
Deprecate Python-jose and migrate okta to python_social_auth #10117

Open · wants to merge 4 commits into base: dev

Conversation

manuel-sommer
Contributor

@manuel-sommer manuel-sommer commented May 4, 2024

Python-jose can be deprecated if we switch to python_social_auth


dryrunsecurity bot commented May 4, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status          Findings
Configured Codepaths Analyzer   2 findings
Sensitive Files Analyzer        1 finding
AppSec Analyzer                 0 findings
Authn/Authz Analyzer            1 finding
Secrets Analyzer                0 findings

Note

🔴 Risk threshold exceeded. Adding a reviewer if one is configured in .dryrunsecurity.yaml.

notification list: @mtesauro @grendel513

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The changes in this pull request focus on updating the authentication backends used in the DefectDojo application and modifying the Python dependencies required for the application.

The key changes to the authentication backends include replacing the custom 'dojo.okta.OktaOAuth2' backend with the standard 'social_core.backends.okta.OktaOAuth2' backend, and changing the order of the authentication backends to prioritize Okta authentication. These changes are likely to improve the overall authentication security of the DefectDojo application by leveraging a well-maintained library and enforcing stronger authentication requirements.

The changes to the requirements.txt file involve the removal of the Python-jose dependency and the addition or update of several security-related dependencies, such as django-ratelimit, argon2-cffi, and vulners. These changes suggest that the application is taking measures to improve its security posture, including implementing rate limiting, secure password hashing, and integration with vulnerability databases.

Files Changed:

  1. dojo/settings/settings.dist.py:
    • The 'dojo.okta.OktaOAuth2' backend is replaced with 'social_core.backends.okta.OktaOAuth2'.
    • The order of the authentication backends is changed, with the Okta backend now listed before the default Django authentication backend.
  2. requirements.txt:
    • The Python-jose dependency has been removed.
    • Several new dependencies have been added or updated, including security-related libraries such as django-ratelimit, argon2-cffi, and vulners.

Overall, the changes in this pull request appear to be positive security improvements for the DefectDojo application, focusing on enhancing the authentication process and updating the application's dependencies to address potential vulnerabilities and improve the overall security posture.

Powered by DryRun Security

@manuel-sommer
Contributor Author

I just saw that python-jose is used

from jose import jwt

We also have PyJWT in requirements.txt. How about migrating okta.py to PyJWT?

What is your opinion @Maffooch and @cneill ?
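The python-jose to PyJWT migration floated in the comment above, as an added example that is not code from this PR or from DefectDojo: an Okta-style ID token verifier built on PyJWT with issuer, audience, expiry and the accepted algorithm pinned, plus a small outcome classifier suited to auth logging. The issuer, client id and shared key are constructed placeholders, and HS256 is used only so the demo runs offline; Okta signs with RS256 using its JWKS, so in production the key is the JWK fetched from the issuer and algorithms=["RS256"].

```python
"""Verify an Okta-style ID token with PyJWT (the library the comment above proposes)."""
import time
import jwt  # PyJWT

# Constructed values for the offline demo; none of these come from the PR.
ISSUER = "https://example.okta.com/oauth2/default"   # hypothetical Okta issuer
CLIENT_ID = "0oa-example-client-id"                   # hypothetical client id
DEMO_KEY = "constructed-shared-secret-for-demo-only"  # stand-in for Okta's JWK
ALLOWED_ALGS = ["HS256"]  # Okta signs with RS256: pin ["RS256"] + the JWK in production


def verify_id_token(token, key=DEMO_KEY, issuer=ISSUER, client_id=CLIENT_ID,
                    algorithms=ALLOWED_ALGS):
    """Return the verified claims or raise a jwt.PyJWTError subclass.

    PyJWT verifies the signature and exp/nbf/iat by default; passing
    audience= and issuer= makes it verify aud and iss too, and the pinned
    algorithms list stops a token-chosen 'alg' header from being honoured.
    """
    return jwt.decode(token, key, algorithms=algorithms, audience=client_id,
                      issuer=issuer, options={"require": ["exp", "iat", "sub"]})


def make_demo_token(overrides=None, key=DEMO_KEY, algorithm="HS256"):
    """Mint a constructed token so the verifier can be exercised offline."""
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user@example.com",
              "iat": now, "exp": now + 300}
    claims.update(overrides or {})
    token = jwt.encode(claims, key, algorithm=algorithm)
    return token if isinstance(token, str) else token.decode()  # PyJWT 1.x gave bytes


def classify(token):
    """Label the verification outcome; useful for auth logs and detection rules."""
    try:
        claims = verify_id_token(token)
    except jwt.ExpiredSignatureError:
        return "expired"
    except jwt.InvalidAudienceError:
        return "wrong-audience"
    except jwt.InvalidIssuerError:
        return "wrong-issuer"
    except jwt.PyJWTError:          # bad signature, disallowed alg, missing claim, ...
        return "invalid"
    return "ok:" + claims["sub"]
```

Signature and claim checks run in that order inside PyJWT, so a token with a bad signature reports "invalid" before any claim is looked at.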

@manuel-sommer manuel-sommer marked this pull request as draft May 4, 2024 19:24
@Maffooch
Contributor

Maffooch commented May 6, 2024

We could probably get rid of our version of the okta backend and instead use https://github.com/python-social-auth/social-core/blob/master/social_core/backends/okta.py

At the time, the PR to add the okta backend to https://github.com/python-social-auth/social-core was not getting in quickly enough for DefectDojo, so we copied the code and pasted it in here.

@github-actions github-actions bot added the settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR label May 14, 2024
@manuel-sommer manuel-sommer changed the title remove Python-jose Deprecate Python-jose and migrate okta to python_social_auth May 14, 2024
@manuel-sommer manuel-sommer marked this pull request as ready for review May 14, 2024 07:31
@manuel-sommer
Contributor Author

Done @Maffooch. Could you give me feedback here?
