mark_safe when the input is provided by trusted administrators
lxml where we control the HTML or XML file
md5 or random for non-cryptographic uses (hashing OCDS data, etc.)
eval where the format is known (e.g. Python dicts in Scrapy logs)
pickle in spoonbill for the statistics object
subprocess in a manage.py file where we provide the input
The true positives include:
Very narrow cases like a reviewed extension becoming compromised, and its README.md file being changed. This just means CI starts failing. Can use defusedxml instead.
bandit
mark_safewhen the input is provided by trusted administratorslxmlwhere we control the HTML or XML filemd5orrandomfor non-cryptographic uses (hashing OCDS data, etc.)evalwhere the format is known (e.g. Python dicts in Scrapy logs)picklein spoonbill for the statistics objectsubprocessin amanage.pyfile where we provide the input0.0.0.0toALLOWED_HOSTSfor Docker – not sure how much of a concern it is when used outside Docker https://bandit.readthedocs.io/en/1.7.4/plugins/b104_hardcoded_bind_all_interfaces.htmlI've added a link to it in the QASP, but otherwise it seems to just be noise for our projects.
codespell
Added to docs and documentation-heavy repositories.
flake8-comprehensions
Added to standard-maintenance-scripts.
safety
We use dependabot instead.