mcp-server-semgrep/semgrep-rules/python/pycryptodome/security/insecure-cipher-algorithm-des.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: insecure-cipher-algorithm-des
  message: >-
    Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm
    is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead.
    Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits.
    When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.
  metadata:
    source-rule-url: https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/blacklists/calls.py#L84
    cwe:
    - 'CWE-327: Use of a Broken or Risky Cryptographic Algorithm'
    owasp:
    - A03:2017 - Sensitive Data Exposure
    - A02:2021 - Cryptographic Failures
    bandit-code: B304
    references:
    - https://cwe.mitre.org/data/definitions/326.html
    - https://www.pycryptodome.org/src/cipher/cipher
    category: security
    technology:
    - pycryptodome
    subcategory:
    - vuln
    likelihood: LOW
    impact: MEDIUM
    confidence: HIGH
    functional-categories:
    - crypto::search::symmetric-algorithm::pycryptodome
    - crypto::search::symmetric-algorithm::pycryptodomex
  options:
    symbolic_propagation: true
  severity: WARNING
  languages:
  - python
  pattern-either:
  - pattern: Cryptodome.Cipher.DES.new(...)
  - pattern: Crypto.Cipher.DES.new(...)
  - pattern: Cryptodome.Cipher.DES3.new(...)
  - pattern: Crypto.Cipher.DES3.new(...)