
B324: hashlib_new not checking for SHA1 #560

Status: Closed. Opened by @ericwb.

Description

Describe the bug
SHA1 has known weaknesses and a proven exploit. We already include SHA1 as a blacklisted call from hashlib, but it's not part of the hashlib_new plugin (B324).

To Reproduce
Steps to reproduce the behavior:

  1. Go to https://github.com/PyCQA/bandit/blob/master/bandit/plugins/hashlib_new_insecure_functions.py#L47
  2. Notice it only checks MD4 and MD5

Expected behavior
Should also check for SHA1 and have an updated unit test

Bandit version

bandit 1.6.3
  python version = 3.6.7 (default, Nov 12 2018, 13:31:42) [GCC 4.2.1 Compatible Apple LLVM 10.0.0 (clang-1000.11.45.5)]
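The gap described in this issue is that a `hashlib.new("sha1")` call slips past a check that only matches `md4` and `md5`. The following is an added example, written for this page and not code from the Bandit project, of a minimal AST-based checker that covers all three names in `hashlib.new()` calls. It assumes the module is referenced as `hashlib.new` (a `from hashlib import new` alias is not resolved), only inspects string-literal algorithm names, and treats a `usedforsecurity=False` keyword (accepted by `hashlib.new` since Python 3.9) as an explicit opt-out. The sample source it scans is constructed for this example.

```python
import ast

# Constructed sample source; line numbers below are relative to this string.
SAMPLE = '''
import hashlib
h1 = hashlib.new('md5')
h2 = hashlib.new("sha1", b"data")
h3 = hashlib.new(name='SHA1')
h4 = hashlib.new('sha256')
h5 = hashlib.md5()
h6 = hashlib.new('md5', usedforsecurity=False)
'''

# Algorithms the check should flag; SHA1 is the one the issue asks to add.
WEAK_HASHES = {"md4", "md5", "sha1"}


def _is_hashlib_new(call: ast.Call) -> bool:
    """True for calls spelled exactly `hashlib.new(...)` (assumption: no aliasing)."""
    func = call.func
    return (
        isinstance(func, ast.Attribute)
        and func.attr == "new"
        and isinstance(func.value, ast.Name)
        and func.value.id == "hashlib"
    )


def _literal_name(call: ast.Call):
    """Return the algorithm name if it is a string literal (positional or `name=`), else None."""
    if call.args and isinstance(call.args[0], ast.Constant) and isinstance(call.args[0].value, str):
        return call.args[0].value
    for kw in call.keywords:
        if kw.arg == "name" and isinstance(kw.value, ast.Constant) and isinstance(kw.value.value, str):
            return kw.value.value
    return None


def _opted_out(call: ast.Call) -> bool:
    """True when the caller passed usedforsecurity=False (non-cryptographic use)."""
    for kw in call.keywords:
        if kw.arg == "usedforsecurity" and isinstance(kw.value, ast.Constant):
            return kw.value.value is False
    return False


def find_weak_hashlib_new(source: str):
    """Return (line, algorithm) pairs for hashlib.new() calls naming a weak hash.

    Direct constructor calls such as hashlib.md5() are deliberately not covered
    here; the issue notes those are handled by the separate blacklist check.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_hashlib_new(node):
            name = _literal_name(node)
            if name is not None and name.lower() in WEAK_HASHES and not _opted_out(node):
                findings.append((node.lineno, name))
    return findings


if __name__ == "__main__":
    for lineno, algo in find_weak_hashlib_new(SAMPLE):
        print(f"line {lineno}: weak hash algorithm {algo!r} passed to hashlib.new()")
```

Matching on `name.lower()` is what catches the `'SHA1'` spelling on line 5 of the sample; a case-sensitive comparison would miss it, which is the same class of gap as the one reported here.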

Labels: bug (Something isn't working), good first issue (Good for newcomers)