update repo: Bandit code scan report of high severity security vulnerability

Bug #1875563 reported by sharath kumar
Affects: StarlingX
Status: Triaged
Importance: Low
Assigned to: Unassigned
Milestone:

Bug Description

>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High Confidence: High
   Location: ./update/cgcs-patch/cgcs-patch/cgcs_make_patch/make_patch_functions.py:1463
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
     print("CMD: %s" % cmd)
     rc = subprocess.call(cmd, shell=True)
     if rc != 0:

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High Confidence: High
   Location: ./update/cgcs-patch/cgcs-patch/cgcs_make_patch/make_patch_functions.py:1473
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
     print("CMD: %s" % cmd)
     rc = subprocess.call(cmd, shell=True)
     if rc != 0:

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High Confidence: High
   Location: ./update/cgcs-patch/cgcs-patch/cgcs_make_patch/make_patch_functions.py:1482
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
     print("CMD: %s" % cmd)
     rc = subprocess.call(cmd, shell=True)
     return rc

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High Confidence: High
   Location: ./update/cgcs-patch/cgcs-patch/cgcs_patch/base.py:158
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
         try:
             result = subprocess.check_output(cmd, shell=True)

--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module PKCS1_PSS are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High Confidence: High
   Location: ./update/cgcs-patch/cgcs-patch/cgcs_patch/patch_signing.py:9
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b413-import-pycrypto
 import os
 from Crypto.Signature import PKCS1_PSS
 from Crypto.Hash import SHA256

--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module SHA256 are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High Confidence: High
   Location: ./update/cgcs-patch/cgcs-patch/cgcs_patch/patch_signing.py:10
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b413-import-pycrypto
 from Crypto.Signature import PKCS1_PSS
 from Crypto.Hash import SHA256
 from Crypto.PublicKey import RSA # pylint: disable=unused-import

--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module RSA are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High Confidence: High
   Location: ./update/cgcs-patch/cgcs-patch/cgcs_patch/patch_signing.py:11
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b413-import-pycrypto
 from Crypto.Hash import SHA256
 from Crypto.PublicKey import RSA # pylint: disable=unused-import
 from Crypto.Util.asn1 import DerSequence # pylint: disable=unused-import

--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module DerSequence are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High Confidence: High
   Location: ./update/cgcs-patch/cgcs-patch/cgcs_patch/patch_signing.py:12
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b413-import-pycrypto
 from Crypto.PublicKey import RSA # pylint: disable=unused-import
 from Crypto.Util.asn1 import DerSequence # pylint: disable=unused-import
 from binascii import a2b_base64 # pylint: disable=unused-import

--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module PKCS1_v1_5 are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High Confidence: High
   Location: ./update/cgcs-patch/cgcs-patch/cgcs_patch/patch_verify.py:11
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b413-import-pycrypto

 from Crypto.Signature import PKCS1_v1_5
 from Crypto.Signature import PKCS1_PSS

--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module PKCS1_PSS are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High Confidence: High
   Location: ./update/cgcs-patch/cgcs-patch/cgcs_patch/patch_verify.py:12
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b413-import-pycrypto
 from Crypto.Signature import PKCS1_v1_5
 from Crypto.Signature import PKCS1_PSS
 from Crypto.Hash import SHA256

--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module SHA256 are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High Confidence: High
   Location: ./update/cgcs-patch/cgcs-patch/cgcs_patch/patch_verify.py:13
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b413-import-pycrypto
 from Crypto.Signature import PKCS1_PSS
 from Crypto.Hash import SHA256
 from Crypto.PublicKey import RSA

--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module RSA are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High Confidence: High
   Location: ./update/cgcs-patch/cgcs-patch/cgcs_patch/patch_verify.py:14
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b413-import-pycrypto
 from Crypto.Hash import SHA256
 from Crypto.PublicKey import RSA
 from Crypto.Util.asn1 import DerSequence

--------------------------------------------------
>> Issue: [B413:blacklist] The pyCrypto library and its module DerSequence are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
   Severity: High Confidence: High
   Location: ./update/cgcs-patch/cgcs-patch/cgcs_patch/patch_verify.py:15
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b413-import-pycrypto
 from Crypto.PublicKey import RSA
 from Crypto.Util.asn1 import DerSequence
 from binascii import a2b_base64

Ghada Khalil (gkhalil) wrote:

The priority of addressing Bandit findings needs to be discussed with the TSC. At this time, this work is unplanned.

Changed in starlingx:
status: New → Triaged
importance: Undecided → Low
tags: added: stx.tools