Oh I see that now, good point. I guess I just got excited about more
incentives to use the ORM.

On Mon, Dec 17, 2018 at 5:38 PM Ben O'Steen <bost...@gmail.com> wrote:

> It is flagging that the string formatting method is being used to
> construct a SQL query, rather than a method that might escape or encode
> parameters that may have SQL side-effects.
>
> Ben
>
> On Mon, 17 Dec 2018 at 15:35, Adam Cox <mr.adam...@gmail.com> wrote:
>
>> Thanks for sharing those results Ben. A number of the issues raised there
>> are also a matter of best practices not being followed (like using
>> non-typed try/except/pass blocks, or calling os.system) so it's good to see
>> them flagged. Also, though it would be really nice to get away from raw SQL
>> and rely more on the ORM, looking through those results I think that the
>> SQL may be the trickiest to remedy. At any rate, a very good roadmap for an
>> initial security update.
>>
>> Adam
>>
>> On Mon, Dec 17, 2018 at 5:07 PM Ben O'Steen <bost...@gmail.com> wrote:
>>
>>> I ran the project through the Bandit 'security linter' which flagged up
>>> a number of small issues (https://pypi.org/project/bandit/). I've attached
>>> the result of this in case it is of interest (run on 4.3.1 so obviously run
>>> it against whatever you plan to deploy).
>>>
>>> It is just one tool to use to help gauge the relative security of an
>>> app though. Fuzzing and django-tailored attacks should also be tried.
>>>
>>> Ben
>>>
>>>
>>> On Mon, 17 Dec 2018 at 14:55, Adam Cox <mr.adam...@gmail.com> wrote:
>>>
>>>> Hi John, I have not had a security audit either, and would be very
>>>> interested in the results. I do have a pending deployment for the Bureau of
>>>> Land Management which will most likely require an audit, so I'm expecting
>>>> to do some prep work on Arches for that at some point.
>>>>
>>>> On Mon, Dec 17, 2018 at 5:14 AM Vincent Meijer <
>>>> meijer.vinc...@gmail.com> wrote:
>>>>
>>>>> Hi John,
>>>>>
>>>>> I haven't heard of anyone doing a security audit for Arches, but if so
>>>>> I would also be quite interested in hearing about it.
>>>>>
>>>>> Best,
>>>>> Vincent
>>>>>
>>>>> On Monday, 17 December 2018 10:49:03 UTC+1, John Murphy wrote:
>>>>>>
>>>>>> Good morning everyone!
>>>>>>
>>>>>> I was wondering if anyone has had to commission a security audit
>>>>>> of Arches yet and, if so, what have your experiences been? Our corporate IT
>>>>>> are going to require one before they allow me to set this loose on our
>>>>>> network and it would be good to know what I need to look out for.
>>>>>>
>>>>>> Many thanks,
>>>>>>
>>>>>> John
>>>>>>
>>>>> --
>>>>> -- To post, send email to archesproject@googlegroups.com. To
>>>>> unsubscribe, send email to archesproject+unsubscr...@googlegroups.com.
>>>>> For more information, visit
>>>>> https://groups.google.com/d/forum/archesproject?hl=en
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Arches Project" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to archesproject+unsubscr...@googlegroups.com.
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>>>
>>>

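Ben's point about string-formatted SQL, shown as an added example that is not code from the thread or from Arches: the pattern Bandit flags beside the parameterised form, run against a constructed in-memory sqlite table. The stdlib sqlite3 module uses `?` placeholders; Django's raw `cursor.execute(sql, params)` takes the same shape with `%s` placeholders and a params list.

```python
import sqlite3


def make_db():
    # Constructed sample data; the apostrophe in the second name is the
    # interesting case.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resource (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO resource (name) VALUES (?)",
        [("Aqueduct",), ("O'Brien House",)],
    )
    return conn


def find_by_name_formatted(conn, name):
    # The pattern Bandit flags (B608): the query text is built with string
    # formatting, so whatever the caller passes becomes part of the SQL
    # grammar rather than a value.
    query = "SELECT id, name FROM resource WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_by_name_parameterised(conn, name):
    # Preferred form: placeholder plus a parameter tuple. The driver binds
    # the value separately from the statement, so the input can only ever
    # be data, quotes included. In Django: cursor.execute(sql_with_%s, [name]).
    query = "SELECT id, name FROM resource WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def compare(name):
    # Returns (formatted_result, parameterised_result) for the same input.
    # The formatted variant raises on any input that changes the statement's
    # structure; that failure is reported as a string instead of propagating.
    conn = make_db()
    try:
        formatted = find_by_name_formatted(conn, name)
    except sqlite3.OperationalError as exc:
        formatted = "error: %s" % exc
    return formatted, find_by_name_parameterised(conn, name)
```

For a plain name both paths agree; for a name containing a quote the formatted query is no longer the query the author wrote, while the parameterised query still returns the matching row.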