Skip key checks where size is not constant

Bandit cannot infer the value of local variables yet, so the key size test will fail when the size is not a constant. Ignore those lines for now. Change-Id: If0320ab5cb36592e61fc9cf03b2d230c381e2698 Closes-bug: 1546802
2016-08-15 16:39:18 +10:00 · 2016-08-15 16:39:18 +10:00 · bc20167599
parent df86344e75
commit bc20167599
2 changed files with 9 additions and 0 deletions
--- a/bandit/plugins/weak_cryptographic_key.py
+++ b/bandit/plugins/weak_cryptographic_key.py
@ -51,6 +51,10 @@ from bandit.core import test_properties as test


 def _classify_key_size(key_type, key_size):
+    if isinstance(key_size, str):
+        # size provided via a variable - can't process it at the moment
+        return
+
    key_sizes = {
        'DSA': [(1024, bandit.HIGH), (2048, bandit.MEDIUM)],
        'RSA': [(1024, bandit.HIGH), (2048, bandit.MEDIUM)],
--- a/examples/weak_cryptographic_key_sizes.py
+++ b/examples/weak_cryptographic_key_sizes.py
@ -45,3 +45,8 @@ rsa.generate_private_key(3,
                         backends.default_backend())
 DSA.generate(512)
 RSA.generate(512)
+
+# Don't crash when the size is variable
+rsa.generate_private_key(public_exponent=65537,
+                         key_size=some_key_size,
+                         backend=backends.default_backend())