python.cryptography.security.insecure-cipher-mode-ecb.insecure-cipher-mode-ecb

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
99,223
Download Count*
LGPL Commons Clause
License

Detected ECB cipher mode which is considered insecure. The algorithm can potentially leak information about the plaintext. Use CBC mode instead.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: insecure-cipher-mode-ecb
    pattern: cryptography.hazmat.primitives.ciphers.modes.ECB(...)
    message: Detected ECB cipher mode which is considered insecure. The algorithm
      can potentially leak information about the plaintext. Use CBC mode
      instead.
    metadata:
      source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L101
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      bandit-code: B305
      references:
        - https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption
      category: security
      technology:
        - cryptography
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: WARNING
    languages:
      - python

Examples

insecure-cipher-mode-ecb.py

# cf. https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/examples/cipher-modes.py

from cryptography.hazmat.primitives.ciphers.modes import CBC
from cryptography.hazmat.primitives.ciphers.modes import ECB


# Insecure mode
# ruleid: insecure-cipher-mode-ecb
mode = ECB(iv)

# Secure cipher and mode
# ok: insecure-cipher-mode-ecb
cipher = AES.new(key, blockalgo.MODE_CTR, iv)

# Secure mode
# ok: insecure-cipher-mode-ecb
mode = CBC(iv)