Merge branch 'main' into suggest_fix

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -44,7 +44,8 @@ body:
       label: Bandit version
       description: Run "bandit --version" if unsure of version number
       options:
-        - 1.7.9 (Default)
+        - 1.7.10 (Default)
+        - 1.7.9
         - 1.7.8
         - 1.7.7
         - 1.7.6
@@ -63,11 +64,11 @@ body:
       label: Python version
       description: Run "bandit --version" if unsure of version number
       options:
-        - "3.12 (Default)"
+        - "3.13 (Default)"
+        - "3.12"
         - "3.11"
         - "3.10"
         - "3.9"
-        - "3.8"
     validations:
       required: true
 

.github/workflows/build-publish-image.yml

@@ -31,7 +31,7 @@ jobs:
         ref: ${{ github.event_name == 'release' && github.ref || env.RELEASE_TAG }}
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3
+      uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3
 
     - name: Log in to GitHub Container Registry
       uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
@@ -41,7 +41,7 @@ jobs:
         password: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Install Cosign
-      uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+      uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
       with:
         cosign-release: 'v2.2.2'
 

.github/workflows/publish-to-pypi.yml

@@ -13,10 +13,10 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - name: Set up Python 3.8
+    - name: Set up Python 3.9
       uses: actions/setup-python@v5
       with:
-        python-version: 3.8
+        python-version: 3.9
 
     - name: Install dependencies
       run: pip install wheel

.github/workflows/publish-to-test-pypi.yml

@@ -13,10 +13,10 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - name: Set up Python 3.8
+    - name: Set up Python 3.9
       uses: actions/setup-python@v5
       with:
-        python-version: 3.8
+        python-version: 3.9
 
     - name: Install dependencies
       run: pip install wheel

.github/workflows/pythonpackage.yml

@@ -7,7 +7,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.9]
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
@@ -26,7 +26,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.9]
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
@@ -47,7 +47,6 @@ jobs:
     strategy:
       matrix:
         python-version: [
-          ["3.8", "38"],
           ["3.9", "39"],
           ["3.10", "310"],
           ["3.11", "311"],

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 exclude: ^(examples|tools|doc)
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.6.0
+  rev: v5.0.0
   hooks:
   - id: check-yaml
   - id: debug-statements
@@ -13,12 +13,12 @@ repos:
   - id: reorder-python-imports
     args: [--application-directories, '.:src', --py38-plus]
 - repo: https://github.com/psf/black-pre-commit-mirror
-  rev: 24.4.2
+  rev: 24.10.0
   hooks:
   - id: black
     args: [--line-length=79, --target-version=py38]
 - repo: https://github.com/asottile/pyupgrade
-  rev: v3.16.0
+  rev: v3.17.0
   hooks:
   - id: pyupgrade
     args: [--py38-plus]

.readthedocs.yaml

@@ -3,7 +3,7 @@ version: 2
 build:
   os: ubuntu-22.04
   tools:
-    python: "3.8"
+    python: "3.9"
 
 sphinx:
   configuration: doc/source/conf.py

bandit/blacklists/calls.py

@@ -96,6 +96,12 @@
 |      |                     |   .ciphers.algorithms.Blowfish     |           |
 |      |                     | - cryptography.hazmat.primitives   |           |
 |      |                     |   .ciphers.algorithms.IDEA         |           |
+|      |                     | - cryptography.hazmat.primitives   |           |
+|      |                     |   .ciphers.algorithms.CAST5        |           |
+|      |                     | - cryptography.hazmat.primitives   |           |
+|      |                     |   .ciphers.algorithms.SEED         |           |
+|      |                     | - cryptography.hazmat.primitives   |           |
+|      |                     |   .ciphers.algorithms.TripleDES    |           |
 +------+---------------------+------------------------------------+-----------+
 | B305 | cipher_modes        | - cryptography.hazmat.primitives   | Medium    |
 |      |                     |   .ciphers.modes.ECB               |           |
@@ -321,8 +327,6 @@
 +------+---------------------+------------------------------------+-----------+
 
 """
-import sys
-
 from bandit.blacklists import utils
 from bandit.core import issue
 
@@ -373,52 +377,26 @@ def gen_blacklist():
         )
     )
 
-    if sys.version_info >= (3, 9):
-        sets.append(
-            utils.build_conf_dict(
-                "md5",
-                "B303",
-                issue.Cwe.BROKEN_CRYPTO,
-                [
-                    "Crypto.Hash.MD2.new",
-                    "Crypto.Hash.MD4.new",
-                    "Crypto.Hash.MD5.new",
-                    "Crypto.Hash.SHA.new",
-                    "Cryptodome.Hash.MD2.new",
-                    "Cryptodome.Hash.MD4.new",
-                    "Cryptodome.Hash.MD5.new",
-                    "Cryptodome.Hash.SHA.new",
-                    "cryptography.hazmat.primitives.hashes.MD5",
-                    "cryptography.hazmat.primitives.hashes.SHA1",
-                ],
-                "Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
-            )
-        )
-    else:
-        sets.append(
-            utils.build_conf_dict(
-                "md5",
-                "B303",
-                issue.Cwe.BROKEN_CRYPTO,
-                [
-                    "hashlib.md4",
-                    "hashlib.md5",
-                    "hashlib.sha",
-                    "hashlib.sha1",
-                    "Crypto.Hash.MD2.new",
-                    "Crypto.Hash.MD4.new",
-                    "Crypto.Hash.MD5.new",
-                    "Crypto.Hash.SHA.new",
-                    "Cryptodome.Hash.MD2.new",
-                    "Cryptodome.Hash.MD4.new",
-                    "Cryptodome.Hash.MD5.new",
-                    "Cryptodome.Hash.SHA.new",
-                    "cryptography.hazmat.primitives.hashes.MD5",
-                    "cryptography.hazmat.primitives.hashes.SHA1",
-                ],
-                "Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
-            )
+    sets.append(
+        utils.build_conf_dict(
+            "md5",
+            "B303",
+            issue.Cwe.BROKEN_CRYPTO,
+            [
+                "Crypto.Hash.MD2.new",
+                "Crypto.Hash.MD4.new",
+                "Crypto.Hash.MD5.new",
+                "Crypto.Hash.SHA.new",
+                "Cryptodome.Hash.MD2.new",
+                "Cryptodome.Hash.MD4.new",
+                "Cryptodome.Hash.MD5.new",
+                "Cryptodome.Hash.SHA.new",
+                "cryptography.hazmat.primitives.hashes.MD5",
+                "cryptography.hazmat.primitives.hashes.SHA1",
+            ],
+            "Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
         )
+    )
 
