Security Policy¶
Because QDT is meant to be carried out on large-scale IT infrastructures, security is one of the development challenges. It’s enforced through automated checks, which are mainly executed in CI. You can also run the most of them manually.
Automated security checks¶
GitGuardian: detects secrets in the source code to help developers and security teams secure the modern development process.
Github Code QL: GitHub integrated tool to discover vulnerabilities across a codebase
Dependabot Alerts: GitHub integrated tool that keeps dependencies up to date by informing of any security vulnerabilities in project’s dependencies, and automatically opens pull requests to upgrade dependencies to the next available secure version when a Dependabot alert is triggered, or to the latest version when a release is published.
GitHub secret scanning: integrated Github secrets scanning to receive alerts for detected secrets, keys, or other tokens.
Bandit: Bandit is a tool designed to find common security issues in Python code. Aslo executed for every commit as git hook.
Safety: Safety is a tool (part of PyUp security suite) designed to scan dependencies.
Supported Versions¶
We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating.
For now, no vulnerability has been found.
Reporting a Vulnerability¶
Please report (suspected) security vulnerabilities to qgis+security@oslandia.com. You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.
Run security checks manually¶
Some checks can be executed on the developer side.
Run Bandit check¶
In a terminal:
bandit --configfile bandit.yaml --format screen -r qgis_deployment_toolbelt
It’s also possible to get results as a CSV:
bandit --configfile bandit.yaml --format csv --output bandit_report.csv -r qgis_deployment_toolbelt
Then open the bandit_report.csv
file.
Run Safety check¶
In a terminal:
safety check --full-report --output screen -r requirements/base.txt
It’s also possible to get results in a text format:
safety check --full-report --output text -r requirements/base.txt > safety_report.txt
Then open the safety_report.txt
file.