command function to load data from the fixture file could potentially introduce security risks if the fixture file contains untrusted or malicious data. It's important to ensure that the fixture file is generated from a trusted source and that the data it contains is properly sanitized and validated before being loaded into the application.

  2. The GitHub Actions workflow uses a binary called fixture-updater to update the sample data file. The source code of this binary is not provided, so it's essential to review it to ensure that it doesn't introduce any security vulnerabilities, such as command injection, buffer overflows, or other issues.

  3. The workflow also hardcodes the Git user name and email in the environment variables, which could be a potential security concern if the bot's credentials are compromised. It's recommended to store sensitive information, such as credentials, in a secure manner, like GitHub Secrets.

Overall, the changes appear to be focused on improving the test suite and documentation, and do not seem to introduce any immediate security concerns. However, it's always important to carefully review any changes to an application, especially those that involve data manipulation or loading, to ensure that they do not introduce any unintended security vulnerabilities.

Files Changed:

  1. unittests/test_sample_data.py: The changes in this file involve adding a docstring to the test_loaddata method, which provides the expected command to generate the fixture file defect_dojo_sample_data.json. This change does not introduce any obvious security concerns.

  2. .github/workflows/update-sample-data.yml: This GitHub Actions workflow is responsible for updating the sample data file defect_dojo_sample_data.json. The workflow checks out the code, runs a binary called fixture-updater to update the sample data file, configures Git, creates a new branch, commits the changes, and creates a pull request. The main security concerns are the use of the fixture-updater binary and the hardcoded Git credentials in the environment variables.

Code Analysis

We ran 9 analyzers against 4 files and 0 analyzers had findings. 9 analyzers had no findings.

DryRun Security Summary

The GitHub Actions workflow updates sample data for DefectDojo by automatically creating a pull request with updated data, while considering potential security implications such as hardcoded credentials and ensuring no sensitive information is exposed.

Summary:

The code changes in this pull request are related to a GitHub Actions workflow that is responsible for updating the sample data for the DefectDojo application. The workflow can be triggered manually or on a schedule, and it performs the following tasks: checking out the code, updating the sample data file, configuring Git, creating a new branch with the updated data, and creating a pull request to merge the changes into the dev branch.

From an application security perspective, there are a few points to consider. First, the workflow uses hardcoded Git user name and email values, which could be a security concern if these credentials were to be compromised. It's generally recommended to use environment variables or secrets to store sensitive information like this. Second, the workflow uses the GITHUB_TOKEN secret to authenticate with GitHub, which is a common and secure way to handle authentication in GitHub Actions workflows. Finally, it's important to ensure that the sample data file being updated does not contain any real user data or other sensitive information.

Files Changed:

  • .github/workflows/update-sample-data.yml: This file contains the GitHub Actions workflow that is responsible for updating the sample data for the DefectDojo application. The workflow can be triggered manually or on a schedule, and it performs the following tasks: checking out the code, updating the sample data file, configuring Git, creating a new branch with the updated data, and creating a pull request to merge the changes into the dev branch.

Code Analysis

We ran 9 analyzers against 3 files and 0 analyzers had findings. 9 analyzers had no findings.

@mtesauro (Contributor) left a comment

Approved

@dogboat (Contributor) left a comment

Neat!

@mtesauro mtesauro merged commit 2025212 into DefectDojo:bugfix Jan 23, 2025
73 checks passed