bandit
The false positives include:
mark_safe when the input is provided by trusted administrators
lxml where we control the HTML or XML file
md5 or random for non-cryptographic uses (hashing OCDS data, etc.)
eval where the format is known (e.g. Python dicts in Scrapy logs)
pickle in spoonbill for the statistics object
subprocess in a manage.py file where we provide the input
0.0.0.0 in ALLOWED_HOSTS for Docker – not sure how much of a concern it is when used outside Docker: https://bandit.readthedocs.io/en/1.7.4/plugins/b104_hardcoded_bind_all_interfaces.html
The true positives include:
Very narrow cases like a reviewed extension becoming compromised, and its README.md file being changed. This just means CI starts failing. Can use defusedxml instead.
I've added a link to it in the QASP, but otherwise it seems to just be noise for our projects.
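As an added illustration of the "md5 for non-cryptographic uses" case above (example code, not from any of the projects mentioned): fingerprinting an OCDS release for deduplication with MD5, declaring the non-security intent via `usedforsecurity=False` (Python 3.9+) so bandit's B324 hashlib check passes without a `# nosec` comment. The release data is constructed for the example.

```python
import hashlib
import json

# Constructed sample: a minimal OCDS release, not real published data.
RELEASE = {
    "ocid": "ocds-example-0001",
    "id": "ocds-example-0001-01",
    "date": "2023-01-01T00:00:00Z",
    "tag": ["tender"],
    "tender": {"id": "t-1", "title": "Example tender"},
}


def canonical_json(data):
    """Serialise data so semantically equal documents give identical bytes.

    Key order and whitespace vary between publishers, so keys are sorted and
    separators stripped before hashing; ensure_ascii keeps output stable.
    """
    text = json.dumps(data, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return text.encode("utf-8")


def fingerprint(data):
    """Return a hex MD5 digest used only for deduplication, never for security.

    usedforsecurity=False (Python 3.9+) records that intent in the code itself,
    which is what bandit's B324 check looks for on md5/sha1 calls.
    """
    return hashlib.md5(canonical_json(data), usedforsecurity=False).hexdigest()


def is_duplicate(data, seen):
    """Add data's fingerprint to seen; return True if it was already present."""
    digest = fingerprint(data)
    if digest in seen:
        return True
    seen.add(digest)
    return False
```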
codespell
Added to docs and documentation-heavy repositories.
flake8-comprehensions
Added to standard-maintenance-scripts.
safety
We use dependabot instead.