LLNL / Surfactant

Modular framework for SBOM generation that gathers file information and analyzes dependencies
MIT License

FIPS-compliant OpenSSL does not allow md5 hashing #220

Open nightlark opened 4 weeks ago

nightlark commented 4 weeks ago

hashlib.md5 gives an error on systems with a FIPS-compliant OpenSSL library. At least for Python versions 3.9+, there is a usedforsecurity flag that can be given to hashlib.md5 to make it (hopefully) work on most of those systems.

nightlark commented 4 weeks ago

The specific error it fails with (on a RHEL8 system) is:

Traceback (most recent call last):
  File "/home/mast9/surfactant-docker-scout/surfactant/cmd/generate.py", line 369, in sbom
    sw_parent, sw_children = get_software_entry(
  File "/home/mast9/surfactant-docker-scout/surfactant/cmd/generate.py", line 37, in get_software_entry
    sw_entry = Software.create_software_from_file(filepath)
  File "/home/mast9/surfactant-docker-scout/surfactant/sbomtypes/_software.py", line 73, in create_software_from_file
    file_hashes = calc_file_hashes(filepath)
  File "/home/mast9/surfactant-docker-scout/surfactant/fileinfo.py", line 57, in calc_file_hashes
    md5_hash = md5(usedforsecurity=True)
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
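The traceback above shows the call being made with usedforsecurity=True, which a FIPS-mode OpenSSL rejects. As an added example (not Surfactant's own code), the following hashes a file the way the first comment suggests: MD5 is requested with usedforsecurity=False, since it is only a file fingerprint here, and a platform that still refuses MD5 degrades to a missing digest instead of crashing. All function names are hypothetical and the sample file is constructed inline.

```python
# Added example, not Surfactant's code. Names below are hypothetical.
import hashlib
import sys
import tempfile
from pathlib import Path


def _md5_ctx():
    """Return an MD5 context, or None if this OpenSSL build refuses MD5."""
    try:
        if sys.version_info >= (3, 9):
            # usedforsecurity=False declares a non-security (fingerprint) use,
            # which FIPS builds generally still permit for MD5.
            return hashlib.md5(usedforsecurity=False)
        return hashlib.md5()  # older Python: no flag available
    except ValueError:
        # Some hardened builds disable MD5 entirely; degrade, don't abort.
        return None


def calc_file_hashes_fips_safe(filepath):
    """Return md5/sha1/sha256 hex digests; 'md5' is None when unavailable."""
    md5_hash = _md5_ctx()
    sha1_hash = hashlib.sha1()
    sha256_hash = hashlib.sha256()
    with open(filepath, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            if md5_hash is not None:
                md5_hash.update(chunk)
            sha1_hash.update(chunk)
            sha256_hash.update(chunk)
    return {
        "md5": md5_hash.hexdigest() if md5_hash is not None else None,
        "sha1": sha1_hash.hexdigest(),
        "sha256": sha256_hash.hexdigest(),
    }


def demo():
    """Hash a constructed temporary file and return the digests."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"hello world\n")  # constructed sample content
        path = tmp.name
    try:
        return calc_file_hashes_fips_safe(path)
    finally:
        Path(path).unlink()
```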