Check for PyCryptodome and PyCryptodomex in weak key plugin
Bug #1655975 reported by Ian Cordasco
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Bandit | Fix Released | Undecided | Ian Cordasco | |
Bug Description
With PyCrypto unmaintained, hostile forks are present - the most prominent of which is PyCryptodome (https:/
This project has two installable PyPI targets:
- PyCryptodome
- PyCryptodomex
The former provides a drop-in replacement for PyCrypto so we should be able to catch imports using the existing plugin (import Crypto).
The latter provides a different module: Cryptodome which provides similar functionality but under a new name. This should be added to the weak key check.
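The check the report asks for, as an added illustration that is not Bandit's own plugin code: a stand-alone AST walk that resolves import aliases for both the legacy `Crypto` namespace (PyCrypto / PyCryptodome) and the `Cryptodome` namespace (PyCryptodomex), then flags `RSA.generate` / `DSA.generate` calls whose key size falls below a threshold. The 2048-bit threshold, the sample source and the function names are assumptions made for this example, not values taken from the bug or from Bandit.

```python
"""Toy weak-key detector for PyCrypto-style namespaces (example code, not Bandit's)."""
import ast

# Both namespaces expose the same API; the module root is the only difference,
# which is why the Cryptodome name has to be checked alongside Crypto.
CRYPTO_NAMESPACES = ("Crypto", "Cryptodome")
MIN_RSA_DSA_BITS = 2048  # threshold assumed for this example


def _root(modname):
    return modname.split(".")[0]


class WeakKeyVisitor(ast.NodeVisitor):
    def __init__(self):
        self.aliases = {}   # local name -> fully qualified module/attribute name
        self.findings = []  # (lineno, qualified call name, bits)

    def visit_Import(self, node):
        # `import Cryptodome.PublicKey.RSA as CRSA` binds CRSA to the full path;
        # a bare `import Cryptodome.PublicKey.RSA` binds only the top-level package.
        for a in node.names:
            if _root(a.name) in CRYPTO_NAMESPACES:
                if a.asname:
                    self.aliases[a.asname] = a.name
                else:
                    self.aliases[_root(a.name)] = _root(a.name)
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        # `from Crypto.PublicKey import RSA` binds RSA to Crypto.PublicKey.RSA
        if node.module and _root(node.module) in CRYPTO_NAMESPACES:
            for a in node.names:
                self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        self.generic_visit(node)

    def _qualify(self, node):
        # Turn an attribute chain such as RSA.generate into its fully qualified
        # name using the recorded aliases; return None if the root is not crypto.
        parts = []
        while isinstance(node, ast.Attribute):
            parts.append(node.attr)
            node = node.value
        if isinstance(node, ast.Name) and node.id in self.aliases:
            parts.append(self.aliases[node.id])
            return ".".join(reversed(parts))
        return None

    def visit_Call(self, node):
        qual = self._qualify(node.func)
        if qual and qual.split(".")[-2:] in (["RSA", "generate"], ["DSA", "generate"]):
            bits = None
            # Key size may be the first positional argument or the `bits=` keyword.
            if node.args and isinstance(node.args[0], ast.Constant):
                bits = node.args[0].value
            for kw in node.keywords:
                if kw.arg == "bits" and isinstance(kw.value, ast.Constant):
                    bits = kw.value.value
            if isinstance(bits, int) and bits < MIN_RSA_DSA_BITS:
                self.findings.append((node.lineno, qual, bits))
        self.generic_visit(node)


def find_weak_keys(source):
    """Return a list of (lineno, qualified_call, bits) for weak key generation calls."""
    visitor = WeakKeyVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample input: one legacy namespace, two Cryptodome spellings.
SAMPLE = '''
from Crypto.PublicKey import RSA
from Cryptodome.PublicKey import DSA
import Cryptodome.PublicKey.RSA as CRSA

k1 = RSA.generate(1024)
k2 = DSA.generate(bits=1024)
k3 = CRSA.generate(2048)
'''

if __name__ == "__main__":
    for lineno, call, bits in find_weak_keys(SAMPLE):
        print(f"line {lineno}: {call} with {bits}-bit key")
```

Running the block against the constructed sample reports the 1024-bit `RSA.generate` call from the `Crypto` namespace and the 1024-bit `DSA.generate` call from the `Cryptodome` namespace, while the 2048-bit call is left alone; without `Cryptodome` in `CRYPTO_NAMESPACES` the second finding would be missed, which is the gap the bug describes.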
Reviewed: https://review.openstack.org/419799
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=d4e213445aa4e5860936faf50f570fe00bdd0a44
Submitter: Jenkins
Branch: master
commit d4e213445aa4e5860936faf50f570fe00bdd0a44
Author: Eric Brown <email address hidden>
Date: Thu Jan 12 23:53:24 2017 -0800
Add Cryptodome to blacklist and weak ciphers/hash
As stated in the bug, the PyCryptodomex package reintroduces
PyCrypto, but with a different namespace. Therefore Bandit should
also include Cryptodome in its checks.
Change-Id: I6a02f97747420cedfb4523917ea0083ed5792d7a
Closes-Bug: #1655975