Open
Description
I noticed the following issue after running some tests. I have the following code:
def cryptography_aes_examples():
    """Encrypt one block with AES-CBC using 64-, 128-, 192- and 256-bit keys.

    Fixture for static crypto-detection testing: every key size gets its own
    ``algorithms.AES(...)`` and ``Cipher(...)`` call site. The keys and the IV
    are hard-coded test values and must not be reused as real key material.
    """
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    # Literal key material of 8, 16, 24 and 32 bytes (64, 128, 192 and 256 bits).
    key64 = b"01234567"
    key128 = b"0123456789abcdef"
    key192 = b"0123456789abcdef01234567"
    key256 = b"0123456789abcdef0123456789abcdef"
    # 16-byte IV, passed unchanged to every CBC cipher below (fixed-IV reuse is
    # acceptable only because this is a detection fixture).
    iv = b"1234567890abcdef"
    # 12 bytes; not referenced by any statement in this excerpt.
    nonce = b"123456789012"
    # Exactly 16 bytes (one AES block), so the CBC calls below need no padding.
    data = b"hello world!!!!!"

    # AES-CBC (invalid 64-bit key — should fail at runtime, but useful for static detection testing)
    # NOTE(review): if this AES() call raises as the comment above expects, the
    # 128/192/256-bit statements after it are reached only by static analysis,
    # never by execution — confirm that is intended.
    algo_small = algorithms.AES(key64)
    c_small = Cipher(algo_small, modes.CBC(iv))
    encryptor_small = c_small.encryptor()
    ct_small = encryptor_small.update(data) + encryptor_small.finalize()

    # AES-CBC (128-bit)
    algo_128 = algorithms.AES(key128)
    c_128 = Cipher(algo_128, modes.CBC(iv))
    encryptor_128 = c_128.encryptor()
    ct_128 = encryptor_128.update(data) + encryptor_128.finalize()

    # AES-CBC (192-bit)
    algo_192 = algorithms.AES(key192)
    c_192 = Cipher(algo_192, modes.CBC(iv))
    encryptor_192 = c_192.encryptor()
    ct_192 = encryptor_192.update(data) + encryptor_192.finalize()

    # AES-CBC (256-bit)
    # The key size reaches Cipher() only indirectly, through the algo_* object
    # built from a key* variable; a scanner must resolve that chain to tell
    # the four call sites apart.
    algo_256 = algorithms.AES(key256)
    c_256 = Cipher(algo_256, modes.CBC(iv))
    encryptor_256 = c_256.encryptor()
    ct_256 = encryptor_256.update(data) + encryptor_256.finalize()

After scanning the CBOM seems to produce the following output:
"type": "cryptographic-asset",
"bom-ref": "132e7ce1-279f-497f-8118-c75e3f594949",
"name": "AES-CBC",
"evidence": {
"occurrences": [
{
"location": "configs/symmetric-atomic-primitives/tests/aes.py",
"line": 65,
"offset": 14,
"additionalContext": "Cipher"
},
{
"location": "configs/symmetric-atomic-primitives/tests/aes.py",
"line": 71,
"offset": 12,
"additionalContext": "Cipher"
},
{
"location": "configs/symmetric-atomic-primitives/tests/aes.py",
"line": 77,
"offset": 12,
"additionalContext": "Cipher"
},
{
"location": "configs/symmetric-atomic-primitives/tests/aes.py",
"line": 83,
"offset": 12,
"additionalContext": "Cipher"
},
{
"location": "configs/symmetric-atomic-primitives/tests/aes.py",
"line": 90,
"offset": 8,
"additionalContext": "Cipher"
},
{
"location": "configs/symmetric-atomic-primitives/tests/aes.py",
"line": 107,
"offset": 9,
"additionalContext": "Cipher"
},
{
"location": "configs/symmetric-atomic-primitives/tests/aes_key_length.py",
"line": 107,
"offset": 8,
"additionalContext": "Cipher"
},
{
"location": "configs/symmetric-atomic-primitives/tests/aes_key_length.py",
"line": 133,
"offset": 8,
"additionalContext": "Cipher"
},
{
"location": "configs/symmetric-atomic-primitives/tests/aes_key_length.py",
"line": 164,
"offset": 8,
"additionalContext": "Cipher"
}
]
},
"cryptoProperties": {
"assetType": "algorithm",
"algorithmProperties": {
"primitive": "block-cipher",
"parameterSetIdentifier": "128",
"mode": "cbc",
"cryptoFunctions": [
"encrypt"
]
},
"oid": "2.16.840.1.101.3.4.1"
}
},
From what I understand, I should use the parameter set identifier to determine which key size is in use. Here the scan seems to detect only the 128-bit key size, although the code above also constructs AES with 192-bit and 256-bit keys. Is this supposed to happen?