Fix false positives for pyCrypto

This patch set fixes an issue where modules whose names begin with string ``Crypto`` are incorrectly flagged for pyCrypto imports. The fix will now explicitly calls out pyCrypto module one sub-level to avoid the false positives. Change-Id: Iafd3fae2fc7a13a0a93800ee570c4e1354be1391 Closes-Bug: #1749603 Signed-off-by: Tin Lam <tin@irrational.io>
2018-02-18 00:36:37 -06:00 · 2018-02-18 00:36:37 -06:00 · 91a796b805
commit 91a796b805
parent 6fd7fccf70
2 changed files with 20 additions and 2 deletions
--- a/bandit/blacklists/imports.py
+++ b/bandit/blacklists/imports.py
@ -189,7 +189,14 @@ library.
 +------+---------------------+------------------------------------+-----------+
 | ID   |  Name               |  Imports                           |  Severity |
 +======+=====================+====================================+===========+
-| B413 | import_pycrypto     | - Crypto                           | high      |
+| B413 | import_pycrypto     | - Crypto.Cipher                    | high      |
+|      |                     | - Crypto.Hash                      |           |
+|      |                     | - Crypto.IO                        |           |
+|      |                     | - Crypto.Protocol                  |           |
+|      |                     | - Crypto.PublicKey                 |           |
+|      |                     | - Crypto.Random                    |           |
+|      |                     | - Crypto.Signature                 |           |
+|      |                     | - Crypto.Util                      |           |
 +------+---------------------+------------------------------------+-----------+

 """
@ -282,7 +289,15 @@ def gen_blacklist():
        ))

    sets.append(utils.build_conf_dict(
-        'import_pycrypto', 'B413', ['Crypto'],
+        'import_pycrypto', 'B413',
+        ['Crypto.Cipher',
+         'Crypto.Hash',
+         'Crypto.IO',
+         'Crypto.Protocol',
+         'Crypto.PublicKey',
+         'Crypto.Random',
+         'Crypto.Signature',
+         'Crypto.Util'],
        'The pyCrypto library and its module {name} are no longer actively '
        'maintained and have been deprecated. '
        'Consider using pyca/cryptography library.', 'HIGH'))
--- a/examples/pycrypto.py
+++ b/examples/pycrypto.py
@ -1,8 +1,11 @@
 from Crypto.Cipher import AES
 from Crypto import Random

+from . import CryptoMaterialsCacheEntry
+

 def test_pycrypto():
    key = b'Sixteen byte key'
    iv = Random.new().read(AES.block_size)
    cipher = pycrypto_arc2.new(key, AES.MODE_CFB, iv)
+    factory = CryptoMaterialsCacheEntry()