[QGIS-Developer] Existing plugin versions should not be marked with "security issues"
Raymond Nijssen
r.nijssen at terglobo.nl
Wed Jun 17 09:40:20 PDT 2026
Hi, I'm having this security issue with Bandit and cannot publish my
plugin. But the executeSql() does not take separate parameters. What
would be the proper solution here?
Possible SQL injection vector through string-based query construction.
104 q = f'DELETE FROM imaer_metadata WHERE key = \'{key}\';'
105 self.conn.executeSql(q)
(Instead of putting # nosec behind the lines as explained here:
https://lists.osgeo.org/pipermail/qgis-developer/2026-June/068337.html
)
Regards,
Raymond
On 4/23/26 14:58, Johannes Kröger (WhereGroup) via QGIS-Developer wrote:
> Hi,
>
> the plugins repository now *publicly* denounces plugins when its
> security scan has flagged something.
> I use the word "denounce" aggressively here because as a plugin
> developer it is not nice to have plugins *which do not actually have
> security issues* brandished insecure with a BIG RED WARNING, losing
> trust of their users.
>
> The rules are not perfect and at least for plugins where I have insight
> the false positive rate is higher than the correct flags...
> For example it flags any requests.get() call without a timeout. The
> worst that can happen is a hanging QGIS, big whoop...
> It also flags hashes as secrets and I fail to see how this is helpful
> for plugins that are *already published and accessible*.
>
> Please revert the public display of this badge for now. If it is planned
> to publicly flag existing plugin versions, give developers ample time to
> review, fix or dispute the findings.
>
> Sorry for the aggressive tone but this was unexpected and is very
> unpleasant to deal with.
> I do think that the scanning and potential blocking of new versions is a
> great feature (thank you for it!) but the retrospective scanning with
> public display without human validation is not.
>
> Cheers, Hannes
>
>
> _______________________________________________
> QGIS-Developer mailing list
> QGIS-Developer at lists.osgeo.org
> List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer
More information about the QGIS-Developer
mailing list