Security Policy

Because QDT is meant to be carried out on large-scale IT infrastructures, security is one of the development challenges. It’s enforced through automated checks, which are mainly executed in CI. You can also run the most of them manually.

Automated security checks

  • GitGuardian: detects secrets in the source code to help developers and security teams secure the modern development process.

  • Github Code QL: GitHub integrated tool to discover vulnerabilities across a codebase

  • Dependabot Alerts: GitHub integrated tool that keeps dependencies up to date by informing of any security vulnerabilities in project’s dependencies, and automatically opens pull requests to upgrade dependencies to the next available secure version when a Dependabot alert is triggered, or to the latest version when a release is published.

  • GitHub secret scanning: integrated Github secrets scanning to receive alerts for detected secrets, keys, or other tokens.

  • Bandit: Bandit is a tool designed to find common security issues in Python code. Aslo executed for every commit as git hook.

  • Safety: Safety is a tool (part of PyUp security suite) designed to scan dependencies.

Supported Versions

We release patches for security vulnerabilities. Which versions are eligible for receiving such patches depends on the CVSS v3.0 Rating.

For now, no vulnerability has been found.

Reporting a Vulnerability

Please report (suspected) security vulnerabilities to qgis+security@oslandia.com. You will receive a response from us within 48 hours. If the issue is confirmed, we will release a patch as soon as possible depending on complexity but historically within a few days.

Run security checks manually

Some checks can be executed on the developer side.

Run Bandit check

In a terminal:

bandit --configfile bandit.yaml --format screen -r qgis_deployment_toolbelt

It’s also possible to get results as a CSV:

bandit --configfile bandit.yaml --format csv --output bandit_report.csv -r qgis_deployment_toolbelt

Then open the bandit_report.csv file.

Run Safety check

In a terminal:

safety check --full-report --output screen -r requirements/base.txt

It’s also possible to get results in a text format:

safety check --full-report --output text -r requirements/base.txt > safety_report.txt

Then open the safety_report.txt file.