Check for PyCryptodome and PyCryptodomex in weak key plugin

Bug #1655975 reported by Ian Cordasco
Affects: Bandit
Status: Fix Released
Importance: Undecided
Assigned to: Ian Cordasco

Bug Description

With PyCrypto unmaintained, hostile forks are present - the most prominent of which is PyCryptodome (https://github.com/Legrandin/pycryptodome).

This project has two installable PyPI targets:

- PyCryptodome
- PyCryptodomex

The former provides a drop-in replacement for PyCrypto, so we should be able to catch imports using the existing plugin (import Crypto).

The latter provides a different module: Cryptodome which provides similar functionality but under a new name. This should be added to the weak key check.
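To make the requested check concrete, here is an added example of the kind of AST-based weak-key detection the report asks for. It is not Bandit's plugin code; the function name find_weak_keys, the 2048-bit threshold in MIN_KEY_BITS and the sample source in SAMPLE are assumptions made for this illustration. It resolves import aliases so that RSA/DSA key generation reached through either the Crypto namespace (PyCrypto, PyCryptodome) or the Cryptodome namespace (PyCryptodomex) is flagged when the key size is below the threshold.

```python
import ast

# Root packages treated as equivalent: PyCrypto and PyCryptodome import as
# "Crypto"; PyCryptodomex imports as "Cryptodome".
CRYPTO_ROOTS = {"Crypto", "Cryptodome"}

# Key generators the check looks for, relative to the root package.
WEAK_KEY_GENERATORS = {"PublicKey.RSA.generate", "PublicKey.DSA.generate"}

# Assumed threshold for this example; Bandit's own default may differ.
MIN_KEY_BITS = 2048


def _resolve_aliases(tree):
    """Map each locally bound import name to its fully qualified origin."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases


def _qualified_name(func, aliases):
    """Turn a Name/Attribute chain into a dotted path, expanding import aliases."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return None  # e.g. a call on a call result; not resolvable statically
    parts.append(aliases.get(func.id, func.id))
    return ".".join(reversed(parts))


def _key_size(call):
    """Extract the bit length from the first positional arg or the bits= keyword."""
    bits = None
    if call.args and isinstance(call.args[0], ast.Constant):
        bits = call.args[0].value
    for kw in call.keywords:
        if kw.arg == "bits" and isinstance(kw.value, ast.Constant):
            bits = kw.value.value
    return bits if isinstance(bits, int) else None


def find_weak_keys(source):
    """Return (lineno, qualified call, bits) for RSA/DSA keys below MIN_KEY_BITS
    generated through either the Crypto or the Cryptodome namespace."""
    tree = ast.parse(source)
    aliases = _resolve_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        qualname = _qualified_name(node.func, aliases)
        if qualname is None:
            continue
        root, _, rest = qualname.partition(".")
        if root not in CRYPTO_ROOTS or rest not in WEAK_KEY_GENERATORS:
            continue
        bits = _key_size(node)
        if bits is not None and bits < MIN_KEY_BITS:
            findings.append((node.lineno, qualname, bits))
    return sorted(findings)


# Constructed sample input exercising both namespaces and several import styles.
SAMPLE = """\
from Crypto.PublicKey import RSA
from Cryptodome.PublicKey import DSA
import Cryptodome.PublicKey.RSA as XRSA

k1 = RSA.generate(1024)        # weak, Crypto namespace (PyCrypto / PyCryptodome)
k2 = DSA.generate(bits=1024)   # weak, Cryptodome namespace (PyCryptodomex)
k3 = XRSA.generate(2048)       # at threshold, not flagged
k4 = RSA.generate(bits=4096)   # not flagged
"""

if __name__ == "__main__":
    for lineno, call, bits in find_weak_keys(SAMPLE):
        print(f"line {lineno}: {call}({bits}) below {MIN_KEY_BITS} bits")
```

The alias table is what makes the second namespace cheap to support: once "from Cryptodome.PublicKey import RSA" resolves RSA to Cryptodome.PublicKey.RSA, the only change needed is the extra entry in CRYPTO_ROOTS. Key sizes that are not literal constants are deliberately skipped rather than guessed, which is the usual trade-off for a static check of this kind.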

Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix merged to bandit (master)

Reviewed: https://review.openstack.org/419799
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=d4e213445aa4e5860936faf50f570fe00bdd0a44
Submitter: Jenkins
Branch: master

commit d4e213445aa4e5860936faf50f570fe00bdd0a44
Author: Eric Brown <email address hidden>
Date: Thu Jan 12 23:53:24 2017 -0800

    Add Cryptodome to blacklist and weak ciphers/hash

    As stated in the bug, the PyCryptodomex package reintroduces
    PyCrypto, but with a different namespace. Therefore Bandit should
    also include Cryptodome in its checks.

    Change-Id: I6a02f97747420cedfb4523917ea0083ed5792d7a
    Closes-Bug: #1655975

Changed in bandit:
status: New → Fix Released