Closed
Description
Describe the bug
SHA1 has known weaknesses and a proven exploit. We already include SHA1 as a blacklisted call from hashlib, but it's not part of the hashlib_new plugin (B324).
To Reproduce
Steps to reproduce the behavior:
- Go to https://github.com/PyCQA/bandit/blob/master/bandit/plugins/hashlib_new_insecure_functions.py#L47
- Notice it only checks MD4 and MD5
Expected behavior
Should also check for SHA1 and have an updated unit test
Bandit version
bandit 1.6.3
python version = 3.6.7 (default, Nov 12 2018, 13:31:42) [GCC 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.11.45.5)]
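The check requested above, sketched as an added example that is not part of the original issue and is not Bandit's own plugin code: a standard-library `ast` scan that flags `hashlib.new()` calls whose literal algorithm name is MD4, MD5 or SHA1, matched case-insensitively and given either positionally or as `name=`. The names `WEAK_HASHES`, `find_weak_hashlib_new` and the sample source are assumptions made for illustration, and aliased imports such as `from hashlib import new` are out of scope here.

```python
import ast

# Assumption: the weak set the issue asks for (MD4 and MD5, plus SHA1).
WEAK_HASHES = {"md4", "md5", "sha1"}

# Constructed sample input, not taken from any real project.
SAMPLE = '''
import hashlib
hashlib.new("md5")
hashlib.new("SHA1", b"data")
hashlib.new(name="sha1")
hashlib.new("sha256")
hashlib.new(algo)
hashlib.sha1(b"data")
'''


def _algorithm_name(call):
    """Return the literal algorithm name passed to hashlib.new(), or None."""
    node = call.args[0] if call.args else None
    if node is None:
        for kw in call.keywords:
            if kw.arg == "name":
                node = kw.value
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value.lower()
    return None  # dynamic value: cannot be decided statically


def find_weak_hashlib_new(source):
    """Return sorted (line, algorithm) pairs for weak hashlib.new() calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        # Only the hashlib.new(...) form; hashlib.sha1(...) is a separate check.
        if (isinstance(func, ast.Attribute) and func.attr == "new"
                and isinstance(func.value, ast.Name)
                and func.value.id == "hashlib"):
            name = _algorithm_name(node)
            if name in WEAK_HASHES:
                findings.append((node.lineno, name))
    return sorted(findings)


if __name__ == "__main__":
    for line, name in find_weak_hashlib_new(SAMPLE):
        print(f"line {line}: hashlib.new() with weak hash {name}")
```

The direct `hashlib.sha1(...)` call in the sample is deliberately not reported, since the issue says that form is already covered by the blacklisted-call check.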