Blacklist call B309 not relevant any longer #857
Labels
bug
Something isn't working
Comments
ericwb
added a commit
that referenced
this issue
Mar 19, 2022
This check existed because of insufficient checking of certificates when using httpsconnection. Since 3.4.3, this has been fixed. And since Bandit supports 3.7+, there is no longer a need to scan for this. Closes #857 Signed-off-by: Eric Brown <browne@vmware.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
B309 blacklist call checks for HTTPSConnection usage which was insecure in Python version prior to 2.7.9 and 3.4.3 because it didn't check certificate or hostnames. However, Bandit only supports a minimum of Python 3.7 now.
https://docs.python.org/3.5/library/http.client.html#http.client.HTTPSConnection
Reproduction steps
1. See https://docs.python.org/3.5/library/http.client.html#http.client.HTTPSConnection 2. Notice the comments in https://github.com/PyCQA/bandit/blob/main/bandit/blacklists/calls.py#L492 on versions affected.Expected behavior
I expect there is no longer a need for this check.
Bandit version
1.7.4 (Default)
Python version
3.10 (Default)
Additional context
No response
The text was updated successfully, but these errors were encountered: