Update OSS Python cryptography rules (#3260)

python/cryptography/security/empty-aes-key.yaml

@@ -1,6 +1,7 @@
 rules:
 - id: empty-aes-key
-  message: Potential empty AES encryption key. Using an empty key in AES encryption
+  message: >-
+    Potential empty AES encryption key. Using an empty key in AES encryption
     can result in weak encryption and may allow attackers to easily decrypt sensitive
     data. Ensure that a strong, non-empty key is used for AES encryption.
   patterns:
@@ -16,12 +17,17 @@ rules:
     - https://cwe.mitre.org/data/definitions/327.html
     - https://cwe.mitre.org/data/definitions/310.html
     category: security
-    technology:
-    - python
     subcategory:
     - vuln
     likelihood: MEDIUM
     impact: HIGH
     confidence: MEDIUM
     license: Commons Clause License Condition v1.0[LGPL-2.1-only]
     owasp: A6:2017 misconfiguration
+    functional-categories:
+    - crypto::search::key-length::pycrypto
+    - crypto::search::key-length::pycryptodome
+    technology:
+    - python
+    - pycrypto
+    - pycryptodome

python/cryptography/security/insecure-cipher-algorithms-arc4.yaml

@@ -2,8 +2,9 @@ rules:
 - id: insecure-cipher-algorithm-arc4
   pattern: cryptography.hazmat.primitives.ciphers.algorithms.ARC4(...)
   message: >-
-    Detected ARC4 cipher algorithm which is considered insecure. The algorithm is
-    considered weak and has been deprecated. Use AES instead.
+    ARC4 (Alleged RC4) is a stream cipher with serious weaknesses in its initial stream output. 
+    Its use is strongly discouraged. ARC4 does not use mode constructions.
+    Use a strong symmetric cipher such as EAS instead.
   metadata:
     source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98
     cwe:
@@ -13,7 +14,7 @@ rules:
     - A02:2021 - Cryptographic Failures
     bandit-code: B304
     references:
-    - https://tools.ietf.org/html/rfc5469
+    - https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers
     category: security
     technology:
     - cryptography
@@ -22,6 +23,8 @@ rules:
     likelihood: MEDIUM
     impact: MEDIUM
     confidence: MEDIUM
+    functional-categories:
+    - crypto::search::symmetric-algorithm::cryptography
   severity: WARNING
   languages:
   - python

python/cryptography/security/insecure-cipher-algorithms-blowfish.yaml

@@ -2,8 +2,8 @@ rules:
 - id: insecure-cipher-algorithm-blowfish
   pattern: cryptography.hazmat.primitives.ciphers.algorithms.Blowfish(...)
   message: >-
-    Detected Blowfish cipher algorithm which is considered insecure. The algorithm is
-    considered weak and has been deprecated. Use AES instead.
+    Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. 
+    The author has recommended that users of Blowfish move to newer algorithms such as AES.
   metadata:
     source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98
     cwe:
@@ -13,6 +13,7 @@ rules:
     - A02:2021 - Cryptographic Failures
     bandit-code: B304
     references:
+    - https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers
     - https://tools.ietf.org/html/rfc5469
     category: security
     technology:
@@ -22,6 +23,8 @@ rules:
     likelihood: MEDIUM
     impact: MEDIUM
     confidence: MEDIUM
+    functional-categories:
+    - crypto::search::symmetric-algorithm::cryptography
   severity: WARNING
   languages:
   - python

python/cryptography/security/insecure-cipher-algorithms.yaml

@@ -2,8 +2,10 @@ rules:
 - id: insecure-cipher-algorithm-idea
   pattern: cryptography.hazmat.primitives.ciphers.algorithms.IDEA(...)
   message: >-
-    Detected IDEA cipher algorithm which is considered insecure. The algorithm is
-    considered weak and has been deprecated. Use AES instead.
+    IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. 
+    It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. 
+    It is recommended that you do not use this cipher for new applications.
+    Use a strong symmetric cipher such as EAS instead.
   metadata:
     source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L98
     cwe:
@@ -14,6 +16,7 @@ rules:
     bandit-code: B304
     references:
     - https://tools.ietf.org/html/rfc5469
+    - https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA
     category: security
     technology:
     - cryptography
@@ -22,6 +25,8 @@ rules:
     likelihood: MEDIUM
     impact: MEDIUM
     confidence: MEDIUM
+    functional-categories:
+    - crypto::search::symmetric-algorithm::cryptography
   severity: WARNING
   languages:
   - python

