Add PyCryptodome to import blacklists

PyCryptodome is a direct fork of PyCrypto, and is generally
considered to not be the replacement for it.  It is recommended
that projects move to pyca/cryptography instead, as this may be
exposing folks to the same inherent issues that PyCrypto was
deprecated because of.

Signed-off-by: John 'Warthog9' Hawley <warthog9@eaglescrag.net>
Signed-off-by: John 'Warthog9' Hawley <jhawley@vmware.com>
Signed-off-by: Terri Oda <terri.oda@intel.com>

Author: warthog9

README.rst

@@ -224,6 +224,7 @@ Usage::
       B411  import_xmlrpclib
       B412  import_httpoxy
       B413  import_pycrypto
+      B414  import_pycryptodome
       B501  request_with_no_cert_validation
       B502  ssl_with_bad_version
       B503  ssl_with_bad_defaults

bandit/blacklists/imports.py

@@ -199,6 +199,26 @@
 |      |                     | - Crypto.Util                      |           |
 +------+---------------------+------------------------------------+-----------+
 
+B414: import_pycryptodome
+-------------------------
+pycryptodome is a direct fork of pycrypto that has not fully addressed
+the issues inherent in PyCrypto.  It seems to exist, mainly, as an API
+compatible continuation of pycrypto and should be deprecated in favor
+of pyca/cryptography which has more support among the Python community.
+
++------+---------------------+------------------------------------+-----------+
+| ID   |  Name               |  Imports                           |  Severity |
++======+=====================+====================================+===========+
+| B414 | import_pycryptodome | - Cryptodome.Cipher                | high      |
+|      |                     | - Cryptodome.Hash                  |           |
+|      |                     | - Cryptodome.IO                    |           |
+|      |                     | - Cryptodome.Protocol              |           |
+|      |                     | - Cryptodome.PublicKey             |           |
+|      |                     | - Cryptodome.Random                |           |
+|      |                     | - Cryptodome.Signature             |           |
+|      |                     | - Cryptodome.Util                  |           |
++------+---------------------+------------------------------------+-----------+
+
 """
 
 from bandit.blacklists import utils
@@ -302,4 +322,18 @@ def gen_blacklist():
         'maintained and have been deprecated. '
         'Consider using pyca/cryptography library.', 'HIGH'))
 
+    sets.append(utils.build_conf_dict(
+        'import_pycryptodome', 'B414',
+        ['Cryptodome.Cipher',
+         'Cryptodome.Hash',
+         'Cryptodome.IO',
+         'Cryptodome.Protocol',
+         'Cryptodome.PublicKey',
+         'Cryptodome.Random',
+         'Cryptodome.Signature',
+         'Cryptodome.Util'],
+        'The pycryptodome library is not considered a secure alternative '
+        'to pycrypto.'
+        'Consider using pyca/cryptography library.', 'HIGH'))
+
     return {'Import': sets, 'ImportFrom': sets, 'Call': sets}

examples/pycryptodome.py

@@ -0,0 +1,11 @@
+from Cryptodome.Cipher import AES
+from Cryptodome import Random
+
+from . import CryptoMaterialsCacheEntry
+
+
+def test_pycrypto():
+    key = b'Sixteen byte key'
+    iv = Random.new().read(AES.block_size)
+    cipher = pycrypto_arc2.new(key, AES.MODE_CFB, iv)
+    factory = CryptoMaterialsCacheEntry()

tests/functional/test_functional.py

@@ -729,3 +729,11 @@ def test_blacklist_pycrypto(self):
             'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
         }
         self.check_example('pycrypto.py', expect)
+
+    def test_blacklist_pycryptodome(self):
+        '''Test importing pycryptodome module'''
+        expect = {
+            'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2},
+            'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2}
+        }
+        self.check_example('pycryptodome.py', expect)