B324: hashlib_new not included in help docs #559

Closed
ericwb opened this issue Jan 7, 2020 · 2 comments · Fixed by #862
Labels
bug Something isn't working
Comments

ericwb commented Jan 7, 2020

Describe the bug
The doc for B324 hashlib_new is not included as part of:
https://bandit.readthedocs.io/en/latest/plugins/index.html

This may be because 3xx is for blacklist, yet this is a plugin.

To Reproduce
Steps to reproduce the behavior:

  1. Go to https://bandit.readthedocs.io/en/latest/plugins/index.html
  2. Notice B324 is missing in the list of plugins

Note, it is not listed here either:
https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html

Expected behavior
Output of command bandit -h shows

	B324	hashlib_new_insecure_functions

But it's not documented in the help docs

Bandit version

bandit 1.6.3
  python version = 3.6.7 (default, Nov 12 2018, 13:31:42) [GCC 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.11.45.5)]

Additional context
Add any other context about the problem here.

@ericwb ericwb added the bug Something isn't working label Jan 8, 2020
@smontanaro

I assume this is why, when I get an error referencing hashlib like this:

Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False
Severity: High Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: ./scripts/cull-dups.py:24:25
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b324_hashlib.html

the More Info URL doesn't exist. I just installed bandit, so 1.7.4 is probably the latest release, but just in case, I tried this URL too:

https://bandit.readthedocs.io/en/latest/plugins/b324_hashlib.html

but it also 404s.
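An added example (not code from the Bandit project or from anyone in this thread) of the call shape the B324 message above reports, next to the two remediations the message points at: `usedforsecurity=False` for a non-security use such as duplicate detection, or a SHA-2 digest where the hash actually protects something. The file names and contents are constructed, and the `usedforsecurity` keyword needs Python 3.9 or later (the Python 3.6 in the original report does not have it).

```python
import hashlib

# Constructed sample input: file contents a duplicate-culling script might compare.
SAMPLE_FILES = {
    "a.txt": b"hello world\n",
    "b.txt": b"hello world\n",
    "c.txt": b"different\n",
}


def digest_flagged(data: bytes) -> str:
    # This is the form B324 reports: MD5 with the default usedforsecurity=True,
    # so Bandit has to assume the digest is being relied on for security.
    return hashlib.md5(data).hexdigest()


def digest_dedup(data: bytes) -> str:
    # Same digest, but the call declares it is not a security control.
    # B324 does not fire on this form, and FIPS-mode builds of hashlib allow it.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def digest_security(data: bytes) -> str:
    # Where the hash guards integrity or identity, move off MD4/MD5/SHA-1 entirely.
    return hashlib.sha256(data).hexdigest()


def find_duplicates(files, digest=digest_dedup):
    """Return (duplicate_name, first_seen_name) pairs keyed on the content digest."""
    seen = {}
    dups = []
    for name, data in sorted(files.items()):
        key = digest(data)
        if key in seen:
            dups.append((name, seen[key]))
        else:
            seen[key] = name
    return dups


if __name__ == "__main__":
    print(find_duplicates(SAMPLE_FILES))
```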

@ericwb ericwb added this to the Release 1.8.0 milestone Mar 22, 2022
ericwb added a commit that referenced this issue Mar 23, 2022
The hashlib_insecure_functions module is missing documentation. More
than likely this is a result of having checks in blacklist for hashlib
and also a plugin. The blacklists have a reserved Id range of 3xx, which
is what this plugin is using.

Near term, this change publishes a page for B324 hashlib plugin. Longer
term, the bandit Id should be migrated out of the 3xx group to something
more appropriate.

Closes #559

Signed-off-by: Eric Brown <browne@vmware.com>
@manuel-belvo

This issue is still present since the output gives:

>> Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False
   Severity: High   Confidence: High
   CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
   Location: src/a.py
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b324_hashlib.html
