bandit
Bandit is not differentiating between pyCrypto and pyCryptodome import
Describe the bug
Bandit is blacklisting an import from pyCryptodome, thinking it is an import from pyCrypto.
blacklist: The pyCrypto library and its module AES are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library. Test ID: B413 Severity: HIGH Confidence: HIGH
More info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b413-import-pycrypto
To Reproduce
Steps to reproduce the behavior: Import AES from pyCryptodome as follows: from Crypto.Cipher import AES
Expected behavior
This import shouldn't have been blacklisted, as this is an import from a whitelisted library. https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b414-import-pycryptodome
Bandit version 1.6.2
I'm still finding the same bug almost two years later 😞 I'm using the following workaround:
bandit -r core/ -lll -s B413
I just have to manually confirm that pyCrypto is not installed on my project, which works but kinda defeats the purpose of using bandit in the first place.
The pyCryptodome library chose to reuse the same namespace as pyCrypto. As a result, I don't know of a way to distinguish the two using static analysis. Bandit is only examining the AST, not requirements/dependencies. But I'm open to suggestions.
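Since the AST alone cannot tell the two packages apart, the "manually confirm pyCrypto is not installed" step of the `-s B413` workaround can be scripted from installed distribution metadata instead. The following is an added example, not Bandit's own code: it mirrors B413's import matching on the AST and then asks `importlib.metadata.packages_distributions()` (Python 3.10+) which distribution actually provides the top-level `Crypto` package; the `dist_map` argument and the `b413_is_real` name are assumptions for this illustration.

```python
"""Decide whether a B413 hit on `from Crypto...` is pycrypto or pycryptodome."""
from __future__ import annotations

import ast

# Distribution names as they appear in package metadata (both publish `Crypto`).
PYCRYPTO_DIST = "pycrypto"
PYCRYPTODOME_DIST = "pycryptodome"


def crypto_imports(source: str) -> list[str]:
    """Return modules under `Crypto`/`Cryptodome` imported by `source`, AST-only like Bandit."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module]
        else:
            continue
        found.extend(n for n in names if n.split(".")[0] in ("Crypto", "Cryptodome"))
    return found


def classify_crypto_namespace(dist_map: dict[str, list[str]]) -> str:
    """Which distribution backs top-level `Crypto`: "pycrypto", "pycryptodome", "both" or "absent".

    `dist_map` has the shape of importlib.metadata.packages_distributions():
    {top_level_package: [distribution_name, ...]}.
    """
    dists = {d.lower() for d in dist_map.get("Crypto", [])}
    has_old, has_new = PYCRYPTO_DIST in dists, PYCRYPTODOME_DIST in dists
    if has_old and has_new:
        return "both"
    if has_old:
        return "pycrypto"
    return "pycryptodome" if has_new else "absent"


def b413_is_real(source: str, dist_map: dict[str, list[str]] | None = None) -> bool:
    """True only when `source` imports `Crypto.*` AND pycrypto is what provides it."""
    if dist_map is None:  # hypothetical helper: read the live environment when not injected
        from importlib.metadata import packages_distributions  # Python 3.10+
        dist_map = packages_distributions()
    if not any(m.split(".")[0] == "Crypto" for m in crypto_imports(source)):
        return False
    return classify_crypto_namespace(dist_map) in ("pycrypto", "both")


if __name__ == "__main__":
    SAMPLE = "from Crypto.Cipher import AES\n"  # constructed: the import from the report
    print(crypto_imports(SAMPLE), "pycrypto present:", b413_is_real(SAMPLE))
```

In CI this can replace blanket suppression: keep `-s B413` only while `b413_is_real` returns False for the environment you actually deploy.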
Another workaround is to use pip install pycryptodomex as suggested here: https://pycryptodome.readthedocs.io/en/latest/src/introduction.html
As a result, the namespace will be Cryptodome and not Crypto.
There's no good way to fix this from Bandit. However, there is a workaround, so closing for now.