Security Tools
Overview
The pipeline includes automated security tools to aid in code reviews. These tools scan for common vulnerabilities and security issues, providing feedback before code is merged.
Bandit Security Scan
Bandit is an open source security linter for Python. It scans Python code for common security issues such as hardcoded passwords, SQL injection, and insecure function calls.
Pipeline Configuration
The bandit-security-scan job runs on merge requests with the following settings:
- Scans all Python files recursively
- Excludes .env and .cache directories
- Skips B101 (assert statements) to reduce noise
- Produces a bandit-report.json artifact
- Allowed to fail (does not block merge)
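A CI job definition that applies the settings listed above, added here as an illustration rather than the pipeline's own job. It assumes GitLab CI (merge request pipelines, artifacts, allow_failure), a python:3.11 image, and the Bandit command-line flags that correspond to each setting.

```yaml
# Added example: reconstructs the bandit-security-scan job from the settings
# listed above. Not the real pipeline definition; the image, stage name and
# exact flag mapping are assumptions.
bandit-security-scan:
  stage: test
  image: python:3.11
  rules:
    # Run only on merge request pipelines
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  before_script:
    - pip install bandit
  script:
    # -r: scan the tree recursively; -x: exclude the .env and .cache directories;
    # -s B101: skip the assert-statement check; -f json -o: write the JSON report
    - bandit -r . -x ./.env,./.cache -s B101 -f json -o bandit-report.json
  artifacts:
    # Bandit exits non-zero when it reports findings, so keep the report on
    # failure as well, otherwise reviewers never see it
    when: always
    paths:
      - bandit-report.json
  # Findings are advisory: the job turns amber but does not block the merge
  allow_failure: true
```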
Review Buddy
Review Buddy is a tool built by the SDK team to identify common security issues and Q2-specific bad practices. It also tracks cache usage, extension types, and user input throughout the code to provide additional context during code reviews.
High Severity Rules
| Rule | Mitigation |
|---|---|
| Requirements with known issues | Upgrade the flagged package to a newer version that addresses the known issues. |
| Minimum SDK version check | Upgrade q2-sdk to version >= 2.257.0 in requirements.txt. |
| SQL files | All SQL changes must be reviewed by the SDK team. For guidelines on custom SQL, see https://docs.q2developer.com/guides/database/custom_sql.html |
| JavaScript: eval() function | Q2 does not allow the use of eval() in JavaScript for security reasons. Please use a different implementation. |
| Filesystem interaction | We suggest using https://docs.q2developer.com/api_references/q2_sdk/core/q2_open.html#module-q2_sdk.core.q2_open |
| Python: exec() and eval() | Q2 does not allow the use of exec or eval in Python code for security reasons. Please use a different implementation. |
| Python: global keyword | Refactor to use function parameters and return values instead of global variables. |
| Possible XSS attack vectors | Ensure all user input is sanitized before using innerHTML/insertAdjacentHTML to prevent XSS attacks. |
| JavaScript: document.createElement('script') | Use static <script src='…' integrity='…'> tags instead of dynamically creating scripts. |
| Python: sys.exit() | Use exception handling instead of sys.exit(). |
| Usage of self.application | self.application in Tornado can inadvertently lead to memory sharing across requests and is therefore disallowed. Consider relying on self.cache instead. |
Medium Severity Rules
| Rule | Mitigation |
|---|---|
| Python: logger.error() inside exception block | Use logger.exception() or logger.error(…, exc_info=True) to include the full traceback. |
| Suggested WedgeOnlineBanking imports | |
| Python: Tracking cache usage in repo | |
| Legacy platform interactions | |
| Environment variable interaction | We recommend using configuration files instead of os.environ for sensitive values. |
| Parent window access | We recommend using window.Tecton |
| JavaScript: Script imports without integrity values | Add an integrity='sha384-…' attribute to external script tags. Generate hashes at https://www.srihash.org/ |
| time.sleep() | Prefer asyncio.sleep() in async code, or implement proper retry/backoff patterns. |
| Python: Check for skipped SSL verification (can be allowed depending on reasoning) | Please provide reasons for disabling SSL verification in your merge request description. |
Low Severity Rules
| Rule | Mitigation |
|---|---|
| JavaScript: setInterval and setTimeout | |
| HTML: <a> tag or JavaScript calling openURL | |
| JavaScript: console.log() | Consider using console.debug instead of console.log |
| Usage of 100vh | |
| Nested iframe usage | |
| Usage of q2-action-sheet | |
| Usage of q2-modal | |
| Usage of q2-option-list | |
| Usage of q2-popover | |
| Usage of q2-toast | |
| Usage of stencil-hydrated class | |
Context Tracking
- Tracking classes in repo
- Python: Tracking user input access
- Tracking third party cache usage in repo