     sets.append(
         utils.build_conf_dict(
@@ -438,7 +416,10 @@ def gen_blacklist():
                 "Cryptodome.Cipher.XOR.new",
                 "cryptography.hazmat.primitives.ciphers.algorithms.ARC4",
                 "cryptography.hazmat.primitives.ciphers.algorithms.Blowfish",
+                "cryptography.hazmat.primitives.ciphers.algorithms.CAST5",
                 "cryptography.hazmat.primitives.ciphers.algorithms.IDEA",
+                "cryptography.hazmat.primitives.ciphers.algorithms.SEED",
+                "cryptography.hazmat.primitives.ciphers.algorithms.TripleDES",
             ],
             "Use of insecure cipher {name}. Replace with a known secure"
             " cipher such as AES.",

bandit/plugins/hashlib_insecure_functions.py

@@ -49,7 +49,6 @@
 
 """  # noqa: E501
 import ast
-import sys
 
 import bandit
 from bandit.core import issue
@@ -101,24 +100,6 @@ def _hashlib_func(context, func):
                 )
 
 
-def _hashlib_new(context, func):
-    if func == "new":
-        args = context.call_args
-        keywords = context.call_keywords
-        name = args[0] if args else keywords.get("name", None)
-        if len(context.node.args):
-            context.node.args[0].value = "sha224"
-        if isinstance(name, str) and name.lower() in WEAK_HASHES:
-            return bandit.Issue(
-                severity=bandit.MEDIUM,
-                confidence=bandit.HIGH,
-                cwe=issue.Cwe.BROKEN_CRYPTO,
-                text=f"Use of insecure {name.upper()} hash function.",
-                lineno=context.node.lineno,
-                fix=context.unparse(context.node),
-            )
-
-
 def _crypt_crypt(context, func):
     args = context.call_args
     keywords = context.call_keywords
@@ -153,10 +134,7 @@ def hashlib(context):
         func = qualname_list[-1]
 
         if "hashlib" in qualname_list:
-            if sys.version_info >= (3, 9):
-                return _hashlib_func(context, func)
-            else:
-                return _hashlib_new(context, func)
+            return _hashlib_func(context, func)
 
         elif "crypt" in qualname_list and func in ("crypt", "mksalt"):
             return _crypt_crypt(context, func)

doc/source/faq.rst

@@ -5,10 +5,10 @@ Under Which Version of Python Should I Install Bandit?
 ------------------------------------------------------
 
 The answer to this question depends on the project(s) you will be running
-Bandit against. If your project is only compatible with Python 3.8, you
-should install Bandit to run under Python 3.8. If your project is only
-compatible with Python 3.9, then use 3.9 respectively. If your project supports
-both, you *could* run Bandit with both versions but you don't have to.
+Bandit against. If your project is only compatible with Python 3.9, you
+should install Bandit to run under Python 3.9. If your project is only
+compatible with Python 3.10, then use 3.10 respectively. If your project
+supports both, you *could* run Bandit with both versions but you don't have to.
 
 Bandit uses the `ast` module from Python's standard library in order to
 analyze your Python code. The `ast` module is only able to parse Python code

examples/ciphers.py

@@ -71,6 +71,18 @@
 encryptor = cipher.encryptor()
 ct = encryptor.update(b"a secret message")
 
+cipher = Cipher(algorithms.CAST5(key), mode=None, backend=default_backend())
+encryptor = cipher.encryptor()
+ct = encryptor.update(b"a secret message")
+
 cipher = Cipher(algorithms.IDEA(key), mode=None, backend=default_backend())
 encryptor = cipher.encryptor()
 ct = encryptor.update(b"a secret message")
+
+cipher = Cipher(algorithms.SEED(key), mode=None, backend=default_backend())
+encryptor = cipher.encryptor()
+ct = encryptor.update(b"a secret message")
+
+cipher = Cipher(algorithms.TripleDES(key), mode=None, backend=default_backend())
+encryptor = cipher.encryptor()
+ct = encryptor.update(b"a secret message")

setup.cfg

@@ -18,7 +18,6 @@ classifier =
     Operating System :: MacOS :: MacOS X
     Programming Language :: Python
     Programming Language :: Python :: 3
-    Programming Language :: Python :: 3.8
     Programming Language :: Python :: 3.9
     Programming Language :: Python :: 3.10
     Programming Language :: Python :: 3.11

setup.py

@@ -4,5 +4,5 @@
 import setuptools
 
 setuptools.setup(
-    python_requires=">=3.8", setup_requires=["pbr>=2.0.0"], pbr=True
+    python_requires=">=3.9", setup_requires=["pbr>=2.0.0"], pbr=True
 )