Merge "Allow config for high and medium severity key sizes"

bandit/plugins/weak_cryptographic_key.py

@@ -50,15 +50,30 @@ import bandit
 from bandit.core import test_properties as test
 
 
-def _classify_key_size(key_type, key_size):
+def gen_config(name):
+    if name == 'weak_cryptographic_key':
+        return {
+            'weak_key_size_dsa_high': 1024,
+            'weak_key_size_dsa_medium': 2048,
+            'weak_key_size_rsa_high': 1024,
+            'weak_key_size_rsa_medium': 2048,
+            'weak_key_size_ec_high': 160,
+            'weak_key_size_ec_medium': 224,
+        }
+
+
+def _classify_key_size(config, key_type, key_size):
     if isinstance(key_size, str):
         # size provided via a variable - can't process it at the moment
         return
 
     key_sizes = {
-        'DSA': [(1024, bandit.HIGH), (2048, bandit.MEDIUM)],
-        'RSA': [(1024, bandit.HIGH), (2048, bandit.MEDIUM)],
-        'EC': [(160, bandit.HIGH), (224, bandit.MEDIUM)],
+        'DSA': [(config['weak_key_size_dsa_high'], bandit.HIGH),
+                (config['weak_key_size_dsa_medium'], bandit.MEDIUM)],
+        'RSA': [(config['weak_key_size_rsa_high'], bandit.HIGH),
+                (config['weak_key_size_rsa_medium'], bandit.MEDIUM)],
+        'EC': [(config['weak_key_size_ec_high'], bandit.HIGH),
+               (config['weak_key_size_ec_medium'], bandit.MEDIUM)],
     }
 
     for size, level in key_sizes[key_type]:
@@ -70,7 +85,7 @@ def _classify_key_size(key_type, key_size):
                 (key_type, size))
 
 
-def _weak_crypto_key_size_cryptography_io(context):
+def _weak_crypto_key_size_cryptography_io(context, config):
     func_key_type = {
         'cryptography.hazmat.primitives.asymmetric.dsa.'
         'generate_private_key': 'DSA',
@@ -89,7 +104,7 @@ def _weak_crypto_key_size_cryptography_io(context):
         key_size = (context.get_call_arg_value('key_size') or
                     context.get_call_arg_at_position(arg_position[key_type]) or
                     2048)
-        return _classify_key_size(key_type, key_size)
+        return _classify_key_size(config, key_type, key_size)
     elif key_type == 'EC':
         curve_key_sizes = {
             'SECP192R1': 192,
@@ -99,10 +114,10 @@ def _weak_crypto_key_size_cryptography_io(context):
         curve = (context.get_call_arg_value('curve') or
                  context.call_args[arg_position[key_type]])
         key_size = curve_key_sizes[curve] if curve in curve_key_sizes else 224
-        return _classify_key_size(key_type, key_size)
+        return _classify_key_size(config, key_type, key_size)
 
 
-def _weak_crypto_key_size_pycrypto(context):
+def _weak_crypto_key_size_pycrypto(context, config):
     func_key_type = {
         'Crypto.PublicKey.DSA.generate': 'DSA',
         'Crypto.PublicKey.RSA.generate': 'RSA',
@@ -114,11 +129,12 @@ def _weak_crypto_key_size_pycrypto(context):
         key_size = (context.get_call_arg_value('bits') or
                     context.get_call_arg_at_position(0) or
                     2048)
-        return _classify_key_size(key_type, key_size)
+        return _classify_key_size(config, key_type, key_size)
 
 
+@test.takes_config
 @test.checks('Call')
 @test.test_id('B505')
-def weak_cryptographic_key(context):
-    return (_weak_crypto_key_size_cryptography_io(context) or
-            _weak_crypto_key_size_pycrypto(context))
+def weak_cryptographic_key(context, config):
+    return (_weak_crypto_key_size_cryptography_io(context, config) or
+            _weak_crypto_key_size_pycrypto(context, config))