[QGIS-Developer] Existing plugin versions should not be marked with "security issues"

Etienne Trimaille etienne.trimaille at gmail.com
Fri Jun 19 04:28:19 PDT 2026


Hi,

On Fri, 19 Jun 2026 at 09:49, Johannes Kröger (WhereGroup) via
QGIS-Developer <qgis-developer at lists.osgeo.org> wrote:

> In the meantime I can recommend psycopg's


Personally, I would not use Psycopg, as it will bypass QGIS settings, and
mainly queries will not be shown in QGIS logs and/or in the PostgreSQL log
panel, which is IMHO quite nice. Like in the web browser's dev tools,
we can see "all" requests, loading scripts, etc.

Even if the plugin is doing some work under the hood, it's important to see
outgoing requests made when loading QGIS, loading a project, panning on the
map, etc.

As Julien said, it seems that just a call to "format" with a Python
dictionary might be enough for now:

sql = "SELECT * FROM {schema}.foo"
params = {
    "schema": "test",
}
sql = sql.format(**params)

This snippet looks fine for Bandit.

I also agree with Julien about the usage of "nosec". It depends on the final
purpose of these checks, but if the idea is to "control" a little bit what
the plugin can do, then indeed disabling "nosec" etc. should be the way to go;
otherwise developers won't care anymore about these checks.

Regards
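The snippet in the message above interpolates a schema name into the query text, which Bandit does not flag but which is only safe when the schema name is trusted. The following is an added example (not code from the thread, the QGIS project or any plugin) showing one way to keep that pattern while validating and quoting the identifier, and leaving row values to the driver's placeholder binding. The `%s` placeholder style, the `foo` table and the identifier rule are assumptions for illustration.

```python
import re

# Assumed identifier rule: only characters allowed in a plain PostgreSQL
# identifier. Anything else (spaces, quotes, semicolons) is rejected.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_valid_identifier(name: str) -> bool:
    """True if `name` matches the assumed identifier rule above."""
    return IDENTIFIER_RE.fullmatch(name) is not None


def quote_identifier(name: str) -> str:
    """Return `name` as a double-quoted SQL identifier, or raise ValueError."""
    if not is_valid_identifier(name):
        raise ValueError(f"invalid SQL identifier: {name!r}")
    # Double quotes make the database read the text as a name, never as SQL
    # syntax; the regex already excludes embedded quote characters.
    return '"' + name + '"'


def build_query(schema: str, min_id: int):
    """Build the query text and a separate tuple of bound values.

    Identifiers (schema, table) cannot be passed as query parameters, so the
    schema is validated and quoted before being formatted into the string.
    The row value (min_id) is NOT formatted in: it is returned separately so
    the driver binds it through its placeholder (assumed here: `%s`).
    """
    sql = "SELECT * FROM {schema}.foo WHERE id >= %s"
    params = {"schema": quote_identifier(schema)}
    return sql.format(**params), (min_id,)


if __name__ == "__main__":
    # Constructed inputs: one acceptable schema name, one hostile one.
    print(build_query("test", 5))
    for candidate in ("test", 'x"; DROP SCHEMA y; --'):
        print(candidate, "->", is_valid_identifier(candidate))
```

The point of separating identifiers from values is that a linter such as Bandit only sees the syntax of the string operation; whether the interpolated name is trustworthy has to be enforced by the code itself.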

