chore(deps): update redis docker tag from 7.2.11 to v7.4.6 (docker-compose.yml) - abandoned - autoclosed

[renovate]

This PR contains the following updates:

Package	Update	Change
redis	minor	7.2.11-alpine -> 7.4.6-alpine

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dryrunsecurity]

DryRun Security Summary

The Redis service image is being updated from 7.2.5 to 7.4.2, while security concerns were identified regarding hardcoded sensitive environment variables including database credentials and secret keys in docker-compose.yml.

Expand for full summary

The PR updates the Redis service image version from 7.2.5 to 7.4.2 in docker-compose.yml, with potential version-specific security patches. Security findings include:

1. Hardcoded sensitive environment variables in docker-compose.yml:
   • Database credentials (DD_DATABASE_USER, DD_DATABASE_PASSWORD)
   • Secret keys (DD_SECRET_KEY, DD_CREDENTIAL_AES_256_KEY)
     These default credentials pose a significant security risk if not changed in production environments.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[cneill]

We're going to hold off on this one while we determine any implications of the change to Redis' licensing

Reviewing license change

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[dryrunsecurity]

This pull request identifies a potential security risk in the Redis image configuration, where pinning to a specific digest may delay critical security updates and requires a manual review process to ensure timely patching.

⚠️ Dependency Update Risk in docker-compose.yml

Vulnerability	Dependency Update Risk
Description	The Redis image is pinned to a specific digest (7.4.4-alpine), which can potentially delay security updates. While this provides image immutability, it requires manual intervention to incorporate security patches. The team should establish a process for regularly reviewing and updating image digests to mitigate potential security risks.

django-DefectDojo/docker-compose.yml

Lines 114 to 120 in 73794a9

	- defectdojo_postgres:/var/lib/postgresql/data
	redis:
	# Pinning to this version due to licensing constraints
	image: redis:7.4.4-alpine@sha256:ee9e8748ace004102a267f7b8265dab2c618317df22507b89d16a8add7154273
	volumes:
	- defectdojo_redis:/data
	volumes:

---

All finding details can be found in the DryRun Security Dashboard.

[mtesauro]

The new license for 7.4.x causes issues with our open source stance and being part of OWASP - being an OWASP project we should be using only OSI approved licenses.

[Maffooch]

blocking

[valentijnscholten]

@mtesauro I suggest we close/ignore this one and focus in v8? #12389

[mtesauro]

Update on this - we're looking at migrating to ValKey - that is currently being run on the public demo without issues.

[dryrunsecurity]

This pull request pins Redis to version 7.4.6 in docker-compose.yml, which is within the range affected by CVE-2025-49844 (allows an authenticated user to exploit a specially crafted Lua script). Consider upgrading Redis to a non-vulnerable version (e.g., >8.2.1) or verifying the digest points to a patched image.

Vulnerable Dependency Version in docker-compose.yml

Vulnerability	Vulnerable Dependency Version
Description	The docker-compose.yml specifies redis:7.4.6-alpine pinned to a SHA256 digest. Assuming this digest corresponds to the 7.4.6-alpine tag, Redis version 7.4.6 is vulnerable to CVE-2025-49844. This CVE affects Redis versions 8.2.1 and below, allowing an authenticated user to exploit a weakness via a specially crafted Lua script.

django-DefectDojo/docker-compose.yml

Lines 132 to 135 in bffb20d

	image: redis:7.4.6-alpine@sha256:3b73847e72874be07e6657b129a94761662b79bc0f679273757d4218573b2a98
	volumes:
	- defectdojo_redis:/data
	volumes:

---

All finding details can be found in the DryRun Security Dashboard.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

[github-actions]

Conflicts have been resolved. A maintainer will review the pull request shortly.

[github-actions]

This pull request has conflicts, please resolve those before we can evaluate the pull request.