Reply to post: Not security issues

About half of Python libraries in PyPI may have security issues, boffins say


Not security issues

Bad code patterns are not vulnerabilities.

Take using pass or continue as a catchall in except. It's mostly bad for non-security reasons (silent failures are not visible to the user and difficult to debug).

They have used a tool that finds potential issues, not vulnerabilities. They have no indication of how many issues have been reviewed by the developers who decided they were fine. For example, I use Django mark_safe quite often. It's essential to allow some things such as rich text editing in a Django based CMS (which is why it exists), and is absolutely fine to use on trusted (sometimes because it has been processed to be safe) input. Similarly hardcoded SQL may be using trusted or sanitised sources (very easy to escape your inputs with most libraries).

What would be interesting would be to see the numbers for issues that are high confidence and at least medium severity. Even better if we could see whether more popular packages are better (i.e. does many eyeballs work or are people selective in what they use).

Interesting that Google's code is so bad! (If the article is not corrected yet, the package is unofficial, but the code is Google's).
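The "hardcoded SQL" point above, as an added illustration that is not the commenter's code: a pattern-only check flags both queries because both contain SQL text, while only the string-built one actually breaks on a value containing an apostrophe. The table, the regex and the sample name are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data (not from the article or the comment).
ROWS = [("alice", "admin"), ("O'Brien", "user")]

PARAM_SQL = "SELECT role FROM users WHERE name = ?"
CONCAT_SQL_PREFIX = "SELECT role FROM users WHERE name = '"

# Rough stand-in for a pattern-based "SQL in a string literal" finding.
# It sees only text, so it cannot tell a bound parameter from concatenation.
SQL_PATTERN = re.compile(r"\bSELECT\b.*\bFROM\b", re.IGNORECASE)


def pattern_flags(source_literal: str) -> bool:
    """True if a text-only scan would report this string as SQL."""
    return bool(SQL_PATTERN.search(source_literal))


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    # The caller-supplied value becomes part of the statement text.
    return conn.execute(CONCAT_SQL_PREFIX + name + "'").fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    # Same SQL text, but the value is bound by the driver and never parsed.
    return conn.execute(PARAM_SQL, (name,)).fetchall()


def handles_apostrophe(lookup) -> bool:
    """True if the lookup returns the right row for a name with a quote."""
    conn = make_db()
    try:
        return lookup(conn, "O'Brien") == [("user",)]
    except sqlite3.Error:
        # The quote terminated the string early; the statement is malformed.
        return False
    finally:
        conn.close()
```

Both `PARAM_SQL` and `CONCAT_SQL_PREFIX` trip the pattern, but only `lookup_param` passes the behavioural check, which is the gap between a flagged pattern and a confirmed issue.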
