IBM / ibm-cos-sdk-js

Apache License 2.0

ibm-cos-sdk-js is not FIPS compliant because it uses crypto-browserify #96

Closed HMhamedminaee closed 2 months ago

HMhamedminaee commented 1 year ago

Hi

We are using ibm-cos-sdk-js and are required to be FIPS compliant, but this library (ibm-cos-sdk-js) is blocking us, as it uses crypto-browserify, which is not FIPS compliant. Do you have any timeline or approach to fix this issue?

For more info on why crypto-browserify is not FIPS compliant, which consequently makes ibm-cos-sdk-js non-FIPS compliant as well, see https://www.npmjs.com/package/crypto-browserify: "The goal of this module is to reimplement node's crypto module, in pure javascript so that it can run in the browser." Thanks

arnabm28 commented 1 year ago

We have an internal ticket for this issue.

linchiah commented 1 year ago

@arnabm28 Hi, I just want to follow up on this issue. Has it been addressed? Thanks.

arnabm28 commented 1 year ago

Hi,

This is a backlog item. Unfortunately, it is currently not part of our roadmap or current release, so it remains in the backlog.

Thanks.

remansour commented 10 months ago

@arnabm28 We (IBM Cloud Console) have 12 UI microservices importing your package, and it is now being flagged by Prisma Cloud (Twistlock) as a configuration issue that we need to remediate.

The IBM Cloud Policy requires every service to be using Prisma Cloud for scanning in the Production and non-production environments. Having these reported as findings will cause additional compliance complications and failures.

Can you provide an ETA on when this will be resolved?

toeikmei commented 10 months ago

@arnabm28 Additionally, the subdependency browserify-sign of crypto-browserify is now flagged as containing a high-severity security vulnerability: https://github.com/advisories/GHSA-x9w5-v3q2-3rhw

Since crypto-browserify is not maintained anymore I guess you need to replace the whole module. As @remansour asked is there an ETA?

IBMalok commented 10 months ago

@toeikmei Regarding the vulnerability https://github.com/advisories/GHSA-x9w5-v3q2-3rhw: the browserify-sign dependency package is always downloaded at the latest version (in this case 4.2.2) because we don't specify any particular version for browserify-sign. Thus, there's no fix needed.

We are looking for an alternative to crypto-browserify and we are not in a position to provide an ETA at this time.

remansour commented 7 months ago

@IBMalok Can you give an indication on the progress on this issue?

IBMalok commented 6 months ago

@remansour A quick update: The team is addressing the issue and making the necessary changes to fix it. Most likely, we will have deliveries by the middle of Q2.

IBMalok commented 4 months ago

@HMhamedminaee @linchiah @toeikmei @remansour The fix is provided in 1.13.4; please verify and close.

IBMalok commented 2 months ago

Closing as fix already provided.