cloudfoundry/stratos

Cryptography.NonStandard: Pseudorandom number generators are risky

mahantsucf opened this issue · 1 comment

Stratos Version

Stratos Version 4.4.0

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • [X] Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behavior

When we do an AppScan static scan, the scanning results shouldn’t yield any vulnerabilities.

Actual behavior

We ran AppScan and these vulnerabilities were marked as Low Severity issues.

Steps to reproduce the behavior

AppScan Go: version 0.1.7

Steps

Open the AppScan Go! application.

Check out the Stratos code, release 4.4.0 (https://github.com/cloudfoundry/stratos.git), on your local machine.

Choose the type of scan, i.e. Complete Security Scan.

Click on the Browse button and browse to the src folder (except the test-e2e folder) of the Stratos project that you checked out in step 2.

AppScan Go! retrieves the appropriate files from the selected folder and lists them for review. No need to change anything here; just click on the Continue button.

Click on the Create a new scan button ---> Initiate scan: this will initiate the scan process.

When the upload to AppScan on Cloud is complete, click the link to review the status or results of the scan in the AppScan on Cloud service (you will see lots of high severity issues).

Reference : https://help.hcltechsw.com/appscan/ASoC/src_irx_gen_gui.html

Log output covering before error and any error statements

![AppScan_Log](https://user-images.githubusercontent.com/81233158/127614778-227f559d-faeb-48dc-b3e6-8ee3b276a27d.PNG)

Detailed Description

Exact Location where the issue occurs:
src\frontend\packages\core\src\core\utils.service.ts:300
src\frontend\packages\core\src\shared\components\routing-indicator\routing-indicator.component.ts:68

Context

The application uses a non-standard cryptographic algorithm. Cryptographic algorithms are the methods by which data is scrambled.
There are a small number of well understood and heavily studied algorithms that should be used by most applications. It is quite difficult
to produce a secure algorithm, and even high profile algorithms by accomplished cryptographic experts have been broken. The use of a
non-standard algorithm is dangerous because a determined attacker may be able to break the algorithm and compromise whatever
data has been protected.

Possible Implementation

Use only standard cryptographic algorithms such as AES and RSA. For a hash algorithm, SHA-2 is preferred. MD5 is still quite widely
used, although recent research has demonstrated several theoretical weaknesses, and it should therefore be avoided.

Again, if you took the time to look at the code you'd realise this is not an issue
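The rule name in the report ("Pseudorandom number generators are risky") says what the scanner actually matched: a call to a non-cryptographic PRNG. Whether that is a finding depends on what the random value protects, which a static rule cannot see and which is the point of the reply above. The flagged lines in utils.service.ts and routing-indicator.component.ts are not shown on this page, so the example below is an added illustration and not Stratos code. It assumes a Math.random() call of the kind such scanners report (here used for a cosmetic element id) and places beside it the Web Crypto call to use when a value must be unpredictable (a token, nonce or session identifier). Node's webcrypto stands in for the browser's window.crypto so the block runs offline; the API is the same.

```typescript
// Added example, not from the Stratos code base. Contrasts a non-cryptographic
// PRNG (what AppScan's rule matches) with CSPRNG-backed values for security use.
import { webcrypto } from 'crypto'; // in a browser, use window.crypto directly

// Pattern of the kind scanners flag: Math.random() is a non-cryptographic PRNG.
// Acceptable for a DOM id or UI jitter; never for a CSRF token, nonce or session id.
function cosmeticId(prefix = 'ui'): string {
  return `${prefix}-${Math.random().toString(36).slice(2, 10)}`;
}

// CSPRNG-backed token: `bytes` random bytes from Web Crypto, hex encoded.
function secureToken(bytes = 16): string {
  const buf = new Uint8Array(bytes);
  webcrypto.getRandomValues(buf); // same getRandomValues API as the browser
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Uniform integer in [0, n) from the CSPRNG. Rejection sampling removes the
// modulo bias a plain `word % n` would have whenever 2^32 is not a multiple of n.
function secureIntBelow(n: number): number {
  const TWO_32 = 0x1_0000_0000;
  if (!Number.isInteger(n) || n <= 0 || n > TWO_32) {
    throw new RangeError('n must be an integer in 1..2^32');
  }
  const limit = Math.floor(TWO_32 / n) * n; // largest multiple of n not above 2^32
  const word = new Uint32Array(1);
  for (;;) {
    webcrypto.getRandomValues(word);
    if (word[0] < limit) return word[0] % n; // values in the biased tail are redrawn
  }
}

// Where the value goes decides which generator is right; the scanner only sees the call.
function pickGenerator(purpose: 'dom-id' | 'ui-delay' | 'csrf-token' | 'nonce'): string {
  return purpose === 'dom-id' || purpose === 'ui-delay' ? 'Math.random' : 'crypto.getRandomValues';
}
```

The triage question for each flagged line is the one pickGenerator encodes: if the value never leaves the UI and an attacker gains nothing by guessing it, the finding is noise; if it is a token, nonce or identifier an attacker must not predict, replace the call with getRandomValues and, for bounded integers, draw with rejection sampling rather than a bare modulo.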