search

getsentry / sentry-javascript-bundler-plugins

JavaScript Bundler Plugins for Sentry
https://sentry.io
BSD 3-Clause "New" or "Revised" License
142 stars 37 forks source link

'bundler-plugin-core' is incompatible with FIPS 140-2 #618

Closed denver-HJS closed 1 month ago

denver-HJS commented 1 month ago

Environment

Framework: NextJs

MyMacBook % npm list @sentry/nextjs
my-project@1.11.0 /Users/denverb/workspace/my-apps/my-project
└── @sentry/nextjs@8.34.0

CLI version:

MyMacBook % npm list @sentry/cli
my-project@1.11.0 /Users/denverb/workspace/my-apps/my-project
├─┬ @sentry/bundler-plugin-core@2.22.5
│ └── @sentry/cli@2.37.0
└─┬ @sentry/nextjs@8.34.0
  └─┬ @sentry/webpack-plugin@2.22.3
    └─┬ @sentry/bundler-plugin-core@2.22.3
      └── @sentry/cli@2.37.0 deduped

Bundler Plugin Core version: @sentry/bundler-plugin-core@2.22.3 <-- being used by the webpack-plugin

Container base image: Chainguard's node-fips image built with Node v22 (see here) which ships with the OpenSSL FIPS provider.

Steps to Reproduce

  1. Install the latest @sentry/nextjs version
  2. Install the latest @sentry/bundler-plugin-core version
  3. Create a Dockerfile that pulls the Chainguard node-fips image, copies the source files into the image, and runs the NextJs build build command
  4. Run the docker build . command

Expected Result

The NextJs app can be built successfully (whether building in the Docker context or if building on the local host machine running with FIPS mode enabled)

Actual Result

The bundler-plugin-core package causes a Webpack error due to its use of MD5 cryptography, which is not available when running in FIPS mode.

