Add pycrypto to blacklist

This patch set adds pyCrypto to bandit's blacklist, so bandit will strongly advise against using pyCrypto. As mentioned in the bug, this may cause false positives if people use pyCrytodome, but will be tracked and addressed in follow up patch set. Depends-On: I0b1a90c3a47ad6d3b18597e5315e9f017854a146 Change-Id: I81f695cd31dee393ab4530dbcdb20dd925bbece2 Closes-Bug: #1655973
2017-12-27 21:41:15 -06:00 · 2017-12-27 21:41:15 -06:00 · dc3ff2d917
parent 03b390b59b
commit dc3ff2d917
4 changed files with 41 additions and 0 deletions
--- a/bandit/blacklists/imports.py
+++ b/bandit/blacklists/imports.py
@ -179,6 +179,19 @@ at https://httpoxy.org/.
 |      |                     | - twisted.web.twcgi.CGIScript      |           |
 +------+---------------------+------------------------------------+-----------+

+B413: import_pycrypto
+---------------------
+pycrypto library is known to have publicly disclosed buffer overflow
+vulnerability https://github.com/dlitz/pycrypto/issues/176. It is no longer
+actively maintained and has been deprecated in favor of pyca/cryptography
+library.
+
+------+---------------------+------------------------------------+-----------+
+| ID   |  Name               |  Imports                           |  Severity |
+======+=====================+====================================+===========+
+| B413 | import_pycrypto     | - Crypto                           | high      |
+------+---------------------+------------------------------------+-----------+
+
 """

 from bandit.blacklists import utils
@ -268,4 +281,10 @@ def gen_blacklist():
        '{name} module.', 'HIGH'
        ))

+    sets.append(utils.build_conf_dict(
+        'import_pycrypto', 'B413', ['Crypto'],
+        'The pyCrypto library and its module {name} are no longer actively '
+        'maintained and have been deprecated. '
+        'Consider using pyca/cryptography library.', 'HIGH'))
+
    return {'Import': sets, 'ImportFrom': sets, 'Call': sets}
--- a/examples/pycrypto.py
+++ b/examples/pycrypto.py
@ -0,0 +1,8 @@
+from Crypto.Cipher import AES
+from Crypto import Random
+
+
+def test_pycrypto():
+    key = b'Sixteen byte key'
+    iv = Random.new().read(AES.block_size)
+    cipher = pycrypto_arc2.new(key, AES.MODE_CFB, iv)
--- a/releasenotes/notes/add-pycrypto-warn-c430f40f1d0fb44a.yaml
+++ b/releasenotes/notes/add-pycrypto-warn-c430f40f1d0fb44a.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    PyCrypto library is no longer actively maintained and should be replaced
+    with ``cryptography`` library. A new rule is added to detect and warn the
+    import and use of ``pycrypto`` module.
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@ -705,3 +705,11 @@ class FunctionalTests(testtools.TestCase):
            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 5}
        }
        self.check_example('hashlib_new_insecure_functions.py', expect)
+
+    def test_blacklist_pycrypto(self):
+        '''Test importing pycrypto module'''
+        expect = {
+            'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2},
+            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
+        }
+        self.check_example('pycrypto.py', expect)