react-native-windows

Weak cryptography by NodeJS library error

Open jonthysell opened this issue 3 years ago • 2 comments

Problem Description

CodeQL reports 1 Weak cryptography by NodeJS library error in the Hash.ts file.

Steps To Reproduce

Link to CodeQL (corpnet-only): https://onees.lgtm.microsoft.com/projects/u/gh/microsoft%2Freact-native-windows%2Ftree%2Fmain/alerts/?mode=tree&ruleFocus=1001395

Expected Results

No response

CLI version

npx react-native --version

Environment

npx react-native info

Target Platform Version

No response

Target Device(s)

No response

Visual Studio Version

No response

Build Configuration

No response

Snack, code example, screenshot, or link to a repository

    constructor(hashOpts?: HashOpts) {
      this.hash = crypto.createHash('sha1');
      // CodeQL alert: Weak hash algorithms are banned by the SDL. Switch to a SHA2 based cryptographic hash instead.
      this.hashOpts = hashOpts || {};
    }

jonthysell, Sep 13 '22 17:09

This is in the override package, so I think we'd have to make sure that any current override JSON files get updated (and I think this would be a breaking change).

jonthysell, Sep 13 '22 17:09

@chiaramooney Can you verify that if you update this to SHA2 that we can update the override JSON files (which contain those hash results)?

jonthysell, Sep 15 '22 18:09
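The compatibility concern raised in the two comments above (hash results already stored in JSON stop matching once the algorithm changes), sketched as an added example that is not code from react-native-windows. The manifest shape (`file`, `hash`, `hashAlgorithm`), the function names and the sample data are hypothetical.

```javascript
const crypto = require('node:crypto');

// Hex digest of `content` under the named algorithm.
function digest(algorithm, content) {
  return crypto.createHash(algorithm).update(content, 'utf8').digest('hex');
}

// Re-hash one manifest entry. The stored SHA-1 value is used only to confirm
// that the file is unchanged; if it still matches, it is replaced by SHA-256.
function migrateEntry(entry, content) {
  if (entry.hashAlgorithm === 'sha256') {
    const ok = digest('sha256', content) === entry.hash;
    return {...entry, status: ok ? 'current' : 'mismatch'};
  }
  // Assumption: a legacy entry with no algorithm field holds a SHA-1 digest.
  if (digest('sha1', content) !== entry.hash) {
    // File changed since the hash was recorded: keep the entry for review
    // instead of silently recording a new hash over unknown content.
    return {...entry, status: 'mismatch'};
  }
  return {
    file: entry.file,
    hashAlgorithm: 'sha256',
    hash: digest('sha256', content),
    status: 'migrated',
  };
}

// `readFile` maps a file name to its current content.
function migrateManifest(manifest, readFile) {
  return manifest.map(entry => migrateEntry(entry, readFile(entry.file)));
}

// Constructed sample data: one unchanged file, one that drifted.
const files = {
  'a.ts': 'export const a = 1;\n',
  'b.ts': 'export const b = 2;\n',
};
const legacyManifest = [
  {file: 'a.ts', hash: digest('sha1', files['a.ts'])},
  {file: 'b.ts', hash: digest('sha1', 'older content of b\n')},
];

const migrated = migrateManifest(legacyManifest, name => files[name]);
console.log(migrated);
```

Tagging each entry with its algorithm lets a reader of the JSON tell old and new digests apart, which is what makes the switch a format change rather than a silent one.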

Moving to 72 milestone.

chiaramooney, Nov 15 '22 20:11

Other work has taken priority, bumping to next milestone.

chiaramooney, Mar 28 '23 18:03

This has been bumped twice, so it doesn't seem to need to be in a specific release. Do we want to move this to the backlog?

TatianaKapos, Dec 09 '23 00:12