

Removal of Python 3.8 support
As of October 1st, 2024, Python 3.8 becomes end-of-life. As such
Bandit should also no longer support the version.

This commit bumps the minimum supported version to Python 3.9
and removes any legacy 3.8-specific code.

This is a breaking change for those still using Python 3.8 and
so the minor version will be bumped to 1.8.x for it.

Closes #1173

Signed-off-by: Eric Brown <[email protected]>
ericwb committed Oct 7, 2024
1 parent 36fd650 commit ea7beb4
Showing 12 changed files with 45 additions and 164 deletions.
1 change: 0 additions & 1 deletion .github/ISSUE_TEMPLATE/bug-report.yml
@@ -67,7 +67,6 @@ body:
- "3.11"
- "3.10"
- "3.9"
- "3.8"
validations:
required: true

4 changes: 2 additions & 2 deletions .github/workflows/publish-to-pypi.yml
@@ -13,10 +13,10 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python 3.8
- name: Set up Python 3.9
uses: actions/setup-python@v5
with:
python-version: 3.8
python-version: 3.9

- name: Install dependencies
run: pip install wheel
4 changes: 2 additions & 2 deletions .github/workflows/publish-to-test-pypi.yml
@@ -13,10 +13,10 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python 3.8
- name: Set up Python 3.9
uses: actions/setup-python@v5
with:
python-version: 3.8
python-version: 3.9

- name: Install dependencies
run: pip install wheel
5 changes: 2 additions & 3 deletions .github/workflows/pythonpackage.yml
@@ -7,7 +7,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [3.8]
python-version: [3.9]
steps:
- name: Checkout repository
uses: actions/checkout@v4
@@ -26,7 +26,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [3.8]
python-version: [3.9]
steps:
- name: Checkout repository
uses: actions/checkout@v4
@@ -47,7 +47,6 @@ jobs:
strategy:
matrix:
python-version: [
["3.8", "38"],
["3.9", "39"],
["3.10", "310"],
["3.11", "311"],
2 changes: 1 addition & 1 deletion .readthedocs.yaml
@@ -3,7 +3,7 @@ version: 2
build:
os: ubuntu-22.04
tools:
python: "3.8"
python: "3.9"

sphinx:
configuration: doc/source/conf.py
66 changes: 19 additions & 47 deletions bandit/blacklists/calls.py
@@ -321,8 +321,6 @@
+------+---------------------+------------------------------------+-----------+
"""
import sys

from bandit.blacklists import utils
from bandit.core import issue

@@ -373,52 +371,26 @@ def gen_blacklist():
)
)

if sys.version_info >= (3, 9):
sets.append(
utils.build_conf_dict(
"md5",
"B303",
issue.Cwe.BROKEN_CRYPTO,
[
"Crypto.Hash.MD2.new",
"Crypto.Hash.MD4.new",
"Crypto.Hash.MD5.new",
"Crypto.Hash.SHA.new",
"Cryptodome.Hash.MD2.new",
"Cryptodome.Hash.MD4.new",
"Cryptodome.Hash.MD5.new",
"Cryptodome.Hash.SHA.new",
"cryptography.hazmat.primitives.hashes.MD5",
"cryptography.hazmat.primitives.hashes.SHA1",
],
"Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
)
)
else:
sets.append(
utils.build_conf_dict(
"md5",
"B303",
issue.Cwe.BROKEN_CRYPTO,
[
"hashlib.md4",
"hashlib.md5",
"hashlib.sha",
"hashlib.sha1",
"Crypto.Hash.MD2.new",
"Crypto.Hash.MD4.new",
"Crypto.Hash.MD5.new",
"Crypto.Hash.SHA.new",
"Cryptodome.Hash.MD2.new",
"Cryptodome.Hash.MD4.new",
"Cryptodome.Hash.MD5.new",
"Cryptodome.Hash.SHA.new",
"cryptography.hazmat.primitives.hashes.MD5",
"cryptography.hazmat.primitives.hashes.SHA1",
],
"Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
)
sets.append(
utils.build_conf_dict(
"md5",
"B303",
issue.Cwe.BROKEN_CRYPTO,
[
"Crypto.Hash.MD2.new",
"Crypto.Hash.MD4.new",
"Crypto.Hash.MD5.new",
"Crypto.Hash.SHA.new",
"Cryptodome.Hash.MD2.new",
"Cryptodome.Hash.MD4.new",
"Cryptodome.Hash.MD5.new",
"Cryptodome.Hash.SHA.new",
"cryptography.hazmat.primitives.hashes.MD5",
"cryptography.hazmat.primitives.hashes.SHA1",
],
"Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
)
)

sets.append(
utils.build_conf_dict(
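Review bot: The B303 entry now silently stops blacklisting `hashlib.md4`, `hashlib.md5`, `hashlib.sha` and `hashlib.sha1`, which only the deleted 3.8 branch listed, and nothing in the new code records why; a comment above this `sets.append(` such as `# hashlib.* weak hashes are reported by the hashlib plugin (bandit/plugins/hashlib_insecure_functions.py); only third-party hash APIs are blacklisted here.` would stop a future reader from re-adding them. The module docstring table that ends just above the first hunk should be checked for a B303 row that still lists those `hashlib` names, and trimmed if so. The first hunk also drops `import sys`; that is only safe if no other `sys` reference remains in the module, which this view cannot confirm. `gen_blacklist` starts before and continues past this hunk.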
22 changes: 1 addition & 21 deletions bandit/plugins/hashlib_insecure_functions.py
@@ -48,8 +48,6 @@
Added check for the crypt module weak hashes
""" # noqa: E501
import sys

import bandit
from bandit.core import issue
from bandit.core import test_properties as test
@@ -86,21 +84,6 @@ def _hashlib_func(context, func):
)


def _hashlib_new(context, func):
if func == "new":
args = context.call_args
keywords = context.call_keywords
name = args[0] if args else keywords.get("name", None)
if isinstance(name, str) and name.lower() in WEAK_HASHES:
return bandit.Issue(
severity=bandit.MEDIUM,
confidence=bandit.HIGH,
cwe=issue.Cwe.BROKEN_CRYPTO,
text=f"Use of insecure {name.upper()} hash function.",
lineno=context.node.lineno,
)


def _crypt_crypt(context, func):
args = context.call_args
keywords = context.call_keywords
@@ -135,10 +118,7 @@ def hashlib(context):
func = qualname_list[-1]

if "hashlib" in qualname_list:
if sys.version_info >= (3, 9):
return _hashlib_func(context, func)
else:
return _hashlib_new(context, func)
return _hashlib_func(context, func)

elif "crypt" in qualname_list and func in ("crypt", "mksalt"):
return _crypt_crypt(context, func)
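Review bot: Deleting `_hashlib_new` removes the path that reported `hashlib.new("md5")`-style calls at MEDIUM severity by inspecting the name argument, leaving `_hashlib_func` (defined above this hunk; only its signature and closing line are visible here) as the sole handler on every supported interpreter. That is the intent of the commit, but the plugin's module docstring carries a version history (the `Added check for the crypt module weak hashes` entry in the first hunk), and a matching `.. versionchanged::` entry for the 1.8 release, stating that the Python 3.8 `hashlib.new` fallback was removed, would keep that history accurate. As in calls.py, `import sys` is dropped in the first hunk, which is only safe if no other `sys` use remains in the module. `hashlib` begins outside this hunk.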
8 changes: 4 additions & 4 deletions doc/source/faq.rst
@@ -5,10 +5,10 @@ Under Which Version of Python Should I Install Bandit?
------------------------------------------------------

The answer to this question depends on the project(s) you will be running
Bandit against. If your project is only compatible with Python 3.8, you
should install Bandit to run under Python 3.8. If your project is only
compatible with Python 3.9, then use 3.9 respectively. If your project supports
both, you *could* run Bandit with both versions but you don't have to.
Bandit against. If your project is only compatible with Python 3.9, you
should install Bandit to run under Python 3.9. If your project is only
compatible with Python 3.10, then use 3.10 respectively. If your project
supports both, you *could* run Bandit with both versions but you don't have to.

Bandit uses the `ast` module from Python's standard library in order to
analyze your Python code. The `ast` module is only able to parse Python code
1 change: 0 additions & 1 deletion setup.cfg
@@ -18,7 +18,6 @@ classifier =
Operating System :: MacOS :: MacOS X
Programming Language :: Python
Programming Language :: Python :: 3
Programming Language :: Python :: 3.8
Programming Language :: Python :: 3.9
Programming Language :: Python :: 3.10
Programming Language :: Python :: 3.11
2 changes: 1 addition & 1 deletion setup.py
@@ -4,5 +4,5 @@
import setuptools

setuptools.setup(
python_requires=">=3.8", setup_requires=["pbr>=2.0.0"], pbr=True
python_requires=">=3.9", setup_requires=["pbr>=2.0.0"], pbr=True
)
92 changes: 12 additions & 80 deletions tests/functional/test_functional.py
@@ -107,36 +107,10 @@ def test_binding(self):

def test_crypto_md5(self):
"""Test the `hashlib.md5` example."""
if sys.version_info >= (3, 9):
expect = {
"SEVERITY": {
"UNDEFINED": 0,
"LOW": 0,
"MEDIUM": 16,
"HIGH": 9,
},
"CONFIDENCE": {
"UNDEFINED": 0,
"LOW": 0,
"MEDIUM": 0,
"HIGH": 25,
},
}
else:
expect = {
"SEVERITY": {
"UNDEFINED": 0,
"LOW": 0,
"MEDIUM": 22,
"HIGH": 4,
},
"CONFIDENCE": {
"UNDEFINED": 0,
"LOW": 0,
"MEDIUM": 0,
"HIGH": 26,
},
}
expect = {
"SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 16, "HIGH": 9},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 25},
}
self.check_example("crypto-md5.py", expect)

def test_ciphers(self):
@@ -197,26 +171,10 @@ def test_hardcoded_tmp(self):

def test_imports_aliases(self):
"""Test the `import X as Y` syntax."""
if sys.version_info >= (3, 9):
expect = {
"SEVERITY": {"UNDEFINED": 0, "LOW": 4, "MEDIUM": 1, "HIGH": 4},
"CONFIDENCE": {
"UNDEFINED": 0,
"LOW": 0,
"MEDIUM": 0,
"HIGH": 9,
},
}
else:
expect = {
"SEVERITY": {"UNDEFINED": 0, "LOW": 4, "MEDIUM": 5, "HIGH": 0},
"CONFIDENCE": {
"UNDEFINED": 0,
"LOW": 0,
"MEDIUM": 0,
"HIGH": 9,
},
}
expect = {
"SEVERITY": {"UNDEFINED": 0, "LOW": 4, "MEDIUM": 1, "HIGH": 4},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 9},
}
self.check_example("imports-aliases.py", expect)

def test_imports_from(self):
@@ -855,36 +813,10 @@ def test_unverified_context(self):

def test_hashlib_new_insecure_functions(self):
"""Test insecure hash functions created by `hashlib.new`."""
if sys.version_info >= (3, 9):
expect = {
"SEVERITY": {
"UNDEFINED": 0,
"LOW": 0,
"MEDIUM": 0,
"HIGH": 9,
},
"CONFIDENCE": {
"UNDEFINED": 0,
"LOW": 0,
"MEDIUM": 0,
"HIGH": 9,
},
}
else:
expect = {
"SEVERITY": {
"UNDEFINED": 0,
"LOW": 0,
"MEDIUM": 10,
"HIGH": 0,
},
"CONFIDENCE": {
"UNDEFINED": 0,
"LOW": 0,
"MEDIUM": 0,
"HIGH": 10,
},
}
expect = {
"SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 9},
"CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 9},
}
self.check_example("hashlib_new_insecure_functions.py", expect)

def test_blacklist_pycrypto(self):
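Review bot: With the `sys.version_info` guards gone from `test_crypto_md5`, `test_imports_aliases` and `test_hashlib_new_insecure_functions`, `import sys` in this module may now be unused; the hunks start at line 107 so the import block is not visible, but unlike calls.py and the hashlib plugin this commit does not remove it, and the pep8 tox environment would likely flag it as an unused import (F401). The retained expectations are the former 3.9+ values (for example MEDIUM 16 / HIGH 9 for `crypto-md5.py`), which is consistent with the blacklist and plugin changes in this commit. The enclosing test class starts outside these hunks.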
2 changes: 1 addition & 1 deletion tox.ini
@@ -1,6 +1,6 @@
[tox]
minversion = 3.2.0
envlist = py38,pep8
envlist = py39,pep8

[testenv]
usedevelop = True

