Add linter for insecure cryptography use

[mschwager]

The Python cryptography library has become the defacto standard for crytographic operations. We should detect known-insecure crytographic operations, e.g.

• cryptography.hazmat.primitives.hashes.MD5
• cryptography.hazmat.primitives.hashes.SHA1
• cryptography.hazmat.primitives.ciphers.modes.ECB

We should also investigate if there are any other pieces of functionality in the library worth detecting.

[alex]

PKCS1v15 when used with encryption is probably worthy of detection.

[mschwager]

After sleuthing the docs, here's some more attributes with a "Warning" next to them:

• cryptography.hazmat.primitives.ciphers.algorithms.Blowfish
• cryptography.hazmat.primitives.ciphers.algorithms.ARC4
• cryptography.hazmat.primitives.ciphers.algorithms.IDEA
• cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15

[alex]

Note that PKCS1v15 when used with encrypt() is significantly worse than with sign().

[mschwager]

Thanks for the tips @alex!

Looks like you have significant experience in the Python + security space. Are there any other mainstream libraries you can think of that would be worth creating Dlint rules for and/or investigating? So far I have requests, pycrypto, cryptography (here), defusedxml (#5), Duo's API client library, and OneLogin's SAML library.

I could look at some of the big webservers (e.g. Django, Pyramid, Flask), but that may not be as useful or easy to detect insecurities as common libraries.