Inaccurate message in hashlib check (#827)
The hashlib function does not actually check for md2 as the docs
and message claim. Besides, md2 is a very old hash not found in
any Python 3.x version we support.

Signed-off-by: Eric Brown <browne@vmware.com>
ericwb committed Feb 26, 2022
1 parent 8bad6fa commit 09a6ace
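The two code paths this commit touches, a direct constructor such as `hashlib.md5(...)` and the string form `hashlib.new("md5", ...)`, can be demonstrated with a small stand-alone scanner. The block below is an added example, not Bandit's own plugin code: `WEAK_HASHES`, `find_weak_hashlib_calls`, `probe_md2` and the `SAMPLE` source are this example's own names and constructed input. It flags the three algorithms the corrected message lists, honours the `usedforsecurity=False` opt-out the message recommends, and shows why MD2 has no place in that list: it is not in `hashlib.algorithms_guaranteed`, and `hashlib.new("md2")` raises `ValueError` on builds whose OpenSSL does not provide it. Lowercasing the `hashlib.new` name before matching is this example's choice; the page does not say whether the plugin does so.

```python
"""Added example (not Bandit's code): a minimal version of the check that
hashlib_insecure_functions.py performs, plus a probe for the 'md2' name.
Names WEAK_HASHES, probe_md2, find_weak_hashlib_calls and SAMPLE are
this example's own.
"""
import ast
import hashlib

# The set the commit settles on: MD4, MD5 and SHA-1.  MD2 is absent because
# no supported CPython ships it (see probe_md2 below).
WEAK_HASHES = frozenset({"md4", "md5", "sha1"})

WEAK_HASH_MSG = ("Use of weak MD4, MD5, or SHA1 hash for security. "
                 "Consider usedforsecurity=False")


def probe_md2():
    """Return (in_guaranteed, constructible) for the algorithm name 'md2'.

    'md2' is never in hashlib.algorithms_guaranteed on Python 3.x, and
    hashlib.new('md2') raises ValueError ('unsupported hash type') unless
    the linked OpenSSL happens to provide MD2, which current builds do not.
    """
    in_guaranteed = "md2" in hashlib.algorithms_guaranteed
    try:
        hashlib.new("md2")
        constructible = True
    except ValueError:
        constructible = False
    return in_guaranteed, constructible


def _usedforsecurity_false(call):
    """True if the call passes the literal keyword usedforsecurity=False."""
    for kw in call.keywords:
        if kw.arg == "usedforsecurity" and isinstance(kw.value, ast.Constant):
            return kw.value.value is False
    return False


def find_weak_hashlib_calls(source):
    """Return sorted (lineno, algorithm, message) tuples for every
    hashlib.<weak>(...) or hashlib.new('<weak>', ...) call in `source`
    that is not explicitly marked usedforsecurity=False."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only attribute calls on a name bound to `hashlib`: hashlib.xxx(...)
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "hashlib"):
            continue
        algo = None
        if func.attr in WEAK_HASHES:
            algo = func.attr                       # hashlib.md5(...)
        elif func.attr == "new":
            # hashlib.new("md5", ...) or hashlib.new(name="md5", ...)
            first = node.args[0] if node.args else None
            for kw in node.keywords:
                if kw.arg == "name":
                    first = kw.value
            if isinstance(first, ast.Constant) and isinstance(first.value, str):
                if first.value.lower() in WEAK_HASHES:
                    algo = first.value.lower()
        if algo is None or _usedforsecurity_false(node):
            continue
        findings.append((node.lineno, algo, WEAK_HASH_MSG))
    # ast.walk is breadth-first, so sort to report in source order.
    return sorted(findings)


# Constructed sample input for the scanner (not from any real code base).
SAMPLE = """\
import hashlib
token = hashlib.md5(secret).hexdigest()                      # flagged
etag = hashlib.md5(body, usedforsecurity=False).hexdigest()   # allowed
h = hashlib.new("sha1", data)                                 # flagged
h2 = hashlib.new("md2", data)                                 # not in WEAK_HASHES
ok = hashlib.sha256(data).hexdigest()                         # fine
"""

if __name__ == "__main__":
    print("md2 in algorithms_guaranteed / constructible:", probe_md2())
    for lineno, algo, msg in find_weak_hashlib_calls(SAMPLE):
        print(f"line {lineno}: {algo}: {msg}")
```

Running the block reports lines 2 and 4 of the constructed sample and leaves the `usedforsecurity=False` call, the `md2` call and the SHA-256 call alone; the single `WEAK_HASH_MSG` constant is what keeps both code paths emitting the same text.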
Showing 1 changed file with 6 additions and 7 deletions.
13 changes: 6 additions & 7 deletions bandit/plugins/hashlib_insecure_functions.py
@@ -19,7 +19,7 @@
:Example:
>> Issue: [B324:hashlib] Use of weak MD2, MD4, MD5, or SHA1 hash for
>> Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for
security. Consider usedforsecurity=False
Severity: High Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
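Review bot: only the `:Example:` output line of the module docstring is corrected here, yet the commit message says the docs as well as the message claimed MD2; if the prose description above this example still lists MD2 alongside MD4, MD5 and SHA1, it needs the same edit in this commit, otherwise the docstring and the emitted message disagree again.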
@@ -62,8 +62,8 @@ def _hashlib_func(context):
severity=bandit.HIGH,
confidence=bandit.HIGH,
cwe=issue.Cwe.BROKEN_CRYPTO,
text="Use of weak MD2, MD4, MD5, or SHA1 hash "
"for security. Consider usedforsecurity=False",
text="Use of weak MD4, MD5, or SHA1 hash for "
"security. Consider usedforsecurity=False",
lineno=context.node.lineno,
)
elif func == "new":
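Review bot: the message string in this first branch of `_hashlib_func` is repeated verbatim in the `elif func == "new":` branch and nearly so in `_hashlib_new`, which is exactly how the MD2 claim had to be fixed in three places. Suggest one module-level constant, e.g. `WEAK_HASH_MSG = ("Use of weak MD4, MD5, or SHA1 hash for security. " "Consider usedforsecurity=False")`, passed as `text=WEAK_HASH_MSG` from both branches so the next wording change is made once.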
@@ -78,8 +78,8 @@ def _hashlib_func(context):
severity=bandit.HIGH,
confidence=bandit.HIGH,
cwe=issue.Cwe.BROKEN_CRYPTO,
text="Use of weak MD2, MD4, MD5, or SHA1 hash "
"for security. Consider usedforsecurity=False",
text="Use of weak MD4, MD5, or SHA1 hash for "
"security. Consider usedforsecurity=False",
lineno=context.node.lineno,
)

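Review bot: the commit touches a single file, so any test that asserts on the old wording "Use of weak MD2, MD4, MD5, or SHA1 hash" will now fail; please confirm the test suite matches on the issue id or the new text rather than on the removed MD2 phrase, or include the test update in this change. The rewrap from `"... hash " "for security. ..."` to `"... hash for " "security. ..."` still concatenates with correct spacing.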
@@ -103,8 +103,7 @@ def _hashlib_new(context):
severity=bandit.MEDIUM,
confidence=bandit.HIGH,
cwe=issue.Cwe.BROKEN_CRYPTO,
text="Use of insecure MD2, MD4, MD5, or SHA1 hash "
"function.",
text="Use of insecure MD4, MD5, or SHA1 hash function.",
lineno=context.node.lineno,
)

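Review bot: `_hashlib_new` keeps a message ("Use of insecure MD4, MD5, or SHA1 hash function.") that differs from the `_hashlib_func` one in wording, omits the `Consider usedforsecurity=False` hint and is rated MEDIUM rather than HIGH; now that all three strings list the same algorithms, either align the wording or add a short comment on this path stating why it is rated lower and gives no remediation hint, so a later reader does not take one of them for stale text.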
