
Different results in different Python versions (S303 vs. S324) #31

Open
finswimmer opened this issue May 17, 2022 · 1 comment

@finswimmer

Hello,

the following code leads to different error codes, depending on the Python version:

import hashlib

h = hashlib.md5()

Python 3.8:

example.py:3:1: S303 Use of insecure MD2, MD4, MD5, or SHA1 hash function.

Python 3.9:

example.py:3:1: S324 Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False

Python 3.10:

example.py:3:1: S324 Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False

The installed package versions seem to be equal:

$ python --version
Python 3.8.10

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.8.10 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pkg_resources   0.0.0
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0
$ python --version
Python 3.9.1

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.9.1 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0
$ python --version
Python 3.10.2

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.10.2 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0

Any idea what's going on here? Is it a flake8-bandit issue or a bandit one?

Thanks a lot!

fin swimmer

@finswimmer
Author

In Python 3.9 and later, the hashlib function has a new keyword
argument usedforsecurity to describe the usage of the hash. In
that way, we can better identify the severity of the error.

PyCQA/bandit#805

So I'm afraid there will be no way to get the same result for Python >=3.9 and <3.9, besides pinning bandit/flake8-bandit to an older version?
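The practical question behind both S303 and S324 is whether the MD5 call is a security decision or just a cheap checksum. The following is an added example (not code from the issue, from bandit or from flake8-bandit) showing one way to write the call so it is accepted on both sides of the 3.9 boundary: pass `usedforsecurity=False` where the interpreter supports it, fall back to the plain constructor with bandit's `# nosec` marker on older interpreters, and use SHA-256 for any digest that actually carries security meaning. The function names and the sample input are my own; `usedforsecurity` is the real `hashlib` keyword added in Python 3.9, and `# nosec` is bandit's real per-line suppression comment.

```python
"""Added example: MD5 as a non-security checksum on Python 3.8 and 3.9+.

The usedforsecurity=False keyword (Python 3.9+) tells both the runtime
(e.g. FIPS-restricted builds) and static scanners such as bandit that
the digest is not relied on for security.
"""
import hashlib


def _md5_non_security():
    """Return an MD5 object flagged as non-security where the API allows it.

    Feature-detect the keyword instead of comparing version numbers so the
    code keeps working on any interpreter that accepts the flag.
    """
    try:
        return hashlib.md5(usedforsecurity=False)
    except TypeError:
        # Python < 3.9: the keyword does not exist. The intent is the same,
        # so the bandit finding (B303/S303) is suppressed on this line only.
        return hashlib.md5()  # nosec


def content_fingerprint(data: bytes) -> str:
    """Fast, non-cryptographic fingerprint (cache keys, dedup, etc.)."""
    h = _md5_non_security()
    h.update(data)
    return h.hexdigest()


def secure_digest(data: bytes) -> str:
    """Digest that may be compared or stored for a security purpose.

    MD5 is not acceptable here regardless of the keyword; use SHA-256.
    """
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    sample = b"abc"  # constructed input
    print("md5 fingerprint:", content_fingerprint(sample))
    print("sha256 digest:  ", secure_digest(sample))
```

Note that bandit inspects source text, not runtime behaviour: the fallback line still contains a bare `hashlib.md5()` call and would be reported on every Python version without the `# nosec` marker, while the keyword line is what satisfies the S324 suggestion on 3.9+. Keep the suppression scoped to that single line so that a genuine security use of MD5 elsewhere in the code base is still reported.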
