feat(bash-script): Drop all dc- scripts

[kiblik]

Since DD does not support MySQL and RabbitMQ, dc- scripts do not have additional values (they existed to simplify usage of --profile and --env-file parameters). Now they are more limiting as they support only one additional parameters.

As only one DB backed and one MB backed is used, --no-deps is no longer needed.

Scripts for unittests and integration tests are still useful (from my perspective). But they have been renamed to decrease confusion as to why they are named that way.

[dryrunsecurity]

DryRun Security Summary

The code changes primarily focus on updating Docker Compose-based deployment and testing infrastructure in DefectDojo, including removal of the '--no-deps' flag, documentation updates, and script modifications, while maintaining security considerations around input validation, sensitive information handling, and Docker image sources.

Expand for full summary

Summary:

The provided code changes cover various updates and improvements to the DefectDojo application, primarily focused on the Docker Compose-based deployment and testing infrastructure. The changes do not appear to introduce any significant security vulnerabilities, but there are a few areas that warrant further consideration from an application security perspective:

1. Input Validation: Some of the scripts, such as run-unittest.sh, do not perform strict input validation on the provided arguments. This could potentially lead to command injection vulnerabilities if the input is not properly sanitized.

2. Sensitive Information Exposure: The test output may contain sensitive information, such as database credentials or API keys. Ensure that the test execution and output handling do not expose any confidential data.

3. Test Case Review: The ability to run specific test cases provides flexibility, but it's important to review the test cases to ensure they do not contain any malicious code or logic that could compromise the application or the underlying system.

4. Docker Image Sources: While the changes mention the use of specific Docker image versions, it's crucial to ensure that these images are obtained from a trusted and secure source, such as a private Docker registry or a verified Docker Hub repository, to mitigate the risk of introducing malicious code or vulnerabilities.

5. Ongoing Security Monitoring: Even though the changes themselves do not introduce obvious security risks, it's essential to continuously monitor the DefectDojo application and its infrastructure for any emerging vulnerabilities or security concerns, and to apply updates and patches in a timely manner.

Files Changed:

1. .github/workflows/rest-framework-tests.yml: The changes remove the --no-deps flag from the docker compose up command, which ensures that all necessary Docker containers are started during the unit tests.
2. .github/workflows/integration-tests.yml: The changes remove the --no-deps flag from the docker compose up commands and introduce timeout settings for the initialization and integration tests.
3. .github/workflows/fetch-oas.yml: The changes remove the --no-deps flag from the docker compose up command in the "Start Dojo" step.
4. README.md: The changes update the instructions for running DefectDojo using Docker Compose V2.
5. docs/content/en/open_source/contributing/how-to-write-a-parser.md: The changes provide updated instructions for running unit tests for parsers in the DefectDojo project.
6. docs/content/en/open_source/upgrading/2.43.md: The changes document updates to the "disclaimer" field, the removal of dc- scripts, and changes to the hash code calculation for the Rusty Hog parser.
7. docs/content/en/open_source/upgrading/_index.md: The changes update the instructions for upgrading a DefectDojo installation using Docker Compose.
8. readme-docs/DOCKER.md: The changes improve the documentation and provide more clarity around the Docker Compose setup for running the DefectDojo application.
9. run-integration-tests.sh: The changes update the script to use the docker compose command instead of the deprecated docker-compose command.
10. run-unittest.sh: The script allows the execution of a specific test case, but it does not perform strict input validation on the provided argument.

Code Analysis

We ran 9 analyzers against 16 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

[dryrunsecurity]

DryRun Security Summary

The pull request focuses on improving DefectDojo's deployment, testing, and documentation through various file changes, with an emphasis on maintaining application security by addressing potential vulnerabilities in Docker configurations, input validation, testing practices, and documentation management.

Expand for full summary

Summary:

The provided code changes span multiple files and focus on various aspects of the DefectDojo project, including documentation updates, GitHub Actions workflows, and script modifications. From an application security perspective, the changes do not introduce any obvious security vulnerabilities, but there are a few areas that should be considered:

1. Docker Compose and Container Security: The changes involve updates to the Docker Compose configuration and scripts, which are important for ensuring the secure deployment and operation of the DefectDojo application. It's crucial to maintain a vigilant approach to container security, including proper configuration, dependency management, and image scanning.

2. Input Validation and Sanitization: Some of the changes involve the use of user-supplied input, such as environment variables and test case names. It's important to ensure that these inputs are properly validated and sanitized to prevent potential injection attacks (e.g., SQL injection, command injection).

3. Secure Testing Practices: The changes include updates to the unit and integration testing workflows. While testing is a crucial aspect of application security, it's important to ensure that the test data and environment do not contain any sensitive information that could be accidentally exposed or misused.

4. Secure Documentation and Configuration Management: The documentation updates, such as the instructions for upgrading and running DefectDojo, are important for ensuring that users can securely deploy and maintain the application. It's crucial to keep these documents up-to-date and accurate, and to consider the security implications of any changes.

Overall, the changes in this pull request appear to be focused on improving the deployment, testing, and documentation of the DefectDojo project, which is a positive step from an application security perspective. However, it's important to continue to monitor the project's security posture and address any potential vulnerabilities that may arise.

Files Changed:

1. README.md: The changes introduce instructions for running DefectDojo using Docker Compose V2 and provide guidance for the older Docker Compose V1. The changes do not introduce any obvious security concerns.

2. .github/workflows/integration-tests.yml: The changes remove the --no-deps flag from the docker compose up commands, ensuring that all necessary containers are started. This is a positive security enhancement.

3. .github/workflows/rest-framework-tests.yml: The changes remove the --no-deps flag from the docker compose up command, which is a security improvement. However, the use of raw SQL queries in the getPastOrderCount() method should be reviewed for potential SQL injection vulnerabilities.

4. .github/workflows/fetch-oas.yml: The changes remove the --no-deps flag from the docker compose up command, which is a positive change. However, the use of hardcoded versions and the potential for a denial of service (DoS) situation should be considered.

5. docs/content/en/open_source/upgrading/2.43.md: The changes are primarily documentation updates, which do not introduce any obvious security concerns.

6. docs/content/en/open_source/upgrading/_index.md: The changes focus on improving the upgrade process, which is a positive security practice.

7. docs/content/en/open_source/contributing/how-to-write-a-parser.md: The changes update the instructions for running unit tests for parsers, which is a positive security practice.

8. run-integration-tests.sh: The changes improve the integration testing process and do not introduce any obvious security concerns, but the use of environment variables should be reviewed for potential security implications.

9. docs/content/en/open_source/upgrading/upgrading_guide.md: The changes provide instructions for upgrading the DefectDojo application, focusing on security-related aspects such as database migrations and versioning.

10. readme-docs/DOCKER.md: The changes streamline the Docker Compose instructions and include guidance on running the application with HTTPS, which is a security best practice.

11. run-unittest.sh: The changes are minor and do not introduce any obvious security concerns, but the input validation and secure test data should be reviewed.

Code Analysis

We ran 9 analyzers against 16 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

[mtesauro]

Thanks for this PR - it was on my list of things to simplify in DefectDojo so it's as easy to use as is feasible and, like you noticed, not having MySQL & RabbitMQ support means those dc- things are no longer necessary 👍

[mtesauro]

Approved

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.