2018-02-14 22:36:28
Matt Bullock
description
First, just to set the tone: I wholeheartedly support the blacklisting of pycrypto; that is a great step that you have taken, and it's awesome to see it canonicalized in the security checks.
Unfortunately, because of how the import checks work, anything that is imported and starts with the string "Crypto" triggers the B413 blacklisted import flag. This is problematic for us, as several of our classes start with "Crypto".
ex:
https://github.com/awslabs/aws-encryption-sdk-python/blob/master/src/aws_encryption_sdk/caches/__init__.py#L166
https://github.com/awslabs/aws-encryption-sdk-python/blob/master/src/aws_encryption_sdk/caches/base.py#L20
Looking through the import check logic[1], I'm wondering if it might also be getting tripped up by relative imports? Error received: [2].
[1] https://github.com/openstack/bandit/blob/bb1bf81856c1467f85ee138b727568d192bd179a/bandit/core/blacklisting.py#L65-L75
[2]
Run started:2018-02-14 22:02:58.455051
Test results:
>> Issue: [B413:blacklist] The pyCrypto library and its module CryptoMaterialsCacheEntry are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
Severity: High Confidence: High
Location: src/aws_encryption_sdk/caches/local.py:22
21
22 from . import CryptoMaterialsCacheEntry
23 from .base import CryptoMaterialsCache
--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module CryptoMaterialsCacheEntry are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
Severity: High Confidence: High
Location: src/aws_encryption_sdk/caches/null.py:14
13 """Null cache: a cache which does not cache."""
14 from . import CryptoMaterialsCacheEntry
15 from .base import CryptoMaterialsCache
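Added example (not from the report and not Bandit's own code) reconstructing the behaviour described above: a plain string-prefix check flags `from . import CryptoMaterialsCacheEntry` because the name starts with "Crypto", which matches the output quoted in [2] (only the `from . import` line is reported, since `from .base import ...` yields "base.CryptoMaterialsCache"). Comparing whole dotted components and skipping relative imports flags only genuine pyCrypto imports; the BLACKLIST tuple and the helper names are assumptions.

```python
"""Import-blacklist matching: string-prefix (the B413 false positive) vs. dotted components."""
import ast

# Blacklisted module name, as for the pyCrypto check (an assumption for this example;
# Bandit's real qualname list may differ).
BLACKLIST = ("Crypto",)


def imported_names(source):
    """Yield (qualified_name, relative_level) for every import statement in *source*."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                yield alias.name, 0
        elif isinstance(node, ast.ImportFrom):
            # "from . import X" has module=None and level=1; "from .base import X" has module="base".
            prefix = node.module + "." if node.module else ""
            for alias in node.names:
                yield prefix + alias.name, node.level


def prefix_match(qualname, level):
    """Naive check: 'CryptoMaterialsCacheEntry'.startswith('Crypto') is True, so it is flagged."""
    return any(qualname.startswith(entry) for entry in BLACKLIST)


def component_match(qualname, level):
    """Compare whole dotted components, so only 'Crypto' or 'Crypto.<sub>' is flagged."""
    if level > 0:  # relative import: names the current package, never a third-party library
        return False
    parts = qualname.split(".")
    return any(parts[: len(e.split("."))] == e.split(".") for e in BLACKLIST)


def scan(source, matcher):
    """Return the imported names that *matcher* flags, in source order."""
    return [name for name, level in imported_names(source) if matcher(name, level)]


# Constructed sample: the two lines from the report plus real pyCrypto and pyca imports.
SAMPLE = """\
from . import CryptoMaterialsCacheEntry
from .base import CryptoMaterialsCache
from Crypto.Cipher import AES
import Crypto.Random as rnd
from cryptography.hazmat.primitives.ciphers import Cipher
"""

if __name__ == "__main__":
    print("prefix   :", scan(SAMPLE, prefix_match))     # ['CryptoMaterialsCacheEntry', 'Crypto.Cipher.AES', 'Crypto.Random']
    print("component:", scan(SAMPLE, component_match))  # ['Crypto.Cipher.AES', 'Crypto.Random']
```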