python/cryptography/security/insecure-cipher-mode-ecb.yaml

@@ -2,8 +2,10 @@ rules:
 - id: insecure-cipher-mode-ecb
   pattern: cryptography.hazmat.primitives.ciphers.modes.ECB(...)
   message: >-
-    Detected ECB cipher mode which is considered insecure. The algorithm can
-    potentially leak information about the plaintext. Use CBC mode instead.
+    ECB (Electronic Code Book) is the simplest mode of operation for block ciphers. 
+    Each block of data is encrypted in the same way. 
+    This means identical plaintext blocks will always result in identical ciphertext blocks, which can leave significant patterns in the output.
+    Use a different, more secure mode instead.
   metadata:
     source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L101
     cwe:
@@ -13,6 +15,7 @@ rules:
     - A02:2021 - Cryptographic Failures
     bandit-code: B305
     references:
+    - https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#insecure-modes
     - https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption
     category: security
     technology:
@@ -22,6 +25,8 @@ rules:
     likelihood: LOW
     impact: LOW
     confidence: MEDIUM
+    functional-categories:
+    - crypto::search::mode::cryptography
   severity: WARNING
   languages:
   - python

python/cryptography/security/insecure-hash-algorithms-md5.yaml

@@ -14,6 +14,7 @@ rules:
     - A02:2021 - Cryptographic Failures
     bandit-code: B303
     references:
+    - https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#md5
     - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
     - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability
     - http://2012.sharcs.org/slides/stevens.pdf
@@ -26,6 +27,8 @@ rules:
     likelihood: LOW
     impact: MEDIUM
     confidence: MEDIUM
+    functional-categories:
+    - crypto::search::symmetric-algorithm::cryptography
   severity: WARNING
   languages:
   - python

python/cryptography/security/insecure-hash-algorithms.yaml

@@ -22,6 +22,7 @@ rules:
     - A02:2021 - Cryptographic Failures
     bandit-code: B303
     references:
+    - https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sha-1
     - https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
     - https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability
     - http://2012.sharcs.org/slides/stevens.pdf
@@ -34,6 +35,8 @@ rules:
     likelihood: LOW
     impact: MEDIUM
     confidence: MEDIUM
+    functional-categories:
+    - crypto::search::symmetric-algorithm::cryptography
   severity: WARNING
   languages:
   - python

python/cryptography/security/insufficient-dsa-key-size.yaml

@@ -19,6 +19,8 @@ rules:
     - A02:2021 - Cryptographic Failures
     source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
     references:
+    - https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf
+    - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/
     - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
     category: security
     technology:
@@ -28,5 +30,7 @@ rules:
     likelihood: MEDIUM
     impact: MEDIUM
     confidence: MEDIUM
+    functional-categories:
+    - crypto::search::key-length::cryptography
   languages: [python]
   severity: WARNING

python/cryptography/security/insufficient-ec-key-size.yaml

@@ -33,5 +33,7 @@ rules:
     likelihood: MEDIUM
     impact: MEDIUM
     confidence: MEDIUM
+    functional-categories:
+    - crypto::search::key-length::cryptography
   languages: [python]
   severity: WARNING

python/cryptography/security/insufficient-rsa-key-size.yaml

@@ -19,6 +19,7 @@ rules:
     - A02:2021 - Cryptographic Failures
     source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
     references:
+    - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/
     - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
     category: security
     technology:
@@ -28,5 +29,7 @@ rules:
     likelihood: MEDIUM
     impact: MEDIUM
     confidence: MEDIUM
+    functional-categories:
+    - crypto::search::key-length::cryptography
   languages: [python]
   severity: WARNING