2074383 – [CI Bug] pep8 python3.9 job fails while running bandit with Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for security

Bug 2074383 - [CI Bug] pep8 python3.9 job fails while running bandit with Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for security

Summary: [CI Bug] pep8 python3.9 job fails while running bandit with Issue: [B324:hash...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-neutron
Sub Component:
Version:	17.0 (Wallaby)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	ga
Target Release:	17.0
Assignee:	Yatin Karel
QA Contact:	Fiorella Yanac
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-04-12 06:36 UTC by Yatin Karel
Modified:	2022-09-21 12:21 UTC (History)
CC List:	3 users (show)
Fixed In Version:	openstack-neutron-18.3.1-0.20220501162703.9b2d684.el9ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-09-21 12:20:36 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	837672	None	MERGED	Also add B324 to bandit skip list for python3.9+	2022-04-20 05:38:51 UTC
Red Hat Issue Tracker	OSP-14630	None	None	None	2022-04-12 06:39:58 UTC
Red Hat Product Errata	RHEA-2022:6543	None	None	None	2022-09-21 12:21:18 UTC

Description Yatin Karel 2022-04-12 06:36:18 UTC

Description of problem:
bandit with python3.9 fails as below:-

Test results:
>> Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False
   Severity: High   Confidence: High
   CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
   Location: neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py:2376:23
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b324_hashlib.html
2374	            else:
2375	                # Create 32-bit Base32 encoded hash
2376	                sha1 = hashlib.sha1(ip_address.encode())
2377	                iphash = base64.b32encode(sha1.digest())
2378	                return iphash[:hashlen].decode().lower()

Was detected in a pep8(rhel9 + python 3.9) CI job running on neutron osp17 repo.


How reproducible:
Always with python3.9.

Steps to Reproduce:
1. On a CentOS 9-Stream or RHEL9 node run tox -ebandit or tox -epep8 in neutron repo
2. Should be reproducible on any other distro as well with python3.9.

Actual results:
bandit fails with above error

Expected results:
bandit should pass


Additional Info:-
Neutron already have skipped B303[1] for sha1 usage, but for python3.9 need to also skip B324.
Currently the jobs are non-voting[2] due to this bug.

[1] https://review.opendev.org/c/openstack/neutron/+/592884
[2] https://github.com/rhos-infra/znoyder/pull/42

Comment 2 Yatin Karel 2022-05-02 06:32:54 UTC

pep8 jobs are green after the commit got imported in rhos-17.0-trunk-patches.

Comment 9 errata-xmlrpc 2022-09-21 12:20:36 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

Note You need to log in before you can comment on or make changes to this bug.