DomainTools/python_api

FIPS Compliance

Opened this issue · 1 comments

Describe the bug
I need to modify this tool to be FIPS compliant and I would love to contribute this back to the community. How would the contributors prefer I contribute to a FIPS compliant version of this app? Pull request, new branch, or create my own fork?

To Reproduce
Steps to reproduce the behavior:

  1. This library depends on the hashlib library and uses md5 as an available hash. However, in a FIPS compliant environment, md5 is not available. This results in errors in other apps that depend on this library if this library does not load properly.

Expected behavior
Eliminate failures associated with running in FIPS compliant environments.

Screenshots
N/A

Desktop (please complete the following information):

  • OS: RHEL 8
  • In this context I am running in a Splunk SOAR App (DomainTools Iris Investigate).

Additional context
The Iris Investigate app is failing to load because it is not FIPS compliant. Based on what I could see, it appears to come down to the fact that this library is packaged within that app and depends on a non-FIPS compliant algorithm (MD5). I would like to contribute a FIPS compliant version back to the community, but would like to follow the guidance from the contributors for this project before doing so.

Hi @Hack3rDan, thanks for your suggestion! I admit I'm not deeply familiar with FIPS compliance. If you could submit a PR with the required changes, we'll review them and see if we can include them in the next release. We need to be mindful that many users still depend on MD5 (for better or worse), so we need to preserve that option for backwards compatibility.
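An added example, not part of the thread and not the project's own code: one way to reconcile the two requirements above is to resolve digests when they are requested rather than when the module loads, so the library imports cleanly on a FIPS host while md5 stays selectable elsewhere. The names `SUPPORTED_HASHES`, `usable_hashes`, `sign` and `fips_like_factory` are hypothetical, and the assumption is that the hash is used for HMAC request signing.

```python
import hashlib
import hmac

# Digest names a caller may request; md5 stays listed for backwards compatibility.
SUPPORTED_HASHES = ("sha256", "sha1", "md5")


class HashUnavailable(ValueError):
    """The requested digest is unknown or blocked by the runtime (e.g. FIPS mode)."""


def fips_like_factory(name, data=b""):
    """Constructed stand-in for hashlib.new on a FIPS-enabled host: md5 is refused."""
    if name == "md5":
        raise ValueError("disabled for FIPS")
    return hashlib.new(name, data)


def usable_hashes(factory=hashlib.new):
    """Probe each supported digest at call time instead of importing it at load time."""
    usable = []
    for name in SUPPORTED_HASHES:
        try:
            factory(name)
        except ValueError:  # raised by hashlib when the digest is not permitted
            continue
        usable.append(name)
    return tuple(usable)


def sign(key, message, hash_name="sha256", factory=hashlib.new):
    """HMAC-sign message; fail with a clear error if the digest cannot be used here."""
    if hash_name not in SUPPORTED_HASHES:
        raise HashUnavailable(f"unsupported hash: {hash_name!r}")
    allowed = usable_hashes(factory)
    if hash_name not in allowed:
        raise HashUnavailable(f"{hash_name} is disabled on this host; use one of {allowed}")
    return hmac.new(key, message, hash_name).hexdigest()


if __name__ == "__main__":
    print("usable here:", usable_hashes())
    print("usable under simulated FIPS:", usable_hashes(fips_like_factory))
```

The probe deliberately does not pass `usedforsecurity=False`, since request signing is a security use of the digest and that flag is meant for non-security uses such as checksums.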