Inconsistency of `random.Random` detection between different platforms
Describe the bug
The blacklisting module uses fnmatch for matching call names, which results in differing behavior on Windows vs other platforms.
https://github.com/PyCQA/bandit/blob/5809d1bec788f88c88c99afd42b80c58ea876363/bandit/core/blacklisting.py#L58
In particular, a call to random.random generally results in B311 being emitted:
https://github.com/PyCQA/bandit/blob/5809d1bec788f88c88c99afd42b80c58ea876363/bandit/blacklists/calls.py#L523-L528
Since fnmatch.fnmatch passes both the call name and the pattern through os.path.normcase before comparing them, and os.path.normcase lowercases on Windows but is a no-op on POSIX, this blacklist entry also matches random.Random on Windows, but not on Linux.
# Windows
> bandit test.py
...
[main] INFO running on Python 3.9.9
Run started:2022-07-09 21:22:28.141846
Test results:
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
CWE: CWE-330 (https://cwe.mitre.org/data/definitions/330.html)
Location: test.py:2:4
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
1 import random
2 x = random.Random()
...
# Linux
$ bandit test.py
...
[main] INFO running on Python 3.9.9
Run started:2022-07-09 21:15:31.888486
Test results:
No issues identified.
Reproduction steps
Run bandit on the following code on Windows and Linux:
import random
x = random.Random()
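To show the platform dependence from a single host, the following added example (not Bandit's code) mirrors what fnmatch.fnmatch does internally, but with ntpath.normcase and posixpath.normcase substituted explicitly for os.path.normcase, and contrasts it with fnmatch.fnmatchcase, which never normalises case. The pattern list is a constructed subset standing in for the B311 entries in calls.py.

```python
import fnmatch
import ntpath
import posixpath

# Constructed subset of the B311 blacklist qualnames; the real list lives in
# bandit/blacklists/calls.py and is longer.
B311_QUALNAMES = ["random.random", "random.randrange", "random.randint", "random.choice"]


def matches_like_fnmatch(qualname, patterns, normcase):
    """Reproduce fnmatch.fnmatch() for a chosen platform.

    fnmatch.fnmatch(name, pat) is os.path.normcase(name) and os.path.normcase(pat)
    followed by fnmatchcase(). Passing ntpath.normcase (lowercases, as on Windows)
    or posixpath.normcase (identity, as on Linux) lets both outcomes be observed
    regardless of the host running this script.
    """
    return any(fnmatch.fnmatchcase(normcase(qualname), normcase(p)) for p in patterns)


def matches_case_sensitive(qualname, patterns):
    """Platform-independent variant: fnmatchcase() skips os.path.normcase entirely."""
    return any(fnmatch.fnmatchcase(qualname, p) for p in patterns)


def compare(qualnames=("random.random", "random.Random", "random.SystemRandom")):
    """Return, per call name, whether each matching strategy would flag it."""
    results = {}
    for name in qualnames:
        results[name] = {
            "windows_fnmatch": matches_like_fnmatch(name, B311_QUALNAMES, ntpath.normcase),
            "linux_fnmatch": matches_like_fnmatch(name, B311_QUALNAMES, posixpath.normcase),
            "fnmatchcase": matches_case_sensitive(name, B311_QUALNAMES),
        }
    return results


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name:22s} {outcome}")
```

Only the `windows_fnmatch` column flags `random.Random`; whether that class should be flagged everywhere is then a question of adding it to the list, independent of the matching function used.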
Expected behavior
I'm not exactly sure what the correct behavior should be - probably random.Random resulting in B311 on all platforms, not just Windows - but it should be consistent regardless of platform.
Bandit version
1.7.4 (Default)
Python version
3.9
Additional context
No response