uuidjs/uuid

Security Vulnerability picked up by Fortify Scan

nekyouto opened this issue · 2 comments

Describe the bug

We were performing a scan on the uuid JavaScript library and the Fortify application has picked up the following items that are flagged as vulnerabilities.
(The reason is that our project has imported this library as a dependency, and part of our deliverable requires scanning the full source code and identifying/removing the vulnerable items.)

(Low) Weak Cryptographic Hash
No. of items picked up by the Fortify Scan: 1
Kindly refer to the following image, scanImage1.png

Do give us a heads up on when the team is planning to fix these vulnerabilities and/or the possible workarounds to prevent the same items from being picked up by the Fortify Scans again.

Expected behavior

No Security Vulnerability

SHA1 is being used to generate UUID v5 ids, and we cannot change that algorithm since it's in the specification...

Not sure if there is any reasonable action we can take here, and I'm also surprised that your tool didn't pick up the MD5 algorithm which is even weaker...

Do give us a heads up on when the team is planning to fix these vulnerabilities and/or the possible workarounds to prevent the same items from being picked up by the Fortify Scans again.

This issue won't be fixed in the foreseeable future. As @LinusU says, the use of SHA1 and MD5 is part of RFC4122. See versions 3 and 5, here. Until the spec is revised, we'll continue to support SHA-1 namespace UUIDs.

(FWIW: Spec revision efforts tend to be years-long, tedious processes, and I'm not aware of any activity around RFC4122 in this regard, so I don't see this situation changing anytime soon.)

@nekyouto: I'm not sure how/why you're running Fortify scans on this library but this library is designed such that tree-shaking bundlers will remove unused code. If you're running this scan on a specific application codebase, consider scanning the bundled code. It may be that the v5() routine is not used and, thus, won't appear.