diff --git a/ai/csharp/detect-openai.yaml b/ai/csharp/detect-openai.yaml index 5339b68a50..aef358162e 100644 --- a/ai/csharp/detect-openai.yaml +++ b/ai/csharp/detect-openai.yaml @@ -10,7 +10,7 @@ rules: - pattern: (ChatClient $CLIENT).$FUNC(...) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/dart/detect-gemini.yaml b/ai/dart/detect-gemini.yaml index c61445882a..2a434e4d49 100644 --- a/ai/dart/detect-gemini.yaml +++ b/ai/dart/detect-gemini.yaml @@ -9,7 +9,7 @@ rules: - pattern: final $MODEL = GenerativeModel(...); metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/generic/detect-generic-ai-anthprop.yaml b/ai/generic/detect-generic-ai-anthprop.yaml index 3ea9528338..1debd96d13 100644 --- a/ai/generic/detect-generic-ai-anthprop.yaml +++ b/ai/generic/detect-generic-ai-anthprop.yaml @@ -10,7 +10,7 @@ rules: - pattern: claude metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/generic/detect-generic-ai-api.yaml b/ai/generic/detect-generic-ai-api.yaml index 950a917ba0..bdee3f2c23 100644 --- a/ai/generic/detect-generic-ai-api.yaml +++ b/ai/generic/detect-generic-ai-api.yaml @@ -9,7 +9,7 @@ rules: - pattern: api.openai.com metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/generic/detect-generic-ai-gem.yaml b/ai/generic/detect-generic-ai-gem.yaml index eb27dcf2fc..e3d078d3b0 100644 --- a/ai/generic/detect-generic-ai-gem.yaml +++ b/ai/generic/detect-generic-ai-gem.yaml @@ -9,7 +9,7 @@ rules: - pattern: GoogleGenerativeAI metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/generic/detect-generic-ai-oai.yaml b/ai/generic/detect-generic-ai-oai.yaml index 52fe2cb823..cb62083452 100644 --- a/ai/generic/detect-generic-ai-oai.yaml +++ b/ai/generic/detect-generic-ai-oai.yaml @@ -9,7 +9,7 @@ rules: - pattern: OpenAI metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/go/detect-gemini.yaml b/ai/go/detect-gemini.yaml index ef757aea0c..99f440741b 100644 --- a/ai/go/detect-gemini.yaml +++ b/ai/go/detect-gemini.yaml @@ -9,7 +9,7 @@ rules: - pattern: genai.NewClient(...) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/go/detect-openai.yaml b/ai/go/detect-openai.yaml index 7460a2e3c0..655926ed82 100644 --- a/ai/go/detect-openai.yaml +++ b/ai/go/detect-openai.yaml @@ -9,7 +9,7 @@ rules: - pattern: gogpt.NewClient(...) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/kotlin/detect-gemini.yaml b/ai/kotlin/detect-gemini.yaml index cb0b1fd964..02526a7f2b 100644 --- a/ai/kotlin/detect-gemini.yaml +++ b/ai/kotlin/detect-gemini.yaml @@ -9,7 +9,7 @@ rules: - pattern: GenerativeModel(...) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/python/detect-anthropic.yaml b/ai/python/detect-anthropic.yaml index de42425dca..013110e5d9 100644 --- a/ai/python/detect-anthropic.yaml +++ b/ai/python/detect-anthropic.yaml @@ -12,7 +12,7 @@ rules: - pattern: $CLIENT.messages.$FUNC(...,model=...,...) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/python/detect-gemini.yaml b/ai/python/detect-gemini.yaml index 585a1df677..1e8e9670b8 100644 --- a/ai/python/detect-gemini.yaml +++ b/ai/python/detect-gemini.yaml @@ -8,7 +8,7 @@ rules: - pattern: import google.generativeai metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/python/detect-huggingface.yaml b/ai/python/detect-huggingface.yaml index b4ab130c7c..37b352662e 100644 --- a/ai/python/detect-huggingface.yaml +++ b/ai/python/detect-huggingface.yaml @@ -8,7 +8,7 @@ rules: - pattern: import huggingface_hub metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/python/detect-langchain.yaml b/ai/python/detect-langchain.yaml index 16f379fdf5..283ad8e761 100644 --- a/ai/python/detect-langchain.yaml +++ b/ai/python/detect-langchain.yaml @@ -17,7 +17,7 @@ rules: - pattern: import langchain metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/python/detect-mistral.yaml b/ai/python/detect-mistral.yaml index 7490843413..1ac2d56ab5 100644 --- a/ai/python/detect-mistral.yaml +++ b/ai/python/detect-mistral.yaml @@ -10,7 +10,7 @@ rules: - pattern: $CLIENT.chat(...,model=...,...) