
minor: use django.conf.settings over dojo.settings everywhere#14434

Open
fopina wants to merge 3 commits into DefectDojo:dev from fopina:fork_friendly/settings_module

Conversation

@fopina (Contributor) commented Mar 2, 2026

Description

I was having issues when setting DJANGO_MODULE_SETTINGS to a custom module and noticed that dojo.settings was imported directly in some places:

  • wsgi.py
    • I can't find anything using this file (only dojo/wsgi.py)
    • typical django project does not have it either - only mainapp/wsgi.py and it is currently here
    • deleted
  • dojo/location/models.py - setting read from dojo.settings instead of django.conf.settings
    • replaced use with django.conf.settings
    • also moved to app.ready() to avoid triggering LazySettings evaluation at model import time
  • widgets.py - also replace dojo.settings direct use
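The two points in the description above (a direct `from dojo.settings import ...` ignores a custom settings module, and reading a setting at model-import time forces Django's lazy settings to resolve too early) can be seen without Django installed. The block below is an added illustration and is not code from this PR or from DefectDojo: `LazySettings` is a simplified stand-in for `django.conf.LazySettings` (it raises `RuntimeError` where Django raises `ImproperlyConfigured`), the two settings modules are constructed in memory, `LOCATION_MAX_DEPTH` is a hypothetical setting name, and `LocationAppConfig` is a stand-in for an `AppConfig` whose `ready()` does the read. The environment variable Django actually consults is `DJANGO_SETTINGS_MODULE`.

```python
"""Added demo (not PR/DefectDojo code): why django.conf.settings is fork-friendly
and why a module-level settings read in models.py is fragile. Django is not
imported; LazySettings is a simplified model of django.conf.LazySettings."""
import importlib
import os
import sys
import types

DEFAULT_MODULE = "dojo_settings_demo"  # constructed stand-in for dojo.settings
FORK_MODULE = "fork_settings_demo"     # constructed stand-in for a fork's settings module


def _register_module(name: str, **attrs) -> types.ModuleType:
    """Create an importable module on the fly so the demo needs no files on disk."""
    mod = types.ModuleType(name)
    mod.__dict__.update(attrs)
    sys.modules[name] = mod
    return mod


# LOCATION_MAX_DEPTH is a hypothetical setting, not a real DefectDojo one.
_register_module(DEFAULT_MODULE, LOCATION_MAX_DEPTH=3)
_register_module(FORK_MODULE, LOCATION_MAX_DEPTH=10)


class LazySettings:
    """Simplified model of django.conf.LazySettings: the module named by
    DJANGO_SETTINGS_MODULE is imported on the first attribute access, not
    when the proxy is created. Real Django raises ImproperlyConfigured here."""

    def __init__(self) -> None:
        self._wrapped = None
        self.configured_from = None

    def _setup(self) -> None:
        name = os.environ.get("DJANGO_SETTINGS_MODULE")
        if not name:
            raise RuntimeError("DJANGO_SETTINGS_MODULE is not set")
        self._wrapped = importlib.import_module(name)
        self.configured_from = name

    def __getattr__(self, item: str):
        # Only reached for names that are not on the instance itself.
        if self._wrapped is None:
            self._setup()
        return getattr(self._wrapped, item)


def max_depth_direct_import() -> int:
    """Before: the `from dojo.settings import ...` pattern. The name is bound to
    one concrete module, so a fork's DJANGO_SETTINGS_MODULE is never consulted."""
    from dojo_settings_demo import LOCATION_MAX_DEPTH
    return LOCATION_MAX_DEPTH


def max_depth_via_conf(settings: LazySettings) -> int:
    """After: read through the lazy proxy; the module the environment names wins."""
    return settings.LOCATION_MAX_DEPTH


def import_models_module(settings: LazySettings) -> int:
    """Simulates importing a models.py that reads a setting at module level: the
    read is a side effect of the import and forces the proxy to resolve right then."""
    source = "MAX_DEPTH = settings.LOCATION_MAX_DEPTH\n"
    namespace = {"settings": settings}
    exec(source, namespace)  # stands in for the interpreter running the module body
    return namespace["MAX_DEPTH"]


class LocationAppConfig:
    """Stand-in for an AppConfig whose ready() does the read; Django calls
    ready() only after the settings module has been decided."""

    def __init__(self, settings: LazySettings) -> None:
        self.settings = settings

    def ready(self) -> int:
        return self.settings.LOCATION_MAX_DEPTH


def run_demo() -> dict:
    """Walks through both points. Mutates DJANGO_SETTINGS_MODULE in os.environ."""
    results = {}

    # 1. A fork points DJANGO_SETTINGS_MODULE at its own module.
    os.environ["DJANGO_SETTINGS_MODULE"] = FORK_MODULE
    results["direct_import"] = max_depth_direct_import()     # 3: override silently ignored
    results["via_conf"] = max_depth_via_conf(LazySettings())  # 10: override honoured

    # 2. Models get imported before settings are configured (a tool, a test
    #    bootstrap): the module-level read resolves the proxy too early and fails.
    os.environ.pop("DJANGO_SETTINGS_MODULE", None)
    proxy = LazySettings()
    try:
        import_models_module(proxy)
        results["import_time_read"] = "ok"
    except RuntimeError as exc:
        results["import_time_read"] = f"failed: {exc}"

    # 3. Same proxy, read deferred to ready(): the environment is settled by then.
    os.environ["DJANGO_SETTINGS_MODULE"] = FORK_MODULE
    results["deferred_to_ready"] = LocationAppConfig(proxy).ready()  # 10
    results["resolved_from"] = proxy.configured_from
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Step 1 is the fork-friendliness argument: only the proxy honours the custom module. Steps 2 and 3 are the `app.ready()` argument: the same proxy that fails when a models module reads it at import time succeeds once the read is deferred to `ready()`, because resolution is postponed until the environment is known.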

@fopina fopina requested review from Maffooch and mtesauro as code owners March 2, 2026 23:34
@fopina fopina changed the base branch from master to dev March 2, 2026 23:34
@fopina fopina marked this pull request as draft March 3, 2026 07:15
@fopina fopina marked this pull request as ready for review March 3, 2026 09:44
@dryrunsecurity (bot) commented Mar 3, 2026

DryRun Security

🔴 Risk threshold exceeded.

This pull request modifies a sensitive file (dojo/reports/widgets.py) flagged by the scanner for a configured codepath edit; review is needed or adjust allowed authors/paths in .dryrunsecurity.yaml.

🔴 Configured Codepaths Edit in dojo/reports/widgets.py (drs_8bc22070)
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.

We've notified @mtesauro.



@valentijnscholten valentijnscholten added the affects_pro PRs that affect Pro and need a coordinated release/merge moment. label Mar 4, 2026
@valentijnscholten (Member):

Let's verify it doesn't break Pro.

@valentijnscholten valentijnscholten added this to the 2.57.0 milestone Mar 4, 2026
@valentijnscholten (Member):

@fopinappb:

@valentijnscholten for those without access to pro, was that a good or a bad run? 😄

@Maffooch Maffooch requested review from blakeaowens and dogboat March 9, 2026 17:11
dojo/apps.py (Outdated)

from dojo.location.models import Location # noqa: PLC0415 raised: AppRegistryNotReady

auditlog.register(Location)
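Review bot: the trailing comment on the import line, `# noqa: PLC0415 raised: AppRegistryNotReady`, reads as if this import itself raised the error; since PLC0415 is the import-outside-top-level rule and the reason the import sits inside ready() is that a module-level import would raise AppRegistryNotReady, say so directly, e.g. `# noqa: PLC0415 -- imported here because a top-level import raises AppRegistryNotReady`. Worth confirming first whether the auditlog registration is still needed at all, which the thread below takes up.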
Contributor:

Question (for everybody) -- we're using pghistory now right? So we could actually just get rid of this entirely maybe? (By which I mean: leave location/models.py updated as it is, and just don't touch this file at all.)

Contributor:

And yes, registering Location with auditlog is my fault. ;-)

Member:

I think it should go indeed

Contributor Author (@fopina):

Should I just remove apps.py changes then, leaving the rest?

Member:

Yes

Contributor Author (@fopina):

PR updated 👍

@fopina fopina requested a review from dogboat March 10, 2026 00:26

Labels: affects_pro (PRs that affect Pro and need a coordinated release/merge moment.), docker
