[BUG]: IAST False-positive detection for weak hashes when using usedforsecurity=False #14190

@miketheman

Description
Tracer Version(s)

3.11.1

Python Version(s)

Python 3.13.5

Pip Version(s)

pip 25.0.1

Bug Report

IAST false-positive detection on hashlib methods when explicitly setting usedforsecurity=False, which is meant to convey that these calls are explicitly not used for cryptographic functions and alleviate the need to alert on usage.

The fix likely should live somewhere in here: https://github.com/DataDog/dd-trace-py/blob/3cf3342a005c1ef9e345d2a82a631bc827c8617a/ddtrace/appsec/_iast/taint_sinks/weak_hash.py

Reproduction Code

import hashlib


def _hash(email: str | None) -> str:
    if email is None:
        email = ""

    return hashlib.md5(
        email.strip().lower().encode("utf8"), usedforsecurity=False
    ).hexdigest()

(source: https://github.com/pypi/warehouse/blob/7824278cbacdef927159c42836cb9e2af198fe85/warehouse/utils/gravatar.py#L12 )

Error Logs

n/a

Libraries in Use

alembic==1.16.4
alembic-postgresql-enum==1.8.0
amqp==5.3.1
annotated-types==0.7.0
argon2-cffi==25.1.0
argon2-cffi-bindings==21.2.0
asn1crypto==1.5.1
asttokens==3.0.0
asyncudp==0.11.0
attrs==25.3.0
Automat==25.4.16
b2sdk==2.9.4
babel==2.17.0
bcrypt==4.3.0
beautifulsoup4==4.13.4
betterproto==2.0.0b6
billiard==4.2.1
black==25.1.0
boto3==1.37.11
boto3-stubs==1.37.11
botocore==1.37.11
botocore-stubs==1.37.11
build==1.2.2.post1
bytecode==0.16.2
cachetools==5.5.2
cattrs==25.1.1
cbor2==5.6.5
celery==5.5.3
celery-redbeat==2.3.3
celery-types==0.23.0
certifi==2025.7.14
cffi==1.17.1
charset-normalizer==3.4.2
click==8.2.1
click-didyoumean==0.3.1
click-plugins==1.1.1.2
click-repl==0.3.0
cmarkgfm==2024.11.20
colorama==0.4.6
coverage==7.6.12
cryptography==44.0.3
cssbeautifier==1.15.4
cssselect==1.3.0
cssutils==2.11.1
datadog==0.52.0
ddtrace==3.11.1
decorator==5.2.1
Deprecated==1.2.18
disposable-email-domains==0.0.129
djlint==1.36.4
dnspython==2.7.0
docutils==0.21.2
EditorConfig==0.17.1
email_validator==2.2.0
envier==0.6.1
Events==0.5
execnet==2.1.1
executing==2.2.0
factory_boy==3.3.3
Faker==37.4.2
filelock==3.18.0
flake8==7.3.0
flake8-plugin-utils==1.3.3
flake8-pytest-style==2.1.0
forcediphttpsadapter==1.1.0
freezegun==1.5.3
github_reserved_names==2024.11.1
google-api-core==2.25.1
google-auth==2.40.3
google-cloud-bigquery==3.35.1
google-cloud-core==2.4.3
google-cloud-storage==3.2.0
google-crc32c==1.7.1
google-resumable-media==2.7.2
googleapis-common-protos==1.70.0
greenlet==3.2.3
grpcio==1.74.0
grpcio-status==1.74.0
grpclib==0.4.8
gunicorn==23.0.0
h2==4.2.0
hiredis==3.2.1
hpack==4.1.0
html5lib==1.1
humanize==4.12.3
hupper==1.12.1
hyperframe==6.1.0
icdiff==2.0.7
id==1.5.0
idna==3.10
importlib_metadata==8.7.0
iniconfig==2.1.0
ipython==9.4.0
ipython_pygments_lexers==1.1.1
isodate==0.7.2
isort==6.0.1
itsdangerous==2.2.0
jedi==0.19.2
Jinja2==3.1.6
jmespath==1.0.1
jsbeautifier==1.15.4
json5==0.12.0
jsonschema==4.25.0
jsonschema-path==0.3.4
jsonschema-specifications==2025.4.1
kombu==5.5.4
lazy-object-proxy==1.11.0
legacy-cgi==2.6.3
limits==5.4.0
linehaul==1.0.2
logfury==1.0.1
lxml==5.3.2
Mako==1.3.10
markdown-it-py==3.0.0
MarkupSafe==3.0.2
matplotlib-inline==0.1.7
mccabe==0.7.0
mdurl==0.1.2
mirakuru==2.6.1
more-itertools==10.7.0
msgpack==1.1.1
msgpack-types==0.5.0
multidict==6.6.3
mypy==1.16.1
mypy-zope==1.0.13
mypy_extensions==1.1.0
natsort==8.4.0
nh3==0.3.0