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/python/detect-openai.yaml b/ai/python/detect-openai.yaml index 132012f571..4ff24d429e 100644 --- a/ai/python/detect-openai.yaml +++ b/ai/python/detect-openai.yaml @@ -11,7 +11,7 @@ rules: - pattern: $CLIENT.chat.completions.$FUNC(...) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/python/detect-pytorch.yaml b/ai/python/detect-pytorch.yaml index d2a185109f..2944f1163e 100644 --- a/ai/python/detect-pytorch.yaml +++ b/ai/python/detect-pytorch.yaml @@ -9,7 +9,7 @@ rules: - pattern: torch.$FUNC(...) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/python/detect-tensorflow.yaml b/ai/python/detect-tensorflow.yaml index 580b321c64..bc2a1bcffd 100644 --- a/ai/python/detect-tensorflow.yaml +++ b/ai/python/detect-tensorflow.yaml @@ -8,7 +8,7 @@ rules: - pattern: import tensorflow metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/swift/detect-apple-core-ml.yaml b/ai/swift/detect-apple-core-ml.yaml index abed2c89ef..491017f8dc 100644 --- a/ai/swift/detect-apple-core-ml.yaml +++ b/ai/swift/detect-apple-core-ml.yaml @@ -9,7 +9,7 @@ rules: - pattern: MLModelConfiguration(...) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/swift/detect-gemini.yaml b/ai/swift/detect-gemini.yaml index ac92fa94d0..42e5d028a2 100644 --- a/ai/swift/detect-gemini.yaml +++ b/ai/swift/detect-gemini.yaml @@ -9,7 +9,7 @@ rules: - pattern: GenerativeModel(...) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/typescript/detect-anthropic.yaml b/ai/typescript/detect-anthropic.yaml index 153c72ed8e..2ca88759aa 100644 --- a/ai/typescript/detect-anthropic.yaml +++ b/ai/typescript/detect-anthropic.yaml @@ -12,7 +12,7 @@ rules: - pattern: anthropic.messages.$FUNC(...) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/typescript/detect-gemini.yaml b/ai/typescript/detect-gemini.yaml index 904149ba8f..6c8b3ccae6 100644 --- a/ai/typescript/detect-gemini.yaml +++ b/ai/typescript/detect-gemini.yaml @@ -12,7 +12,7 @@ rules: - pattern: $GENAI.getGenerativeModel(...) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/typescript/detect-mistral.yaml b/ai/typescript/detect-mistral.yaml index c804667520..c26e77adb8 100644 --- a/ai/typescript/detect-mistral.yaml +++ b/ai/typescript/detect-mistral.yaml @@ -12,7 +12,7 @@ rules: $CLIENT.chat({model: ...}) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/typescript/detect-openai.yaml b/ai/typescript/detect-openai.yaml index f38ca1a4ee..6c27b98422 100644 --- a/ai/typescript/detect-openai.yaml +++ b/ai/typescript/detect-openai.yaml @@ -12,7 +12,7 @@ rules: - pattern: $CLIENT.chat.completions.$FUNC(...) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/typescript/detect-promptfoo.yaml b/ai/typescript/detect-promptfoo.yaml index b2f5afa8e9..bb3c6f844a 100644 --- a/ai/typescript/detect-promptfoo.yaml +++ b/ai/typescript/detect-promptfoo.yaml @@ -10,7 +10,7 @@ rules: - pattern: promptfoo.evaluate(...) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/ai/typescript/detect-vercel-ai.yaml b/ai/typescript/detect-vercel-ai.yaml index 14caf6258c..89d719541f 100644 --- a/ai/typescript/detect-vercel-ai.yaml +++ b/ai/typescript/detect-vercel-ai.yaml @@ -12,7 +12,7 @@ rules: - pattern: generateText({prompt:...