Update Pipfile.lock

This updated bandit to 1.7.4. In 1.7.3 check [B303], hash functions, was updated and [B415], IMPI protocol, was added. Hash Function ============= A lower threshold for insecure hash functions was introduced. All offending code places have been updated with `usedforsecurity=False` to make bandit happy. This might have not been ideal in all cases. I'm currently not sure how a change in hashing algorithm would affect back wards compatibility. IMPI Protocol ============== The IMPI protocol is considered insecure. We use it exentsivly in core parts of the code. For now ignore this check. [B303] PyCQA/bandit#748 [B415] PyCQA/bandit#803 Change-Id: Iee36820d152955bbd31e6b21fdd6bbc5b83dbb1c
Checkmk · Mar 7, 2022 · 479a5d0 · 479a5d0
1 parent 16bfa8d
commit 479a5d0
Show file tree

Hide file tree

Showing 6 changed files with 345 additions and 309 deletions.
diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/bandit.yaml b/bandit.yaml
@@ -95,6 +95,7 @@ skips:
   # tests. :-/ We should investigate this further at some point...
   - B303
   - B304
+  - B415  # pyghmi is needed by our core
 
 ### (optional) plugin settings - some test plugins require configuration data
 ### that may be given here, per-plugin. All bandit test plugins have a built in
@@ -402,4 +403,3 @@ weak_cryptographic_key:
   weak_key_size_ec_medium: 224
   weak_key_size_rsa_high: 1024
   weak_key_size_rsa_medium: 2048
-
diff --git a/bin/mkbackup b/bin/mkbackup
@@ -448,7 +448,7 @@ def get_files_for_backup_info() -> List[Tuple[str, int, str]]:
 
 
 def file_checksum(path: str) -> str:
-    hash_md5 = md5()
+    hash_md5 = md5(usedforsecurity=False)  # pylint: disable=unexpected-keyword-arg
     with open(path, "rb") as f:
         for chunk in iter(lambda: f.read(4096), b""):
             hash_md5.update(chunk)

diff --git a/cmk/gui/plugins/webapi/utils.py b/cmk/gui/plugins/webapi/utils.py
@@ -102,7 +102,9 @@ def add_configuration_hash(response: dict, configuration_object: dict) -> None:
 def compute_config_hash(entity: Mapping) -> str:
     try:
         entity_encoded = json.dumps(entity, sort_keys=True)
-        entity_hash = md5(entity_encoded.encode()).hexdigest()
+        entity_hash = md5(  # pylint: disable=unexpected-keyword-arg
+            entity_encoded.encode(), usedforsecurity=False
+        ).hexdigest()
     except Exception as e:
         logger.error("Error %s", e)
         entity_hash = "0"

diff --git a/cmk/gui/valuespec.py b/cmk/gui/valuespec.py
@@ -7052,7 +7052,9 @@ def _generate_ssh_key(cls, varprefix: str) -> SSHKeyPairValue:
     def _get_key_fingerprint(cls, value: SSHKeyPairValue) -> str:
         _private_key, public_key = value
         key = base64.b64decode(public_key.strip().split()[1].encode("ascii"))
-        fp_plain = hashlib.md5(key).hexdigest()
+        fp_plain = hashlib.md5(  # pylint: disable=unexpected-keyword-arg
+            key, usedforsecurity=False
+        ).hexdigest()
         return ":".join(a + b for a, b in zip(fp_plain[::2], fp_plain[1::2]))
 
 

diff --git a/cmk/gui/watolib/config_sync.py b/cmk/gui/watolib/config_sync.py
@@ -290,7 +290,10 @@ def is_supported(component: ReplicationPath) -> bool:
 
         # Simply compute the checksum of the sitespecific.mk
         source_path = os.path.join(snapshot_work_dir, custom_components[0].site_path)
-        return hashlib.md5(open(source_path, "rb").read()).hexdigest()
+        return hashlib.md5(  # pylint: disable=unexpected-keyword-arg
+            open(source_path, "rb").read(),
+            usedforsecurity=False,
+        ).hexdigest()
 
 
 class SnapshotCreator(SnapshotCreationBase):