python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size
semgrep
Author
6,591
Download Count*
License
Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.
Run Locally
Run in CI
Defintion
rules:
- id: insufficient-dsa-key-size
patterns:
- pattern-either:
- pattern: cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key(...,
key_size=$SIZE, ...)
- pattern: cryptography.hazmat.primitives.asymmetric.dsa.generate_private_key($SIZE,
...)
- metavariable-comparison:
metavariable: $SIZE
comparison: $SIZE < 2048
- focus-metavariable: $SIZE
fix: |
2048
message: Detected an insufficient key size for DSA. NIST recommends a key size
of 2048 or higher.
metadata:
cwe:
- "CWE-326: Inadequate Encryption Strength"
owasp:
- A03:2017 - Sensitive Data Exposure
- A02:2021 - Cryptographic Failures
source-rule-url: https://github.com/PyCQA/bandit/blob/b1411bfb43795d3ffd268bef17a839dee954c2b1/bandit/plugins/weak_cryptographic_key.py
references:
- https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf
- https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
category: security
technology:
- cryptography
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
functional-categories:
- crypto::search::key-length::cryptography
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
languages:
- python
severity: WARNING
Examples
insufficient-dsa-key-size.py
from cryptography.hazmat import backends
from cryptography.hazmat.primitives.asymmetric import dsa
# ok: insufficient-dsa-key-size
dsa.generate_private_key(key_size=2048,
backend=backends.default_backend())
# ok: insufficient-dsa-key-size
dsa.generate_private_key(2048,
backend=backends.default_backend())
# ruleid: insufficient-dsa-key-size
dsa.generate_private_key(key_size=1024,
backend=backends.default_backend())
# ruleid: insufficient-dsa-key-size
dsa.generate_private_key(1024,
backend=backends.default_backend())
Short Link: https://sg.run/5Qb0