}) metadata: references: - - http://semgrep.dev/blog/2024/detecting-shadow-ai + - https://semgrep.dev/blog/2024/detecting-shadow-ai category: maintainability technology: - genAI diff --git a/csharp/lang/security/sqli/csharp-sqli.cs b/csharp/lang/security/sqli/csharp-sqli.cs index 9a2173d758..30cfa3c8f9 100644 --- a/csharp/lang/security/sqli/csharp-sqli.cs +++ b/csharp/lang/security/sqli/csharp-sqli.cs @@ -135,17 +135,21 @@ public void sqli11(string sqli) } } - public void sqli12(string sqli) - { - using (SqlConnection connection = new SqlConnection("Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI;")) { - connection.Open(); - SqlCommand command= connection.CreateCommand(); - // ruleid: csharp-sqli - command.CommandText = sqli; - command.CommandTimeout = 15; - command.CommandType = CommandType.Text; - } - } + public void sqli2(string sqli) + { + using (SqlConnection connection = new SqlConnection("Data Source=(local);Initial Catalog=Northwind;Integrated Security=SSPI;")) { + connection.Open(); + SqlCommand command= connection.CreateCommand(); + // ruleid: csharp-sqli + command.CommandText = String.Format("SELECT c.name AS column_name,t.name AS type_name,c.max_length,c.precision,c.scale, CAST(CASE WHEN EXISTS(SELECT * FROM sys.index_columns AS i WHERE i.object_id=c.object_id AND i.column_id=c.column_id) THEN 1 ELSE 0 END AS BIT) AS column_indexed FROM sys.columns AS c JOIN sys.types AS t ON c.user_type_id=t.user_type_id WHERE c.object_id = OBJECT_ID('{0}') ORDER BY c.column_id;", sqli); + command.CommandTimeout = 15; + command.CommandType = CommandType.Text; + await using var connection = new SqlConnection(configuration.GetVaultConnectionString(sqli, "B", true)); + await using var command = connection.CreateCommand(); + // ok: csharp-sqli + command.CommandText = "SELECT 1;"; + } + } public void sqli13() { diff --git a/csharp/lang/security/sqli/csharp-sqli.yaml b/csharp/lang/security/sqli/csharp-sqli.yaml index f5ba09dcf0..8168024080 100644 --- a/csharp/lang/security/sqli/csharp-sqli.yaml +++ b/csharp/lang/security/sqli/csharp-sqli.yaml @@ -18,8 +18,10 @@ rules: - pattern: | new $PATTERN($CMD,...) - focus-metavariable: $CMD - - pattern: | - $CMD.$PATTERN = ...; + - patterns: + - pattern: | + $CMD.$PATTERN = $VALUE; + - focus-metavariable: $VALUE - metavariable-regex: metavariable: $PATTERN regex: ^(SqlCommand|CommandText|OleDbCommand|OdbcCommand|OracleCommand)$ diff --git a/python/pycryptodome/security/insecure-cipher-algorithm-blowfish.yaml b/python/pycryptodome/security/insecure-cipher-algorithm-blowfish.yaml index 15814e5f12..ca469bb89c 100644 --- a/python/pycryptodome/security/insecure-cipher-algorithm-blowfish.yaml +++ b/python/pycryptodome/security/insecure-cipher-algorithm-blowfish.yaml @@ -2,7 +2,9 @@ rules: - id: insecure-cipher-algorithm-blowfish message: >- Detected Blowfish cipher algorithm which is considered insecure. This algorithm - is not cryptographically secure and can be reversed easily. Use AES instead. + is not cryptographically secure and can be reversed easily. + Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. + When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84 cwe: @@ -13,6 +15,7 @@ rules: bandit-code: B304 references: - https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption + - https://www.pycryptodome.org/src/cipher/cipher category: security technology: - pycryptodome @@ -20,7 +23,12 @@ rules: - vuln likelihood: LOW impact: MEDIUM - confidence: MEDIUM + confidence: HIGH + functional-categories: + - crypto::search::symmetric-algorithm::pycryptodome + - crypto::search::symmetric-algorithm::pycryptodomex + options: + symbolic_propagation: true severity: WARNING languages: - python diff --git a/python/pycryptodome/security/insecure-cipher-algorithm-des.yaml b/python/pycryptodome/security/insecure-cipher-algorithm-des.yaml index 9982592e61..47e5c8c1d3 100644 --- a/python/pycryptodome/security/insecure-cipher-algorithm-des.yaml +++ b/python/pycryptodome/security/insecure-cipher-algorithm-des.yaml @@ -1,8 +1,10 @@ rules: - id: insecure-cipher-algorithm-des