python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size

profile photo of semgrepsemgrep
Author
6,591
Download Count*
LGPL Commons Clause
License

Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: insufficient-dsa-key-size
    patterns:
      - pattern-either:
          - pattern: cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key(...,
              key_size=$SIZE, ...)
          - pattern: cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key($SIZE,
              ...)
      - metavariable-comparison:
          metavariable: $SIZE
          comparison: $SIZE < 2048
      - focus-metavariable: $SIZE
    fix: |
      2048
    message: Detected an insufficient key size for DSA. NIST recommends a key size
      of 2048 or higher.
    metadata:
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
      references:
        - https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf
        - https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/
        - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
      category: security
      technology:
        - cryptography
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      functional-categories:
        - crypto::search::key-length::cryptography
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - python
    severity: WARNING

Examples

insufficient-dsa-key-size.py

from cryptography.hazmat import backends
from cryptography.hazmat.primitives.asymmetric import dsa

# ok: insufficient-dsa-key-size
dsa.generate_private_key(key_size=2048,
                         backend=backends.default_backend())

# ok: insufficient-dsa-key-size
dsa.generate_private_key(2048,
                         backend=backends.default_backend())

# ruleid: insufficient-dsa-key-size
dsa.generate_private_key(key_size=1024,
                         backend=backends.default_backend())

# ruleid: insufficient-dsa-key-size
dsa.generate_private_key(1024,
                         backend=backends.default_backend())