openapi-core==0.19.5
openapi-schema-validator==0.6.3
openapi-spec-validator==0.7.2
opensearch-py==3.0.0
opentelemetry-api==1.36.0
orjson==3.11.1
packaging==25.0
packaging-legacy==23.0.post0
paginate==0.5.7
paginate-sqlalchemy==0.3.1
parse==1.20.2
parso==0.8.4
passlib==1.7.4
PasteDeploy==3.1.0
pathable==0.4.4
pathspec==0.12.1
pep8-naming==0.15.1
pexpect==4.9.0
pip-api==0.0.34
pip-tools==7.4.1
plaster==1.1.2
plaster-pastedeploy==1.0.1
platformdirs==4.3.8
pluggy==1.6.0
polib==1.2.0
port-for==0.7.4
pprintpp==0.4.0
premailer==3.10.0
pretend==1.0.9
prompt_toolkit==3.0.51
proto-plus==1.26.1
protobuf==6.31.1
psutil==7.0.0
psycopg==3.2.9
psycopg-binary==3.2.9
ptyprocess==0.7.0
pure_eval==0.2.3
pyasn1==0.6.1
pyasn1_modules==0.4.2
pycodestyle==2.14.0
pycparser==2.22
pydantic==2.11.7
pydantic_core==2.33.2
pyflakes==3.4.0
Pygments==2.19.2
PyJWT==2.10.1
pymacaroons==0.13.0
PyNaCl==1.5.0
pyOpenSSL==25.1.0
pyparsing==3.2.3
pypi-attestations==0.0.27
pyproject_hooks==1.2.0
pyqrcode-binary==1.2.1
pyramid==2.0.2
pyramid-mailer==0.15.1
pyramid-mako==1.1.0
pyramid-redirect==0.4
pyramid-retry==2.1.1
pyramid-rpc==0.8
pyramid-services==2.2
pyramid_debugtoolbar==4.12.1
pyramid_jinja2==2.10.1
pyramid_openapi3==0.21.0
pyramid_tm==2.6
pytest==8.4.1
pytest-icdiff==0.9
pytest-mock==3.14.1
pytest-postgresql==7.0.2
pytest-randomly==3.16.0
pytest-socket==0.7.0
pytest-sugar==1.0.0
pytest-xdist==3.8.0
python-dateutil==2.9.0.post0
python-slugify==8.0.4
pytz==2025.2
pyupgrade==3.20.0
PyYAML==6.0.2
readme_renderer==44.0
redis==5.2.1
referencing==0.36.2
regex==2024.11.6
repoze.sendmail==4.4.1
requests==2.32.4
requests-aws4auth==1.3.1
requests-file==2.1.0
responses==0.25.7
rfc3161-client==1.0.3
rfc3339-validator==0.1.4
rfc3986==2.0.0
rfc8785==0.1.4
rich==14.1.0
rpds-py==0.26.0
rsa==4.9.1
s3transfer==0.11.5
securesystemslib==1.3.0
sentry-sdk==2.34.0
setuptools==80.9.0
sigstore==3.6.4
sigstore-protobuf-specs==0.3.2
sigstore-rekor-types==0.0.18
six==1.17.0
soupsieve==2.7
sphinx-lint==1.0.0
SQLAlchemy==2.0.42
stack-data==0.6.3
stdlib-list==0.11.1
stripe==11.6.0
structlog==25.4.0
tenacity==9.1.2
termcolor==3.1.0
text-unidecode==1.3
tldextract==5.3.0
tokenize_rt==6.2.0
tqdm==4.67.1
traitlets==5.14.3
transaction==5.0
translationstring==1.4
trove-classifiers==2025.5.9.12
tuf==6.0.0
types-awscrt==0.27.4
types-babel==2.11.0.15
types-certifi==2021.10.8.3
types-cffi==1.17.0.20250523
types-first==2.0.5.20240806
types-html5lib==1.1.11.20250708
types-itsdangerous==1.1.6
types-passlib==1.7.7.20250602
types-pyOpenSSL==24.1.0.20240722
types-python-slugify==8.0.2.20240310
types-pytz==2025.2.0.20250516
types-redis==4.6.0.20241004
types-requests==2.32.4.20250611
types-s3transfer==0.13.0
types-setuptools==80.9.0.20250529
types-stripe==3.5.2.20240106
types-WebOb==1.8.0.20250703
types-WTForms==3.2.1.20250602
types-zxcvbn==4.5.0.20250223
typing-inspection==0.4.1
typing_extensions==4.14.1
tzdata==2025.2
ua-parser==1.0.1
ua-parser-builtins==0.18.0.post1
urllib3==2.5.0
venusian==3.1.1
vine==5.1.0
waitress==3.0.2
watchdog==6.0.0
wcwidth==0.2.13
webauthn==2.6.0
webencodings==0.5.1
WebOb==1.8.9
WebTest==3.0.6
Werkzeug==3.1.1
wheel==0.45.1
whitenoise==6.9.0
wired==0.4
wrapt==1.17.2
WTForms==3.2.1
xmltodict==0.14.2
zipp==3.23.0
zope.deprecation==5.1
zope.event==5.1.1
zope.interface==7.2
zope.schema==7.0.1
zope.sqlalchemy==3.1
zxcvbn==4.5.0

Operating System

No response

Labels

ASM (Application Security Monitoring), bug