message: >- - Detected DES cipher algorithm which is considered insecure. This algorithm - is not cryptographically secure and can be reversed easily. Use AES instead. + Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm + is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. + Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. + When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84 cwe: @@ -13,6 +15,7 @@ rules: bandit-code: B304 references: - https://cwe.mitre.org/data/definitions/326.html + - https://www.pycryptodome.org/src/cipher/cipher category: security technology: - pycryptodome @@ -20,10 +23,17 @@ rules: - vuln likelihood: LOW impact: MEDIUM - confidence: MEDIUM + confidence: HIGH + functional-categories: + - crypto::search::symmetric-algorithm::pycryptodome + - crypto::search::symmetric-algorithm::pycryptodomex + options: + symbolic_propagation: true severity: WARNING languages: - python pattern-either: - pattern: Cryptodome.Cipher.DES.new(...) - pattern: Crypto.Cipher.DES.new(...) + - pattern: Cryptodome.Cipher.DES3.new(...) + - pattern: Crypto.Cipher.DES3.new(...) diff --git a/python/pycryptodome/security/insecure-cipher-algorithm-rc2.yaml b/python/pycryptodome/security/insecure-cipher-algorithm-rc2.yaml index a8ea8b2e38..1d44b94805 100644 --- a/python/pycryptodome/security/insecure-cipher-algorithm-rc2.yaml +++ b/python/pycryptodome/security/insecure-cipher-algorithm-rc2.yaml @@ -2,7 +2,9 @@ rules: - id: insecure-cipher-algorithm-rc2 message: >- Detected RC2 cipher algorithm which is considered insecure. This algorithm - is not cryptographically secure and can be reversed easily. Use AES instead. + is not cryptographically secure and can be reversed easily. + Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. + When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84 cwe: @@ -13,6 +15,7 @@ rules: bandit-code: B304 references: - https://cwe.mitre.org/data/definitions/326.html + - https://www.pycryptodome.org/src/cipher/cipher category: security technology: - pycryptodome @@ -20,7 +23,12 @@ rules: - vuln likelihood: LOW impact: MEDIUM - confidence: MEDIUM + confidence: HIGH + functional-categories: + - crypto::search::symmetric-algorithm::pycryptodome + - crypto::search::symmetric-algorithm::pycryptodomex + options: + symbolic_propagation: true severity: WARNING languages: - python diff --git a/python/pycryptodome/security/insecure-cipher-algorithm-rc4.yaml b/python/pycryptodome/security/insecure-cipher-algorithm-rc4.yaml index 9a56f41317..15696a01cf 100644 --- a/python/pycryptodome/security/insecure-cipher-algorithm-rc4.yaml +++ b/python/pycryptodome/security/insecure-cipher-algorithm-rc4.yaml @@ -2,7 +2,9 @@ rules: - id: insecure-cipher-algorithm-rc4 message: >- Detected ARC4 cipher algorithm which is considered insecure. This algorithm - is not cryptographically secure and can be reversed easily. Use AES instead. + is not cryptographically secure and can be reversed easily. + Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. + When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84 cwe: @@ -13,6 +15,7 @@ rules: bandit-code: B304 references: - https://cwe.mitre.org/data/definitions/326.html + - https://www.pycryptodome.org/src/cipher/cipher category: security technology: - pycryptodome @@ -20,7 +23,10 @@ rules: - vuln likelihood: LOW impact: MEDIUM - confidence: MEDIUM + confidence: HIGH + functional-categories: + - crypto::search::symmetric-algorithm::pycryptodome + - crypto::search::symmetric-algorithm::pycryptodomex severity: WARNING languages: - python diff --git a/python/pycryptodome/security/insecure-hash-algorithm-md2.yaml b/python/pycryptodome/security/insecure-hash-algorithm-md2.yaml index ac75ff069a..1b7ce5e433 100644 --- a/python/pycryptodome/security/insecure-hash-algorithm-md2.yaml +++ b/python/pycryptodome/security/insecure-hash-algorithm-md2.yaml @@ -3,7 +3,8 @@ rules: message: >- Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic - signature. Use SHA256 or SHA3 instead. + signature. + Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59 cwe: @@ -12,6 +13,7 @@ rules: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures references: + - https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability - http://2012.sharcs.org/slides/stevens.pdf @@ -23,7 +25,12 @@ rules: - vuln likelihood: LOW impact: MEDIUM - confidence: MEDIUM + confidence: HIGH + functional-categories: + - crypto::search::hash-algorithm::pycryptodome + - crypto::search::hash-algorithm::pycryptodomex + options: + symbolic_propagation: true severity: WARNING languages: - python diff --git a/python/pycryptodome/security/insecure-hash-algorithm-md4.yaml b/python/pycryptodome/security/insecure-hash-algorithm-md4.yaml index 469e9cb8ee..ac6066ff9f 100644 --- a/python/pycryptodome/security/insecure-hash-algorithm-md4.yaml +++ b/python/pycryptodome/security/insecure-hash-algorithm-md4.yaml @@ -3,7 +3,8 @@ rules: message: >- Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic - signature. Use SHA256 or SHA3 instead. + signature. + Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59 cwe: @@ -12,6 +13,7 @@ rules: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures references: + - https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability - http://2012.sharcs.org/slides/stevens.pdf @@ -23,7 +25,12 @@ rules: - vuln likelihood: LOW impact: MEDIUM - confidence: MEDIUM + confidence: HIGH + functional-categories: + - crypto::search::hash-algorithm::pycryptodome + - crypto::search::hash-algorithm::pycryptodomex + options: + symbolic_propagation: true severity: WARNING languages: - python diff --git a/python/pycryptodome/security/insecure-hash-algorithm-md5.yaml b/python/pycryptodome/security/insecure-hash-algorithm-md5.yaml index 02745cc9f3..b40715f924 100644 --- a/python/pycryptodome/security/insecure-hash-algorithm-md5.yaml +++ b/python/pycryptodome/security/insecure-hash-algorithm-md5.yaml @@ -3,7 +3,8 @@ rules: message: >- Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic - signature. Use SHA256 or SHA3 instead. + signature. + Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead. metadata: source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L59 cwe: @@ -12,6 +13,7 @@ rules: - A03:2017 - Sensitive Data Exposure - A02:2021 - Cryptographic Failures references: + - https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability - http://2012.sharcs.org/slides/stevens.pdf @@ -23,7 +25,12 @@ rules: - vuln likelihood: LOW impact: MEDIUM - confidence: MEDIUM + confidence: HIGH + functional-categories: + - crypto::search::hash-algorithm::pycryptodome + - crypto::search::hash-algorithm::pycryptodomex + options: + symbolic_propagation: true severity: WARNING languages: - python diff --git a/python/pycryptodome/security/insufficient-dsa-key-size.yaml b/python/pycryptodome/security/insufficient-dsa-key-size.yaml index e740d1ccaa..5624f80d82 100644 --- a/python/pycryptodome/security/insufficient-dsa-key-size.yaml +++ b/python/pycryptodome/security/insufficient-dsa-key-size.yaml @@ -1,14 +1,5 @@ rules: - id: insufficient-dsa-key-size - patterns: - - pattern-either: - - pattern: Crypto.PublicKey.DSA.generate(..., bits=$SIZE, ...) - - pattern: Crypto.PublicKey.DSA.generate($SIZE, ...) - - pattern: Cryptodome.PublicKey.DSA.generate(..., bits=$SIZE, ...) - - pattern: Cryptodome.PublicKey.DSA.generate($SIZE, ...) - - metavariable-comparison: - metavariable: $SIZE - comparison: $SIZE < 2048 message: >- Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher. @@ -20,7 +11,8 @@ rules: - A02:2021 - Cryptographic Failures source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py references: - - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf + - https://www.pycryptodome.org/src/public_key/dsa + - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf category: security technology: - pycryptodome @@ -28,6 +20,20 @@ rules: - vuln likelihood: LOW impact: MEDIUM - confidence: MEDIUM + confidence: HIGH + functional-categories: + - crypto::search::key-length::pycryptodome + - crypto::search::key-length::pycryptodomex + options: + symbolic_propagation: true languages: [python] severity: WARNING + patterns: + - pattern-either: + - pattern: Crypto.PublicKey.DSA.generate(..., bits=$SIZE, ...) + - pattern: Crypto.PublicKey.DSA.generate($SIZE, ...) + - pattern: Cryptodome.PublicKey.DSA.generate(..., bits=$SIZE, ...) + - pattern: Cryptodome.PublicKey.DSA.generate($SIZE, ...) + - metavariable-comparison: + metavariable: $SIZE + comparison: $SIZE < 2048 diff --git a/python/pycryptodome/security/insufficient-rsa-key-size.py b/python/pycryptodome/security/insufficient-rsa-key-size.py index 63ba35f974..01d2b389c7 100644 --- a/python/pycryptodome/security/insufficient-rsa-key-size.py +++ b/python/pycryptodome/security/insufficient-rsa-key-size.py @@ -4,11 +4,16 @@ from Crypto.PublicKey import RSA as pycrypto_rsa from Cryptodome.PublicKey import RSA as pycryptodomex_rsa -# ok:insufficient-rsa-key-size +# ruleid:insufficient-rsa-key-size pycrypto_rsa.generate(bits=2048) -# ok:insufficient-rsa-key-size +# ruleid:insufficient-rsa-key-size pycryptodomex_rsa.generate(bits=2048) +# ok:insufficient-rsa-key-size +pycrypto_rsa.generate(bits=3072) +# ok:insufficient-rsa-key-size +pycryptodomex_rsa.generate(bits=3072) + # ok:insufficient-rsa-key-size pycrypto_rsa.generate(4096) # ok:insufficient-rsa-key-size diff --git a/python/pycryptodome/security/insufficient-rsa-key-size.yaml b/python/pycryptodome/security/insufficient-rsa-key-size.yaml index a260569a9c..6649825afc 100644 --- a/python/pycryptodome/security/insufficient-rsa-key-size.yaml +++ b/python/pycryptodome/security/insufficient-rsa-key-size.yaml @@ -1,17 +1,8 @@ rules: - id: insufficient-rsa-key-size - patterns: - - pattern-either: - - pattern: Crypto.PublicKey.RSA.generate(..., bits=$SIZE, ...) - - pattern: Crypto.PublicKey.RSA.generate($SIZE, ...) - - pattern: Cryptodome.PublicKey.RSA.generate(..., bits=$SIZE, ...) - - pattern: Cryptodome.PublicKey.RSA.generate($SIZE, ...) - - metavariable-comparison: - metavariable: $SIZE - comparison: $SIZE < 2048 message: >- Detected an insufficient key size for RSA. NIST recommends - a key size of 2048 or higher. + a key size of 3072 or higher. metadata: cwe: - 'CWE-326: Inadequate Encryption Strength' @@ -20,7 +11,8 @@ rules: - A02:2021 - Cryptographic Failures source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py references: - - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf + - https://www.pycryptodome.org/src/public_key/rsa#rsa + - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf category: security technology: - pycryptodome @@ -28,6 +20,20 @@ rules: - vuln likelihood: LOW impact: MEDIUM - confidence: MEDIUM + confidence: HIGH + functional-categories: + - crypto::search::key-length::pycryptodome + - crypto::search::key-length::pycryptodomex + options: + symbolic_propagation: true languages: [python] severity: WARNING + patterns: + - pattern-either: + - pattern: Crypto.PublicKey.RSA.generate(..., bits=$SIZE, ...) + - pattern: Crypto.PublicKey.RSA.generate($SIZE, ...) + - pattern: Cryptodome.PublicKey.RSA.generate(..., bits=$SIZE, ...) + - pattern: Cryptodome.PublicKey.RSA.generate($SIZE, ...) + - metavariable-comparison: + metavariable: $SIZE + comparison: $SIZE < 3072