[QGIS-Developer] Existing plugin versions should not be marked with "security issues"
Greg Troxel
gdt at lexort.com
Mon Jun 22 04:49:13 PDT 2026
Julien Cabieces <julien.cabieces at oslandia.com> writes:
> Hi,
>
>> How is this different from telling the scanner to ignore it? It seems
>> like laundering input via steps the scanner doesn't follow.
>
> It's not that much different I agree, but I least you have to spend a
> few minutes to think how you could fix (if possible) this security
> issue. If you just have to write #noseq, I'm afraid it would be the easy
> way to solve any security issues and the scanner would become completely
> useless.
>
> I think we could:
> - accept the #noseq for now
> - think and document appropriate ways to fix every type of issue nicely (adding parameters for
> executeSql for instance)
> - Point plugin developers to this documentation when there are security
> issues (or code contains #noseq)
> - disable #noseq for each issue type individually when there is an
> alternative (and after a long enough periode of time)
I see the big issue as defining what properties this is intended to
achieve, or if it's just trying to avoid dangerous, unintended, bugs.
I think overriding the scanner should be done by someone other than the
plugin author, based on a belief that the code is safe and the scanner
is wrong. Waiving your own warnings seems unsound.
More information about the QGIS-Developer
mailing list