Activity log for bug #1749603

Date | Who | What changed | Old value | New value | Message
2018-02-14 22:34:57 | Matt Bullock | bug | | | added bug
2018-02-14 22:36:28 | Matt Bullock | description | (old value below) | (new value below) |

Old value:

First, just to set to tone: I wholeheartedly support the blacklisting of pycrypto; that is a great step that you have taken, and it's awesome to see it canonicalized in the security checks.

Unfortunately, because of how the import checks work, anything that is imported and starts with the string "Crypto" triggers the B413 blacklisted import flag. This is problematic for us, as several of our classes start with "Crypto". ex:

https://github.com/awslabs/aws-encryption-sdk-python/blob/master/src/aws_encryption_sdk/caches/__init__.py#L166
https://github.com/awslabs/aws-encryption-sdk-python/blob/master/src/aws_encryption_sdk/caches/base.py#L20

Looking through the import check logic[1], I'm wondering if it might also be getting tripped up by relative imports?

Error received: [2].

[1] https://github.com/openstack/bandit/blob/bb1bf81856c1467f85ee138b727568d192bd179a/bandit/core/blacklisting.py#L65-L75

[2]
Run started:2018-02-14 22:02:58.455051

Test results:
>> Issue: [B413:blacklist] The pyCrypto library and its module CryptoMaterialsCacheEntry are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High   Confidence: High
   Location: src/aws_encryption_sdk/caches/local.py:22
21
22	from . import CryptoMaterialsCacheEntry
23	from .base import CryptoMaterialsCache

--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module CryptoMaterialsCacheEntry are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High   Confidence: High
   Location: src/aws_encryption_sdk/caches/null.py:14
13	"""Null cache: a cache which does not cache."""
14	from . import CryptoMaterialsCacheEntry
15	from .base import CryptoMaterialsCache

New value:

First, just to set the tone: I wholeheartedly support the blacklisting of pycrypto; that is a great step that you have taken, and it's awesome to see it canonicalized in the security checks.

Unfortunately, because of how the import checks work, anything that is imported and starts with the string "Crypto" triggers the B413 blacklisted import flag. This is problematic for us, as several of our classes start with "Crypto". ex:

https://github.com/awslabs/aws-encryption-sdk-python/blob/master/src/aws_encryption_sdk/caches/__init__.py#L166
https://github.com/awslabs/aws-encryption-sdk-python/blob/master/src/aws_encryption_sdk/caches/base.py#L20

Looking through the import check logic[1], I'm wondering if it might also be getting tripped up by relative imports?

Error received: [2].

[1] https://github.com/openstack/bandit/blob/bb1bf81856c1467f85ee138b727568d192bd179a/bandit/core/blacklisting.py#L65-L75

[2]
Run started:2018-02-14 22:02:58.455051

Test results:
>> Issue: [B413:blacklist] The pyCrypto library and its module CryptoMaterialsCacheEntry are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High   Confidence: High
   Location: src/aws_encryption_sdk/caches/local.py:22
21
22	from . import CryptoMaterialsCacheEntry
23	from .base import CryptoMaterialsCache

--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module CryptoMaterialsCacheEntry are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High   Confidence: High
   Location: src/aws_encryption_sdk/caches/null.py:14
13	"""Null cache: a cache which does not cache."""
14	from . import CryptoMaterialsCacheEntry
15	from .base import CryptoMaterialsCache

2018-02-14 23:13:33 | jessegler | bandit: assignee | | jessegler (je808k) |
2018-02-15 07:12:00 | Eric Brown | bandit: importance | Undecided | Medium |
2018-02-27 16:58:04 | OpenStack Infra | bandit: status | New | Fix Released |
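The prefix-matching false positive described in the bug report above, as an added illustration that is neither Bandit's own implementation nor code from the aws-encryption-sdk: a simplified check that flags any imported name starting with "Crypto" (the behaviour the report describes), beside a stricter variant that matches only absolute module paths at a dotted boundary and ignores relative imports. The sample sources are constructed from the lines Bandit quoted, plus one genuine pycrypto import and one clean file.

```python
import ast

# Constructed sample sources (not the project's own files), modelled on the
# lines Bandit quoted in the report, plus one real pycrypto user and one clean file.
SAMPLES = {
    "caches/local.py": "from . import CryptoMaterialsCacheEntry\n"
                       "from .base import CryptoMaterialsCache\n",
    "legacy.py": "from Crypto.Cipher import AES\nimport Crypto.Random\n",
    "ok.py": "from cryptography.hazmat.primitives.ciphers import Cipher\n",
}

def naive_import_paths(tree):
    """Over-broad collection as the report describes it: every imported name
    is treated as a module path, including names bound by relative imports."""
    paths = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            paths.extend(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            if node.module:  # None for "from . import x"
                paths.append(node.module)
            paths.extend(alias.name for alias in node.names)
    return paths

def strict_import_paths(tree):
    """Only absolute module paths. Relative imports (level > 0) resolve inside
    the scanned package, so they cannot be pycrypto, and imported names such as
    CryptoMaterialsCacheEntry are not module paths at all."""
    paths = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            paths.extend(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            paths.append(node.module)
    return paths

def scan(sources, strict):
    """Return {filename: [flagged import paths]} under either matching rule."""
    hits = {}
    for filename, source in sources.items():
        tree = ast.parse(source)
        if strict:
            # Match the top-level package "Crypto" at a dotted boundary only.
            flagged = [p for p in strict_import_paths(tree)
                       if p == "Crypto" or p.startswith("Crypto.")]
        else:
            # Bare string prefix: "CryptoMaterialsCacheEntry" matches too.
            flagged = [p for p in naive_import_paths(tree) if p.startswith("Crypto")]
        hits[filename] = flagged
    return hits
```

Running `scan(SAMPLES, strict=False)` reproduces the two spurious hits on the relative imports, while `scan(SAMPLES, strict=True)` keeps only the genuine `Crypto.Cipher` and `Crypto.Random` findings.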