Strongly Advise Against PyCrypto

Bug #1655973 reported by Ian Cordasco
Affects: Bandit
Status: Fix Released
Importance: High
Assigned to: Ian Cordasco

Bug Description

PyCrypto's use should be detected and warned against for two reasons:

- The version on PyPI has a publicly disclosed buffer overflow vulnerability: https://github.com/dlitz/pycrypto/issues/176

- The project is not maintained and has been deprecated in favor of pyca/cryptography https://github.com/dlitz/pycrypto/issues/173

This could cause false positives if people install PyCryptodome, but I have another issue to write about that project.
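A minimal version of the detection this report asks for, added here as an example and not Bandit's own rule: an AST walk that flags any import whose top-level package is `Crypto` (PyCrypto's package name), with the PyCryptodome name collision the report mentions shown as the false-positive case. Function and constant names are mine, and the sample source is constructed.

```python
# Added example (not Bandit's code): flag imports of PyCrypto's "Crypto" package.
import ast
from typing import List, Tuple

# PyCrypto installs its top-level package as "Crypto". PyCryptodome reuses that
# same name by default, so a name-based rule cannot tell them apart: this is the
# false-positive case the bug report mentions. The "Cryptodome" namespace is
# used only by pycryptodomex, so it is not flagged.
FLAGGED_TOP_LEVEL = {"Crypto"}


def find_pycrypto_imports(source: str) -> List[Tuple[int, str]]:
    """Return (line number, imported module) for every import whose
    top-level package is in FLAGGED_TOP_LEVEL."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            # Relative imports ("from . import x") are local code, never PyCrypto.
            names = [node.module]
        else:
            continue
        for name in names:
            if name.split(".")[0] in FLAGGED_TOP_LEVEL:
                findings.append((node.lineno, name))
    return findings


# Constructed sample input mixing PyCrypto, pycryptodomex and pyca/cryptography.
SAMPLE = """\
import os
from Crypto.Cipher import AES
import Crypto.Random
from Cryptodome.Cipher import AES as SafeAES
from cryptography.hazmat.primitives.ciphers import Cipher
"""

if __name__ == "__main__":
    for lineno, module in find_pycrypto_imports(SAMPLE):
        print(f"line {lineno}: import of {module} (PyCrypto blacklist)")
```

Only lines 2 and 3 of the sample are reported; a PyCryptodome user importing `Crypto.Cipher` would be reported the same way, which is exactly the false positive the report anticipates.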

Luke Hinds (lhinds)
Changed in bandit:
status: New → Confirmed
Luke Hinds (lhinds)
Changed in bandit:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to bandit (master)

Reviewed: https://review.openstack.org/530287
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=dc3ff2d91785eee49394bd7c8b9e75ddfb616ea4
Submitter: Zuul
Branch: master

commit dc3ff2d91785eee49394bd7c8b9e75ddfb616ea4
Author: Tin Lam <email address hidden>
Date: Wed Dec 27 21:41:15 2017 -0600

    Add pycrypto to blacklist

    This patch set adds pyCrypto to bandit's blacklist, so bandit will
    strongly advise against using pyCrypto. As mentioned in the bug,
    this may cause false positives if people use pyCryptodome, but this will be
    tracked and addressed in a follow-up patch set.

    Depends-On: I0b1a90c3a47ad6d3b18597e5315e9f017854a146
    Change-Id: I81f695cd31dee393ab4530dbcdb20dd925bbece2
    Closes-Bug: #1655973

Changed in bandit:
status: Confirmed → Fix Released