False positive: [B324:hashlib] Use of insecure MD5 hash function when usedforsecurity=False

[Lucas-C]

Describe the bug

Since the latest 1.7.5 release,
code that used to not raise warnings is now detected as invalid by bandit

Reproduction steps

1. Put the following code in a file named bandit_bug.py

import hashlib
file_hash = hashlib.new("md5", usedforsecurity=False)
file_hash.update(b"Hello world!")
print(file_hash.hexdigest())

2. Call bandit bandit_bug.py
   With bandit 1.7.5 you will get the following output:

>> Issue: [B324:hashlib] Use of insecure MD5 hash function.
   Severity: Medium   Confidence: High
   CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
   More Info: https://bandit.readthedocs.io/en/1.7.5/plugins/b324_hashlib.html
   Location: bandit_bug.py:3:12

Expected behavior

There has been some work done on usedforsecurity=False in bandit in the past:

• Check value of usedforsecurity for hashlib #798
• Better hashlib check for Python 3.9 #805
• Invalid checking in hashlib plugin #865

I was expecting no warning when usedforsecurity=False is passed to hashlib.new("md5")

Bandit version

1.7.5 (Default)

Python version

3.8

Additional context

No response

[Lucas-C]

Sorry for the noise, this was just me being silly:
the problem came from me using a version 3.8 of Python.
All is fine when using a more recent version: https://github.com/PyCQA/bandit/blob/main/examples/hashlib_new_insecure_functions.py#L19