Django 6 release broke web interface #286

@migus-rs

Problem description

After starting EMBArk, opening any report or the "/tracker" endpoint on the web interface, a 500 Internal Server Error is returned. Other parts of the interface work fine.

To Reproduce

Steps to reproduce the behavior:

  1. EMBArk installation (default mode)
  2. Start EMBArk: sudo ./run-server.sh
  3. Try opening http://embark.local/tracker/ or http://embark.local/emba_logs/<id>/index.html
  4. See error

Expected behavior

The web interface is expected to work as described.

Desktop (please complete the following information):

  • OS: Kubuntu 24.04 VM

Additional context

After digging through the logs (originally chasing another network-related issue), I came across some errors about incorrectly calling format_html without parameters being thrown when trying to access the affected pages.

A quick fix attempt

A quick search led me to this Django Ticket describing the behavior I was seeing.
In fact, when checking embark/tracker/tables.py I was able to verify the "misuse" of passing Python format-strings to the format_html function as described in the ticket.

As a quick fix, changing the two occurrences to pass arguments as expected by Django fixed the /tracker endpoint, but report display remained broken.

diff --git a/embark/tracker/tables.py b/embark/tracker/tables.py
index 4a5b4a23..2e16965f 100644
--- a/embark/tracker/tables.py
+++ b/embark/tracker/tables.py
@@ -18,7 +18,8 @@ class SimpleDeviceTable(tables.Table):
         orderable = True
 
     def render_id(self, value):
-        return format_html(f"<a href=\"{reverse(viewname='embark-tracker-device', args=[value])}\">{value}</a>")
+        return format_html("<a href=\"{}\">{}</a>", reverse(viewname='embark-tracker-device', args=[value]), value)
 
 
 class SimpleSBOMTable(tables.Table):
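
Review bot: In render_id the new format string still uses escaped \" quotes and positional {} placeholders; a single-quoted literal with named placeholders, e.g. '<a href="{url}">{label}</a>' with url= and label= keyword arguments, would be easier to read and cannot have its argument order swapped silently. Passing the reversed URL and value as arguments is the right direction, because format_html can only escape what it receives as arguments, not what an f-string has already merged into the template.
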
@@ -47,4 +48,5 @@ class SimpleResultTable(tables.Table):
         fields = ("firmware_analysis", "date", "vulnerability", "sbom_id", )
 
     def render_sbom_id(self, value):
-        return format_html(f"<a href=\"{reverse(viewname='embark-tracker-sbom', args=[value])}\">{value}</a>")
+        return format_html("<a href=\"{}\">{}</a>", reverse(viewname='embark-tracker-sbom', args=[value]), value)
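
Review bot: render_sbom_id now repeats the anchor-building call from render_id with only the view name changed ('embark-tracker-sbom' instead of 'embark-tracker-device'); a small shared helper taking the view name and value would keep the two in step. A test that renders each column with a value containing HTML metacharacters would pin the escaping behaviour and catch this call form regressing.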

As I have never worked with Django, I'm not sure this is the appropriate solution, so I include it here instead of opening a pull request.

Root cause

The remaining errors quickly made me think this was not a simple call convention problem.
As such, I had a look at what had gone wrong.

As it turns out, this is a combination of three things resulting in failure:

  1. The shipped Pipfile.lock specifies django as 5.2.10 (code)
  2. The shipped Pipfile does not specify a version range (code)
  3. Executing run-server.sh forces pipenv update at least on first run, fetching the latest upstream django, currently version 6.0.3 (code)

Seemingly the newly pulled in Django 6 breaks some things that are still working in Django 5.
As I am no expert in the matter, I fixed it following Pipfile documentation by forcing the django dependency to be a release of major version 5.

diff --git a/Pipfile b/Pipfile
index 9212e49a..816859cc 100644
--- a/Pipfile
+++ b/Pipfile
@@ -12,7 +12,7 @@ Rx = "*"
 inotify-simple = "*"
 psutil = "*"
 msgpack = "*"
-django = "*"
+django = ">=5,<6"
 django-hashid-field = "*"
 django-tables2 = "*"
 requests = "*"
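
Review bot: The django = ">=5,<6" line constrains only this one package, while the neighbouring entries in the hunk (django-hashid-field, django-tables2, requests and the rest) stay at "*", so the pipenv update that run-server.sh forces can still pull a breaking major release of any of them. The range is also wider than what is locked: with Pipfile.lock at 5.2.10, "~=5.2" would express the same upper bound without allowing a downgrade to 5.0 or 5.1. Pipfile.lock should be regenerated in the same change so the two files agree.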

Again, as I have never worked with Django, I'm not sure this has any unintended side-effects, so I include it here instead of opening a pull request.
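
One way to find any remaining call sites of the kind fixed in the tables.py diff above, as an added example that is not part of the original issue or of EMBArk's code: a standard-library `ast` scan that flags `format_html` calls whose template is an f-string or that pass no arguments besides the template. The function name `find_format_html_misuse` and the sample source are constructed for illustration.

```python
import ast

# Constructed sample mirroring the call styles from the issue's diff.
SAMPLE = '''
from django.urls import reverse
from django.utils.html import format_html

def render_old(value):
    return format_html(f'<a href="{reverse("embark-tracker-device", args=[value])}">{value}</a>')

def render_new(value):
    return format_html('<a href="{}">{}</a>', reverse("embark-tracker-device", args=[value]), value)

def render_bare(value):
    return html.format_html("<b>static</b>")
'''


def _callee_name(func):
    """Name of the called function for both `f(...)` and `mod.f(...)`."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_format_html_misuse(source, filename="<source>"):
    """Return sorted (line, reason) pairs for suspicious format_html calls."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and _callee_name(node.func) == "format_html"):
            continue
        if not node.args:
            continue
        has_params = len(node.args) > 1 or bool(node.keywords)
        if isinstance(node.args[0], ast.JoinedStr):
            # Values were merged into the template before format_html ran,
            # so it never had the chance to escape them.
            findings.append((node.lineno, "f-string template"))
        elif not has_params:
            findings.append((node.lineno, "no args or kwargs"))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_format_html_misuse(SAMPLE):
        print(f"line {line}: format_html misuse ({reason})")
```

To scan a checkout, read each `.py` file and pass its text and path to `find_format_html_misuse`.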
