Allow config for high and medium severity key sizes
The severity level of various key sizes of RSA, DSA, and EC are currently hard-coded in the weak_cryptographic_key.py itself. This patch allows the values to be overriden via the config file mechanism. Change-Id: I38ad5384e0e6012818bbac10f449840de6fb14ed
This commit is contained in:
parent
32b4714562
commit
4cf3af7d4c
|
@ -50,15 +50,30 @@ import bandit
|
|||
from bandit.core import test_properties as test
|
||||
|
||||
|
||||
def _classify_key_size(key_type, key_size):
|
||||
def gen_config(name):
|
||||
if name == 'weak_cryptographic_key':
|
||||
return {
|
||||
'weak_key_size_dsa_high': 1024,
|
||||
'weak_key_size_dsa_medium': 2048,
|
||||
'weak_key_size_rsa_high': 1024,
|
||||
'weak_key_size_rsa_medium': 2048,
|
||||
'weak_key_size_ec_high': 160,
|
||||
'weak_key_size_ec_medium': 224,
|
||||
}
|
||||
|
||||
|
||||
def _classify_key_size(config, key_type, key_size):
|
||||
if isinstance(key_size, str):
|
||||
# size provided via a variable - can't process it at the moment
|
||||
return
|
||||
|
||||
key_sizes = {
|
||||
'DSA': [(1024, bandit.HIGH), (2048, bandit.MEDIUM)],
|
||||
'RSA': [(1024, bandit.HIGH), (2048, bandit.MEDIUM)],
|
||||
'EC': [(160, bandit.HIGH), (224, bandit.MEDIUM)],
|
||||
'DSA': [(config['weak_key_size_dsa_high'], bandit.HIGH),
|
||||
(config['weak_key_size_dsa_medium'], bandit.MEDIUM)],
|
||||
'RSA': [(config['weak_key_size_rsa_high'], bandit.HIGH),
|
||||
(config['weak_key_size_rsa_medium'], bandit.MEDIUM)],
|
||||
'EC': [(config['weak_key_size_ec_high'], bandit.HIGH),
|
||||
(config['weak_key_size_ec_medium'], bandit.MEDIUM)],
|
||||
}
|
||||
|
||||
for size, level in key_sizes[key_type]:
|
||||
|
@ -70,7 +85,7 @@ def _classify_key_size(key_type, key_size):
|
|||
(key_type, size))
|
||||
|
||||
|
||||
def _weak_crypto_key_size_cryptography_io(context):
|
||||
def _weak_crypto_key_size_cryptography_io(context, config):
|
||||
func_key_type = {
|
||||
'cryptography.hazmat.primitives.asymmetric.dsa.'
|
||||
'generate_private_key': 'DSA',
|
||||
|
@ -89,7 +104,7 @@ def _weak_crypto_key_size_cryptography_io(context):
|
|||
key_size = (context.get_call_arg_value('key_size') or
|
||||
context.get_call_arg_at_position(arg_position[key_type]) or
|
||||
2048)
|
||||
return _classify_key_size(key_type, key_size)
|
||||
return _classify_key_size(config, key_type, key_size)
|
||||
elif key_type == 'EC':
|
||||
curve_key_sizes = {
|
||||
'SECP192R1': 192,
|
||||
|
@ -99,10 +114,10 @@ def _weak_crypto_key_size_cryptography_io(context):
|
|||
curve = (context.get_call_arg_value('curve') or
|
||||
context.call_args[arg_position[key_type]])
|
||||
key_size = curve_key_sizes[curve] if curve in curve_key_sizes else 224
|
||||
return _classify_key_size(key_type, key_size)
|
||||
return _classify_key_size(config, key_type, key_size)
|
||||
|
||||
|
||||
def _weak_crypto_key_size_pycrypto(context):
|
||||
def _weak_crypto_key_size_pycrypto(context, config):
|
||||
func_key_type = {
|
||||
'Crypto.PublicKey.DSA.generate': 'DSA',
|
||||
'Crypto.PublicKey.RSA.generate': 'RSA',
|
||||
|
@ -114,11 +129,12 @@ def _weak_crypto_key_size_pycrypto(context):
|
|||
key_size = (context.get_call_arg_value('bits') or
|
||||
context.get_call_arg_at_position(0) or
|
||||
2048)
|
||||
return _classify_key_size(key_type, key_size)
|
||||
return _classify_key_size(config, key_type, key_size)
|
||||
|
||||
|
||||
@test.takes_config
|
||||
@test.checks('Call')
|
||||
@test.test_id('B505')
|
||||
def weak_cryptographic_key(context):
|
||||
return (_weak_crypto_key_size_cryptography_io(context) or
|
||||
_weak_crypto_key_size_pycrypto(context))
|
||||
def weak_cryptographic_key(context, config):
|
||||
return (_weak_crypto_key_size_cryptography_io(context, config) or
|
||||
_weak_crypto_key_size_pycrypto(context, config))
|
||||
|
|
Loading…
Reference in New Issue