[QGIS-Developer] Existing plugin versions should not be marked with "security issues"
C Hamilton
adenaculture at gmail.com
Thu Apr 23 08:22:18 PDT 2026
I have some issues with this. For example, my Lat Lon Tools plugin is tagged,
and here are the reasons. It is identifying these two lines as hazardous.
__base32 = '0123456789bcdefghjkmnpqrstuvwxyz'
lontile_ = "ABCDEFGHJKLMNPQRSTUVWXYZ"
I think it is important for security scans, but when it comes to lines of
code like this that have been flagged, it is a problem.
With KML Tools here are the lines of code being flagged.
parser = xml.sax.make_parser()
kml_str = xml.dom.minidom.parseString(xml_str.encode("utf-8"))
Thanks,
Calvin
On Thu, Apr 23, 2026 at 8:59 AM Johannes Kröger (WhereGroup) via
QGIS-Developer <qgis-developer at lists.osgeo.org> wrote:
> Hi,
>
> the plugins repository now *publicly* denounces plugins when its
> security scan has flagged something.
> I use the word "denounce" aggressively here because as a plugin
> developer it is not nice to have plugins *which do not actually have
> security issues* brandished insecure with a BIG RED WARNING, losing
> trust of their users.
>
> The rules are not perfect and at least for plugins where I have insight
> the false positive rate is higher than the correct flags...
> For example it flags any requests.get() call without a timeout. The
> worst that can happen is a hanging QGIS, big whoop...
> It also flags hashes as secrets and I fail to see how this is helpful
> for plugins that are *already published and accessible*.
>
> Please revert the public display of this badge for now. If it is planned
> to publicly flag existing plugin versions, give developers ample time to
> review, fix or dispute the findings.
>
> Sorry for the aggressive tone but this was unexpected and is very
> unpleasant to deal with.
> I do think that the scanning and potential blocking of new versions is a
> great feature (thank you for it!) but the retrospective scanning with
> public display without human validation is not.
>
> Cheers, Hannes
>
>
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
>
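As an added illustration, not code from the thread or from the QGIS plugin repository scanner: a toy high-entropy rule of the kind secret scanners apply to string constants, run over the two lines Calvin quotes, together with a triage check that separates a lookup alphabet from random key material. The length and entropy thresholds are assumptions chosen for the example.

```python
import ast
import math

# Constructed sample: the two constants quoted in the thread plus an ordinary
# string, so the rule has something to pass as well as something to flag.
SAMPLE_SOURCE = '''
__base32 = '0123456789bcdefghjkmnpqrstuvwxyz'
lontile_ = "ABCDEFGHJKLMNPQRSTUVWXYZ"
greeting = "hello world"
'''

# Assumed thresholds in the spirit of common secret scanners; not the values
# the QGIS plugin repository scan uses.
MIN_LENGTH = 16
ENTROPY_THRESHOLD = 3.0  # bits per character

def shannon_entropy(text: str) -> float:
    # Bits per character computed from observed character frequencies.
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))

def is_alphabet_like(text: str) -> bool:
    # Every character distinct and in ascending order: the shape of a lookup
    # alphabet or character set, not of random key material.
    return len(set(text)) == len(text) and list(text) == sorted(text)

def scan_string_constants(source: str) -> list:
    # Report each assigned string constant that trips the entropy rule and
    # whether the alphabet check would clear it as a likely false positive.
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)):
            continue
        value = node.value.value
        if not (isinstance(value, str) and len(value) >= MIN_LENGTH):
            continue
        entropy = shannon_entropy(value)
        if entropy < ENTROPY_THRESHOLD:
            continue
        target = node.targets[0]
        findings.append({
            "line": node.lineno,
            "name": target.id if isinstance(target, ast.Name) else "<expr>",
            "entropy": round(entropy, 2),
            "likely_false_positive": is_alphabet_like(value),
        })
    return findings
```

Both quoted constants score well above the threshold (a 32-character alphabet with every symbol used once is exactly 5.0 bits per character), which is why entropy-only rules also catch hashes and alphabets; the ascending-distinct check clears both as alphabets while a random token would almost never pass it.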