mcp-server-semgrep/semgrep-rules/python/pycryptodome/security/insecure-cipher-algorithm-blowfish.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: insecure-cipher-algorithm-blowfish
  message: >-
    Detected Blowfish cipher algorithm which is considered insecure. This algorithm
    is not cryptographically secure and can be reversed easily.
    Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits.
    When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.
  metadata:
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84
    cwe:
    - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    owasp:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
    bandit-code: B304
    references:
    - https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption
    - https://www.pycryptodome.org/src/cipher/cipher
    category: security
    technology:
    - pycryptodome
    subcategory:
    - vuln
    likelihood: LOW
    impact: MEDIUM
    confidence: HIGH
    functional-categories:
    - crypto::search::symmetric-algorithm::pycryptodome
    - crypto::search::symmetric-algorithm::pycryptodomex
  options:
    symbolic_propagation: true
  severity: WARNING
  languages:
  - python
  pattern-either:
  - pattern: Cryptodome.Cipher.Blowfish.new(...)
  - pattern: Crypto.Cipher.Blowfish.new(...)