import blacklisting false positive for prefix matches

Bug #1749603 reported by Matt Bullock
Affects: Bandit | Status: Fix Released | Importance: Medium | Assigned to: jessegler | Milestone: (none)

Bug Description

First, just to set the tone: I wholeheartedly support the blacklisting of pycrypto; that is a great step that you have taken, and it's awesome to see it canonicalized in the security checks.

Unfortunately, because of how the import checks work, anything that is imported and starts with the string "Crypto" triggers the B413 blacklisted import flag. This is problematic for us, as several of our classes start with "Crypto".

ex:
https://github.com/awslabs/aws-encryption-sdk-python/blob/master/src/aws_encryption_sdk/caches/__init__.py#L166
https://github.com/awslabs/aws-encryption-sdk-python/blob/master/src/aws_encryption_sdk/caches/base.py#L20

Looking through the import check logic[1], I'm wondering if it might also be getting tripped up by relative imports? Error received: [2].

[1] https://github.com/openstack/bandit/blob/bb1bf81856c1467f85ee138b727568d192bd179a/bandit/core/blacklisting.py#L65-L75

[2]
Run started:2018-02-14 22:02:58.455051

Test results:
>> Issue: [B413:blacklist] The pyCrypto library and its module CryptoMaterialsCacheEntry are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High Confidence: High
   Location: src/aws_encryption_sdk/caches/local.py:22
21
22 from . import CryptoMaterialsCacheEntry
23 from .base import CryptoMaterialsCache

--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module CryptoMaterialsCacheEntry are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High Confidence: High
   Location: src/aws_encryption_sdk/caches/null.py:14
13 """Null cache: a cache which does not cache."""
14 from . import CryptoMaterialsCacheEntry
15 from .base import CryptoMaterialsCache

description: updated
jessegler (je808k)
Changed in bandit:
assignee: nobody → jessegler (je808k)
Eric Brown (ericwb)
Changed in bandit:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to bandit (master)

Reviewed: https://review.openstack.org/545738
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=91a796b805be34332054a9b5448914093b1a3395
Submitter: Zuul
Branch: master

commit 91a796b805be34332054a9b5448914093b1a3395
Author: Tin Lam <email address hidden>
Date: Sun Feb 18 00:36:37 2018 -0600

    Fix false positives for pyCrypto

    This patch set fixes an issue where modules whose names begin with the
    string ``Crypto`` are incorrectly flagged for pyCrypto imports. The
    fix now explicitly calls out the pyCrypto module one sub-level down to
    avoid the false positives.

    Change-Id: Iafd3fae2fc7a13a0a93800ee570c4e1354be1391
    Closes-Bug: #1749603
    Signed-off-by: Tin Lam <email address hidden>

Changed in bandit:
status: New → Fix Released
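An added example, not Bandit's own code, contrasting a bare prefix test on imported names (the behaviour the reporter observed with ``CryptoMaterialsCacheEntry``) with a module-boundary test that only matches the ``Crypto`` package itself or names under it. The sample source, the ``BLACKLISTED_PREFIXES`` constant and the function names are constructed for this illustration.

```python
import ast

# Constructed for this example: the top-level package named by B413.
BLACKLISTED_PREFIXES = ("Crypto",)

# Constructed sample module mixing genuine pyCrypto imports with the
# reporter's relative imports of classes whose names start with "Crypto".
SAMPLE = """
import Crypto
from Crypto.Cipher import AES
from . import CryptoMaterialsCacheEntry
from .base import CryptoMaterialsCache
"""


def import_names(source):
    """Yield the dotted names an import statement brings into scope.

    `from . import X` has module=None (level=1), so only the bare name X is
    yielded; `from .base import X` yields "base" and "base.X".
    """
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                yield alias.name
        elif isinstance(node, ast.ImportFrom):
            module = node.module or ""
            if module:
                yield module
            for alias in node.names:
                yield f"{module}.{alias.name}" if module else alias.name


def naive_is_blacklisted(name):
    """Bare prefix test: any name that merely starts with 'Crypto' matches."""
    return any(name.startswith(p) for p in BLACKLISTED_PREFIXES)


def is_blacklisted(name):
    """Module-boundary test: the package itself, or a submodule beneath it."""
    return any(name == p or name.startswith(p + ".") for p in BLACKLISTED_PREFIXES)


def flagged(source, check):
    """Sorted list of imported names that `check` would report."""
    return sorted(n for n in set(import_names(source)) if check(n))


if __name__ == "__main__":
    print("prefix test: ", flagged(SAMPLE, naive_is_blacklisted))
    print("boundary test:", flagged(SAMPLE, is_blacklisted))
```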