
Re-evaluate gosec error about using "weak cryptographic primitive" #4759

Closed
bogdandrutu opened this issue Mar 28, 2020 · 7 comments · Fixed by #19779 or #22831
Labels: bug (Something isn't working), help wanted (Extra attention is needed), priority:p3 (Lowest), processor/attributes (Attributes processor), processor/resource (Resource processor)

Comments

@bogdandrutu (Member)

crypto/sha1 is imported in processor/processorhelper/hasher.go and some tests, and we suppress the warning from Gosec about it being a weak cryptographic primitive. We should document why SHA1 is appropriate (e.g. it's part of an external specification), or switch to something else.

[/Users/lazy/github/opentelemetry-collector/processor/attributesprocessor/attribute_hasher.go:18] - G505 (CWE-327): Blacklisted import crypto/sha1: weak cryptographic primitive (Confidence: HIGH, Severity: MEDIUM)
  > "crypto/sha1"


[/Users/lazy/github/opentelemetry-collector/processor/attributesprocessor/attribute_hasher.go:61] - G401 (CWE-326): Use of weak cryptographic primitive (Confidence: HIGH, Severity: MEDIUM)
  > sha1.New()
@bogdandrutu bogdandrutu transferred this issue from open-telemetry/opentelemetry-collector Aug 20, 2021
@evan-bradley (Contributor)

SHA-1 is still used in internal/coreinternal/attraction/hasher.go, which is used for the hash action by both the attributes processor and the resource processor.

@evan-bradley evan-bradley added bug Something isn't working help wanted Extra attention is needed priority:p3 Lowest processor/attributes Attributes processor processor/resource Resource processor labels Sep 13, 2022
@github-actions (Contributor)

Pinging code owners: @dmitryax. See Adding Labels via Comments if you do not have permissions to add labels yourself.

@github-actions (Contributor)

Pinging code owners: @boostchicken. See Adding Labels via Comments if you do not have permissions to add labels yourself.

@github-actions (Contributor)

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@github-actions github-actions bot added the Stale label Nov 14, 2022
@dmitryax dmitryax removed the Stale label Nov 14, 2022
@github-actions (Contributor)

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@github-actions github-actions bot added the Stale label Jan 16, 2023
@github-actions (Contributor)

This issue has been closed as inactive because it has been stale for 120 days with no activity.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Mar 17, 2023
@dmitryax dmitryax reopened this Mar 17, 2023
@atoulme (Contributor) commented Mar 18, 2023

Can we move to sha2-256?

codeboten pushed a commit that referenced this issue Mar 24, 2023
Stop using sha-1, a deprecated hashing algorithm which triggers security reports, and use sha2-256 instead.

Link to tracking Issue:
Fixes #4759 and #5576
dmitryax pushed a commit that referenced this issue Sep 7, 2023
…on.hash.sha256` to stable (#26493)

**Description:** 
Transition featuregate `coreinternal.attraction.hash.sha256` to stable

**Link to tracking Issue:**
#4759
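The pattern the thread converges on, a gated switch from SHA-1 to SHA-256 for the hash action so that downstream consumers see a deliberate rather than silent change of digest format, as an added example that is not the collector's own code; the `Hasher` type, its `UseSHA256` flag standing in for the feature gate, and `DigestLength` are assumptions for illustration.

```go
package main

import (
	"crypto/sha1" // #nosec G505 -- legacy hash-action output kept only until the sha256 gate is stable
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Hasher replaces an attribute value with a hex-encoded digest, in the spirit
// of the attributes/resource processor "hash" action. UseSHA256 stands in for
// the feature gate named in the thread (assumed shape, not the project's type):
// flipping it changes every hashed value, so the switch must be explicit.
type Hasher struct {
	UseSHA256 bool
}

// Hash returns the hex digest of value using the selected algorithm.
func (h Hasher) Hash(value string) string {
	if h.UseSHA256 {
		sum := sha256.Sum256([]byte(value))
		return hex.EncodeToString(sum[:])
	}
	// Legacy path. SHA-1 is collision-broken and deprecated for security use,
	// so the gosec suppression carries its justification ("#nosec RULE -- reason")
	// instead of silently hiding the G401 finding quoted in the issue.
	sum := sha1.Sum([]byte(value)) // #nosec G401 -- legacy output during the SHA-256 transition
	return hex.EncodeToString(sum[:])
}

// DigestLength reports the hex length a consumer will receive; the jump from
// 40 to 64 characters is the concrete compatibility break the gate guards.
func DigestLength(h Hasher) int {
	return len(h.Hash(""))
}

func main() {
	for _, h := range []Hasher{{UseSHA256: false}, {UseSHA256: true}} {
		fmt.Printf("sha256=%v len=%d digest(abc)=%s\n", h.UseSHA256, DigestLength(h), h.Hash("abc"))
	}
}
```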