import blacklisting false positive for prefix matches
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Bandit | Fix Released | Medium | jessegler |
Bug Description
First, just to set the tone: I wholeheartedly support the blacklisting of pycrypto; that is a great step that you have taken, and it's awesome to see it canonicalized in the security checks.
Unfortunately, because of how the import checks work, anything that is imported and starts with the string "Crypto" triggers the B413 blacklisted import flag. This is problematic for us, as several of our classes start with "Crypto".
ex:
https:/
https:/
Looking through the import check logic[1], I'm wondering if it might also be getting tripped up by relative imports? Error received: [2].
[2]
Run started:2018-02-14 22:02:58.455051
Test results:
>> Issue: [B413:blacklist] The pyCrypto library and its module CryptoMaterials
Severity: High Confidence: High
Location: src/aws_
21
22 from . import CryptoMaterials
23 from .base import CryptoMaterials
-------
>> Issue: [B413:blacklist] The pyCrypto library and its module CryptoMaterials
Severity: High Confidence: High
Location: src/aws_
13 """Null cache: a cache which does not cache."""
14 from . import CryptoMaterials
15 from .base import CryptoMaterials
description: updated
Changed in bandit:
  assignee: nobody → jessegler (je808k)
  importance: Undecided → Medium
Reviewed: https://review.openstack.org/545738
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=91a796b805be34332054a9b5448914093b1a3395
Submitter: Zuul
Branch: master
commit 91a796b805be34332054a9b5448914093b1a3395
Author: Tin Lam <email address hidden>
Date: Sun Feb 18 00:36:37 2018 -0600
Fix false positives for pyCrypto
This patch set fixes an issue where modules whose names begin with the
string ``Crypto`` are incorrectly flagged as pyCrypto imports. The
fix now explicitly calls out the pyCrypto modules one sub-level down to
avoid the false positives.
Change-Id: Iafd3fae2fc7a13a0a93800ee570c4e1354be1391
Closes-Bug: #1749603
Signed-off-by: Tin Lam <email address hidden>
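The false positive and the fix, as an added example that is not Bandit's own code: a plain string-prefix test flags every path component that starts with `Crypto` (so the reporter's `CryptoMaterials` imports are caught), while a check against an explicitly listed set of pyCrypto modules, matched on dotted-module boundaries, flags only real pyCrypto imports. The `PYCRYPTO_MODULES` list and both matcher functions are assumptions for illustration, not Bandit's blacklist table or checker.

```python
import ast

# Assumed list of pyCrypto modules to flag, spelled out one sub-level
# deep as the fix commit describes; not Bandit's own blacklist table.
PYCRYPTO_MODULES = ("Crypto.Cipher", "Crypto.Hash", "Crypto.PublicKey",
                    "Crypto.Random", "Crypto.Util")


def imported_names(source):
    """Dotted path for every import in *source*; relative imports keep
    their leading dots (``from . import X`` becomes ``.X``)."""
    names = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.extend(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            base = "." * node.level + (node.module or "")
            sep = "" if base.endswith(".") else "."
            names.extend(f"{base}{sep}{alias.name}" for alias in node.names)
    return names


def prefix_match(name):
    """Flawed check modelled here: flag if any component of the path
    merely starts with 'Crypto', so 'CryptoMaterials' is caught too."""
    return any(part.startswith("Crypto") for part in name.split("."))


def module_match(name):
    """Corrected check: only absolute imports that are, or live under,
    an explicitly listed pyCrypto module are flagged. Relative imports
    name the package's own modules and can never be pyCrypto."""
    if name.startswith("."):
        return False
    return any(name == mod or name.startswith(mod + ".")
               for mod in PYCRYPTO_MODULES)


def scan(source, matcher):
    """Return the import paths in *source* that *matcher* flags."""
    return [n for n in imported_names(source) if matcher(n)]


# Constructed sample mixing the reporter's imports with real pyCrypto ones.
SAMPLE = """\
from . import CryptoMaterials
from .base import CryptoMaterials
import CryptoMaterials
from Crypto.Cipher import AES
import Crypto.Util.Counter
"""

if __name__ == "__main__":
    print("prefix match :", scan(SAMPLE, prefix_match))
    print("module match :", scan(SAMPLE, module_match))
```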