Consider removing PyCryptodome from blacklist

Old algorithms are still useful to access, verify and/or import old data (which would be lost otherwise) or interface with old system (say, not so recent embedded hardware).

So, even though I would also like to see only the latest and greatest algorithms being used, I find that approach only works in environments where code updates are cheap and data somewhat volatile (like web services, etc).

Additionally, the threat of people selecting outdated algorithms is probably one order of magnitude less serious than incorrect key generation and management (like using fixed keys and passwords, using bad RNG, storing keys in the clear or not wiping them) or unsafe compositions of otherwise safe algorithms, which are unfortunately more difficult to detect.

All in all, I think it would be more fair for bandit to blacklist individual modules in pycryptodome you feel strongly against (like Crypto.Cipher.DES), as opposed to entire packages. I also just noticed that cryptography too gives you access to weak algorithms (ECB mode, RSAES-PKCS1-v1_5, MD5, SHA1, TDES, etc) but bandit does not warn the user in that case, so that is certainly not showing consistency.

+1. I don’t see why you would blacklist the entire module vs specific unsafe methods and algorithms. Pycryptodome is vastly improved compared to pycrypto, and is an easy transition for systems using pycrypto. Most encryption libraries have some form of support for legacy algorithms, which is just part of the reality of supporting older or legacy systems (as well as migrations from them). It’s definitely worth flagging insecure function usage, but flagging the entire library is an unnecessarily nuclear approach.

EDIT: Also, as related but different isuse, pycryptodome triggers the pycrypto alert when using the Crypto imports (which makes sense)