tylerwince/flake8-bandit

Different results in different Python versions (S303 vs. S324)

finswimmer opened this issue · 1 comment

Hello,

the following code leads to different error codes, depending on the Python version:

import hashlib

h = hashlib.md5()

Python 3.8:

example.py:3:1: S303 Use of insecure MD2, MD4, MD5, or SHA1 hash function.

Python 3.9:

example.py:3:1: S324 Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False

Python 3.10:

example.py:3:1: S324 Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False

The installed package versions seem to be equal:

$ python --version
Python 3.8.10

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.8.10 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pkg_resources   0.0.0
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0

$ python --version
Python 3.9.1

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.9.1 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0

$ python --version
Python 3.10.2

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.10.2 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0

Any idea what's going on here? Is it a flake8-bandit issue or a bandit one?

Thanks a lot!

fin swimmer

In Python 3.9 and later, the hashlib function has a new keyword argument usedforsecurity to describe the usage of the hash. In that way, we can better identify the severity of the error.

PyCQA/bandit#805

So I'm afraid there will be no way to get the same result for Python >=3.9 and <3.9, besides pinning bandit/flake8-bandit to an older version?
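As an added example (not from this issue, bandit or flake8-bandit), here is how code that only needs a content fingerprint can pass the usedforsecurity flag that the quoted bandit comment refers to on Python 3.9+, while still running on older interpreters; the fingerprint helper and HAS_USEDFORSECURITY constant are names chosen for this illustration.

```python
"""Portable wrapper around hashlib's usedforsecurity keyword (added example)."""
import hashlib
import sys

# hashlib.md5() and friends accept usedforsecurity= only from Python 3.9 on;
# on 3.8 and earlier the constructor rejects the keyword with TypeError, so
# the choice has to be made on the interpreter version rather than per call.
HAS_USEDFORSECURITY = sys.version_info >= (3, 9)


def fingerprint(data: bytes, algorithm: str = "md5") -> str:
    """Return a hex digest for a NON-security purpose (cache key, dedup).

    MD5/SHA-1 are acceptable for fingerprints where nobody gains from forcing
    a collision; they must not be used for passwords, signatures or integrity
    checks of hostile input, which is what bandit's S303/S324 warn about.
    """
    if algorithm not in hashlib.algorithms_guaranteed:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    constructor = getattr(hashlib, algorithm)  # same call shape as hashlib.md5()
    if HAS_USEDFORSECURITY:
        # Python >= 3.9: record the intent for hashlib (and for bandit's S324).
        h = constructor(usedforsecurity=False)
    else:
        # Python < 3.9: the keyword does not exist, so bandit reports S303 here;
        # the docstring above documents why this particular use is acceptable.
        h = constructor()  # nosec
    h.update(data)
    return h.hexdigest()


def main() -> None:
    print("usedforsecurity available:", HAS_USEDFORSECURITY)
    print(fingerprint(b"hello"))          # 5d41402abc4b2a76b9719d911017c592
    print(fingerprint(b"hello", "sha1"))  # aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d


if __name__ == "__main__":
    main()
```

Running bandit over this file on 3.8 and 3.9 still produces different codes for the fallback branch, which is the behaviour the thread describes; the flag only changes what bandit sees on the 3.9+ path.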