Strongly Advise Against PyCrypto
Bug #1655973 reported by Ian Cordasco
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Bandit | Fix Released | High | Ian Cordasco | |
Bug Description
PyCrypto's use should be detected and warned against for two reasons:
- The version on PyPI has a publicly disclosed buffer overflow vulnerability: https:/
- The project is not maintained and has been deprecated in favor of pyca/cryptography https:/
This could cause false positives if people install PyCryptodome but I have another issue to write about that project.
Changed in bandit: status: New → Confirmed
Changed in bandit: importance: Undecided → High
Reviewed: https://review.openstack.org/530287
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=dc3ff2d91785eee49394bd7c8b9e75ddfb616ea4
Submitter: Zuul
Branch: master
commit dc3ff2d91785eee49394bd7c8b9e75ddfb616ea4
Author: Tin Lam <email address hidden>
Date: Wed Dec 27 21:41:15 2017 -0600
Add pycrypto to blacklist
This patch set adds pyCrypto to bandit's blacklist, so bandit will
strongly advise against using pyCrypto. As mentioned in the bug,
this may cause false positives if people use PyCryptodome, but will be
tracked and addressed in a follow-up patch set.
Depends-On: I0b1a90c3a47ad6d3b18597e5315e9f017854a146
Change-Id: I81f695cd31dee393ab4530dbcdb20dd925bbece2
Closes-Bug: #1655973
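To make concrete what the bug description and the commit message above ask for, here is an added example of an import-level check for PyCrypto in the spirit of a Bandit blacklist entry. It is not Bandit's own plugin code. It assumes that PyCrypto is imported under the top-level package `Crypto` (PyCryptodome can reuse that name, which is the false-positive case the bug mentions, but it also ships the separate `Cryptodome` namespace, which is left alone here); the sample source, the finding format and the advice string are constructed for the example.

```python
"""Added example: detect imports of PyCrypto in Python source with the ast module.

Not Bandit's own code. The module prefix list and the advice text are assumptions
made for this example.
"""
import ast

# Assumed: PyCrypto's top-level package is "Crypto". PyCryptodome's drop-in mode
# reuses that name (the false positive noted in the bug), while its separate
# "Cryptodome" namespace is not flagged by this check.
PYCRYPTO_PREFIXES = ("Crypto",)

ADVICE = ("pycrypto is unmaintained and has a publicly disclosed buffer overflow; "
          "use pyca/cryptography instead")


def _is_blacklisted(name):
    """True if `name` is a blacklisted package or a submodule of one."""
    return any(name == p or name.startswith(p + ".") for p in PYCRYPTO_PREFIXES)


def find_pycrypto_imports(source, filename="<string>"):
    """Return a sorted list of (line_number, imported_module) for PyCrypto imports.

    Both `import Crypto.X` and `from Crypto.X import Y` forms are covered.
    Relative imports (`from . import Crypto`) refer to local modules and are skipped.
    """
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if _is_blacklisted(alias.name):
                    findings.append((node.lineno, alias.name))
        elif isinstance(node, ast.ImportFrom):
            if node.level == 0 and node.module and _is_blacklisted(node.module):
                findings.append((node.lineno, node.module))
    findings.sort()
    return findings


def report(source, filename="<string>"):
    """Render findings as one Bandit-style warning line per offending import."""
    return [f"{filename}:{line}: B-PYCRYPTO import of {mod}: {ADVICE}"
            for line, mod in find_pycrypto_imports(source, filename)]


# Constructed sample input: two PyCrypto imports, one PyCryptodome import under its
# own namespace, and the recommended replacement library.
SAMPLE = '''\
import os
from Crypto.Cipher import AES
import Crypto.Random as rnd
from Cryptodome.Cipher import AES as CdAES
from cryptography.hazmat.primitives.ciphers import Cipher
'''

if __name__ == "__main__":
    for line in report(SAMPLE, "sample.py"):
        print(line)
```

Run it as a script to see the two warnings for lines 2 and 3 of the sample; the `Cryptodome` and `cryptography` imports produce nothing. A real scanner would walk a tree of files and feed each one to `find_pycrypto_imports`.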