pySCG: updated to scope addressing Davids feedback, fixed formatting #710
Conversation
…ted wording and fixed formatting Signed-off-by: Helge Wehder <helge.wehder@ericsson.com>
Signed-off-by: Helge Wehder <helge.wehder@ericsson.com>
Signed-off-by: Helge Wehder <helge.wehder@ericsson.com>
| Common Weakness Enamurator (CWE) [Pillar Weakness](https://cwe.mitre.org/documents/glossary/#Pillar%20Weakness) [mitre.org 2023]. | ||
|
|
||
| Some rules only contain code examples, documentation will follow. | ||
| Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)], languages such as `HTML` and `JavaScript` are avoided. |
There was a problem hiding this comment.
| Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)], languages such as `HTML` and `JavaScript` are avoided. | |
| Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)] are not specifically covered by this document. We do sometimes note where outside modules are necessary to address a type of vulnerability, and encourage users of those modules to consult those modules' documentation. |
There was a problem hiding this comment.
The note about HTML & JavaScript isn't really the issue. The point is that this document only discusses the built-in modules. Presumably JSON would be in scope, because there's a built-in module for JSON.
There was a problem hiding this comment.
@david-a-wheeler , the background story to this learning resource is that we have designers spending 40 hours going through a ton of text to learn secure coding in languages such as JAVA. Any chance we can shorten that sentence?
There was a problem hiding this comment.
| Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)], languages such as `HTML` and `JavaScript` are avoided. | |
| Python modules outside of the _Python Module Index_ [[Python 2023](https://docs.python.org/3.9/py-modindex.html)] are not specifically covered by this document. |
There was a problem hiding this comment.
How about this? The issue isn't really HTML (there's an html module in Python's built-ins) - it's that this particular document only focuses on the built-ins.
There was a problem hiding this comment.
Much better thank you.
Since I am not native English speaking I struggle to understand the difference between "avoiding" and "not specifically covered". We try our best to only list "inclusions" in order to have ever expanding lists of "exclusions". Not sure how to best phrase that in this introduction.
We are missing a contribution document, I will get onto creating that. In it I would outline the following in regards to explaining why we avoid modules outside of the standard lib:
- Code examples may end up as module recommendations "just use..."
- Actual issue is not explained in code.
- Don't want to end up writing module documentation, bug-fixes or workarounds.
- Life Cycle related issues
- Trust related issues
We also want to keep the main pySCG readme.md look "inviting" with a minimum of content and links in its introduction section.
As per SIG meeting Dec 16, addressing our unclear scope in our introduction of the main readme.md.
Removed some duplicated and long winded wording.
Fixed links and references.
Fixed formatting issues.