Bug 2074383

Summary: [CI Bug] pep8 python3.9 job fails while running bandit with Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for security
Product: Red Hat OpenStack Reporter: Yatin Karel <ykarel>
Component: openstack-neutronAssignee: Yatin Karel <ykarel>
Status: CLOSED ERRATA QA Contact: Fiorella Yanac <fyanac>
Severity: medium Docs Contact:
Priority: medium    
Version: 17.0 (Wallaby)CC: averdagu, chrisw, scohen
Target Milestone: gaKeywords: Triaged
Target Release: 17.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-neutron-18.3.1-0.20220501162703.9b2d684.el9ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-09-21 12:20:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yatin Karel 2022-04-12 06:36:18 UTC 
Description of problem:
bandit with python3.9 fails as below:-

Test results:
>> Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False
   Severity: High   Confidence: High
   CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
   Location: neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py:2376:23
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b324_hashlib.html
2374	            else:
2375	                # Create 32-bit Base32 encoded hash
2376	                sha1 = hashlib.sha1(ip_address.encode())
2377	                iphash = base64.b32encode(sha1.digest())
2378	                return iphash[:hashlen].decode().lower()

Was detected in a pep8(rhel9 + python 3.9) CI job running on neutron osp17 repo.


How reproducible:
Always with python3.9.

Steps to Reproduce:
1. On a CentOS 9-Stream or RHEL9 node run tox -ebandit or tox -epep8 in neutron repo
2. Should be reproducible on any other distro as well with python3.9.

Actual results:
bandit fails with above error

Expected results:
bandit should pass


Additional Info:-
Neutron already have skipped B303[1] for sha1 usage, but for python3.9 need to also skip B324.
Currently the jobs are non-voting[2] due to this bug.

[1] https://review.opendev.org/c/openstack/neutron/+/592884
[2] https://github.com/rhos-infra/znoyder/pull/42
Comment 2 Yatin Karel 2022-05-02 06:32:54 UTC 
pep8 jobs are green after the commit got imported in rhos-17.0-trunk-patches.
Comment 9 errata-xmlrpc 2022-09-21 12:20:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543