tylerwince / flake8-bandit

Automated security testing using bandit and flake8.
MIT License

Different results in different Python versions (S303 vs. S324) #31

Open finswimmer opened 2 years ago

finswimmer commented 2 years ago

Hello,

the following code leads to different error codes, depending on the Python version:

import hashlib

h = hashlib.md5()

Python 3.8:

example.py:3:1: S303 Use of insecure MD2, MD4, MD5, or SHA1 hash function.

Python 3.9:

example.py:3:1: S324 Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False

Python 3.10:

example.py:3:1: S324 Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False

The installed package versions seem to be equal:

$ python --version
Python 3.8.10

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.8.10 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pkg_resources   0.0.0
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0

$ python --version
Python 3.9.1

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.9.1 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0

$ python --version
Python 3.10.2

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.10.2 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0

Any idea what's going on here? Is it a flake8-bandit issue or a bandit one?

Thanks a lot!

fin swimmer

finswimmer commented 2 years ago

In Python 3.9 and later, the hashlib function has a new keyword argument usedforsecurity to describe the usage of the hash. In that way, we can better identify the severity of the error.

https://github.com/PyCQA/bandit/pull/805

So I'm afraid there will be no way to get the same result for Python >=3.9 and <3.9, besides pinning bandit/flake8-bandit to an older version?
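To make the distinction behind S303 vs. S324 concrete, here is an added example that is not part of the issue thread and not code from bandit or flake8-bandit. It reimplements, in a few lines of `ast`, the shape of the check the Python 3.9+ rule applies: a weak hash constructor call is security-relevant unless it is explicitly called with `usedforsecurity=False`. The names `weak_hash_findings`, `non_security_md5` and the sample source `SAMPLE_SOURCE` are mine, and the sample is constructed for the example; the second function shows how code that genuinely uses MD5 for a non-security purpose (a cache key, a content fingerprint) can pass the keyword on 3.9+ and fall back on older interpreters, where the keyword does not exist and the older rule fires regardless.

```python
import ast
import hashlib
import sys

# Hash constructors the weak-hash rule treats as unsuitable for security use.
WEAK_HASHES = {"md4", "md5", "sha1"}

# Constructed sample input (not from the issue); line numbers matter for the report.
SAMPLE_SOURCE = """\
import hashlib

h = hashlib.md5()
cache_key = hashlib.md5(b"x", usedforsecurity=False)
fp = hashlib.new("sha1", b"y")
ok = hashlib.sha256(b"z")
"""


def _weak_hash_name(call):
    """Return the weak hash name if `call` is hashlib.<weak>(...) or hashlib.new("<weak>", ...), else None."""
    func = call.func
    if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)):
        return None
    if func.value.id != "hashlib":
        return None
    if func.attr in WEAK_HASHES:
        return func.attr
    if func.attr == "new" and call.args and isinstance(call.args[0], ast.Constant):
        name = str(call.args[0].value).lower()
        if name in WEAK_HASHES:
            return name
    return None


def _usedforsecurity(call):
    """Return the literal value of usedforsecurity=..., or None when absent or not a literal."""
    for kw in call.keywords:
        if kw.arg == "usedforsecurity" and isinstance(kw.value, ast.Constant):
            return bool(kw.value.value)
    return None


def weak_hash_findings(source, filename="<string>"):
    """Scan Python source for weak hash constructor calls.

    Returns a list of (lineno, hash_name, security_relevant) tuples sorted by line.
    A call is security-relevant unless it passes usedforsecurity=False, which is the
    same downgrade the Python 3.9+ rule applies; an absent keyword counts as relevant.
    """
    tree = ast.parse(source, filename=filename)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _weak_hash_name(node)
            if name is not None:
                findings.append((node.lineno, name, _usedforsecurity(node) is not False))
    findings.sort(key=lambda f: f[0])
    return findings


def non_security_md5(data):
    """MD5 for a non-security purpose (e.g. a cache key), declaring that intent where supported.

    The usedforsecurity keyword exists from Python 3.9 on; older interpreters reject it,
    so the fallback omits it (and the pre-3.9 rule will still flag this line).
    """
    if sys.version_info >= (3, 9):
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    return hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    for lineno, name, relevant in weak_hash_findings(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} {'(security-relevant)' if relevant else '(usedforsecurity=False)'}")
    print(non_security_md5(b"abc"))
```

Run against `SAMPLE_SOURCE`, the scanner reports the bare `hashlib.md5()` on line 3 and the `hashlib.new("sha1", ...)` on line 5 as security-relevant, lists the line 4 call as downgraded because of the explicit keyword, and ignores `sha256` entirely. That is the whole difference the issue observes: the same source yields a warning either way, but only a 3.9+ interpreter lets the author say which of the two cases a call belongs to.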