Build Error Note: The warning about the server-side config files is because I updated to the latest Sentry NextJs version as a part of this troubleshooting process, and I have not migrated those to the NextJs middleware file yet. I do plan to once I have this working. ```bash 0.600 ▲ Next.js 14.2.15 0.600 - Environments: .env.local 0.600 - Experiments (use with caution): 0.601 · instrumentationHook 0.601 0.636 Creating an optimized production build ... 0.833 [@sentry/nextjs] It appears you've configured a `sentry.server.config.ts` file. Please ensure to put this file's content into the `register()` function of a Next.js instrumentation hook instead. To ensure correct functionality of the SDK, `Sentry.init` must be called inside `instrumentation.ts`. Learn more about setting up an instrumentation hook in Next.js: https://nextjs.org/docs/app/building-your-application/optimizing/instrumentation. You can safely delete the `sentry.server.config.ts` file afterward. 0.896 [@sentry/nextjs] It appears you've configured a `sentry.edge.config.ts` file. Please ensure to put this file's content into the `register()` function of a Next.js instrumentation hook instead. To ensure correct functionality of the SDK, `Sentry.init` must be called inside `instrumentation.ts`. Learn more about setting up an instrumentation hook in Next.js: https://nextjs.org/docs/app/building-your-application/optimizing/instrumentation. You can safely delete the `sentry.edge.config.ts` file afterward. 2.450 (node:17) [DEP0040] DeprecationWarning: The `punycode` module is deprecated. Please use a userland alternative instead. 2.450 (Use `node --trace-deprecation ...` to show where the warning was created) 20.21 Failed to compile. 20.21 20.21 HookWebpackError: error:0308010C:digital envelope routines::unsupported 20.21 at makeWebpackError (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:312635) 20.21 at /app/node_modules/next/dist/compiled/webpack/bundle5.js:28:106060 20.21 at eval (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), :122:1) 20.21 at fn (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:69128) 20.21 at Hook.eval [as callAsync] (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), :120:1) 20.21 at Hook.CALL_ASYNC_DELEGATE [as _callAsync] (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:26012) 20.21 at cont (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:106006) 20.21 at /app/node_modules/next/dist/compiled/webpack/bundle5.js:28:107126 20.21 at symbolIterator (/app/node_modules/next/dist/compiled/neo-async/async.js:1:14444) 20.21 at done (/app/node_modules/next/dist/compiled/neo-async/async.js:1:14824) 20.21 -- inner error -- 20.21 Error: error:0308010C:digital envelope routines::unsupported 20.21 at new Hash (node:internal/crypto/hash:79:19) 20.21 at Object.createHash (node:crypto:139:10) 20.21 at Object.stringToUUID (/app/node_modules/@sentry/webpack-plugin/node_modules/@sentry/bundler-plugin-core/dist/cjs/index.js:592:43) 20.21 at banner (/app/node_modules/@sentry/webpack-plugin/dist/cjs/index.js:157:157) 20.21 at Compilation.getAssetPath (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:127575) 20.21 at Compilation.getPath (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:127386) 20.21 at /app/node_modules/next/dist/compiled/webpack/bundle5.js:28:15096 20.21 at fn (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:69107) 20.21 at Hook.eval [as callAsync] (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), :120:1) 20.21 at Hook.CALL_ASYNC_DELEGATE [as _callAsync] (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:26012) 20.21 caused by plugins in Compilation.hooks.processAssets 20.21 Error: error:0308010C:digital envelope routines::unsupported 20.21 at new Hash (node:internal/crypto/hash:79:19) 20.21 at Object.createHash (node:crypto:139:10) 20.21 at Object.stringToUUID (/app/node_modules/@sentry/webpack-plugin/node_modules/@sentry/bundler-plugin-core/dist/cjs/index.js:592:43) 20.21 at banner (/app/node_modules/@sentry/webpack-plugin/dist/cjs/index.js:157:157) 20.21 at Compilation.getAssetPath (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:127575) 20.21 at Compilation.getPath (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:127386) 20.21 at /app/node_modules/next/dist/compiled/webpack/bundle5.js:28:15096 20.21 at fn (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:69107) 20.21 at Hook.eval [as callAsync] (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), :120:1) 20.21 at Hook.CALL_ASYNC_DELEGATE [as _callAsync] (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:26012) 20.21 20.21 HookWebpackError: error:0308010C:digital envelope routines::unsupported 20.21 at makeWebpackError (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:312635) 20.21 at /app/node_modules/next/dist/compiled/webpack/bundle5.js:28:106060 20.21 at eval (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), :103:1) 20.21 at fn (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:69128) 20.21 at _next0 (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), :101:1) 20.21 at eval (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), :114:1) 20.21 at eval (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), :11:1) 20.21 at /app/node_modules/next/dist/compiled/webpack/bundle5.js:28:69383 20.21 at Hook.eval [as callAsync] (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), :7:1) 20.21 at Hook.CALL_ASYNC_DELEGATE [as _callAsync] (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:26012) 20.21 -- inner error -- 20.21 Error: error:0308010C:digital envelope routines::unsupported 20.21 at new Hash (node:internal/crypto/hash:79:19) 20.21 at Object.createHash (node:crypto:139:10) 20.21 at Object.stringToUUID (/app/node_modules/@sentry/webpack-plugin/node_modules/@sentry/bundler-plugin-core/dist/cjs/index.js:592:43) 20.21 at banner (/app/node_modules/@sentry/webpack-plugin/dist/cjs/index.js:157:157) 20.21 at Compilation.getAssetPath (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:127575) 20.21 at Compilation.getPath (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:127386) 20.21 at /app/node_modules/next/dist/compiled/webpack/bundle5.js:28:15096 20.21 at fn (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:69107) 20.21 at _next0 (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), :101:1) 20.21 at eval (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), :114:1) 20.21 caused by plugins in Compilation.hooks.processAssets 20.21 Error: error:0308010C:digital envelope routines::unsupported 20.21 at new Hash (node:internal/crypto/hash:79:19) 20.21 at Object.createHash (node:crypto:139:10) 20.21 at Object.stringToUUID (/app/node_modules/@sentry/webpack-plugin/node_modules/@sentry/bundler-plugin-core/dist/cjs/index.js:592:43) 20.21 at banner (/app/node_modules/@sentry/webpack-plugin/dist/cjs/index.js:157:157) 20.21 at Compilation.getAssetPath (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:127575) 20.21 at Compilation.getPath (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:127386) 20.21 at /app/node_modules/next/dist/compiled/webpack/bundle5.js:28:15096 20.21 at fn (/app/node_modules/next/dist/compiled/webpack/bundle5.js:28:69107) 20.21 at _next0 (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), :101:1) 20.21 at eval (eval at create (/app/node_modules/next/dist/compiled/webpack/bundle5.js:13:28858), :114:1) 20.21 20.21 20.21 > Build failed because of webpack errors ------ ERROR: failed to solve: process "/bin/sh -c npm run build" did not complete successfully: exit code: 1 ```

Is it possible to eliminate the use of MD5 in favor of some alternative that is FIPS compliant? Perhaps SHA-256 will work just as well in this case?

lforst commented 1 month ago

Hi, thanks for writing in! Just because I have 0 knowledge about FIPS, is doing require('crypto').createHash('sha256').update('.....') okay? If so, we can just change it.

denver-HJS commented 1 month ago

Hi, thanks for writing in! Just because I have 0 knowledge about FIPS, is doing require('crypto').createHash('sha256').update('.....') okay? If so, we can just change it.

Thanks for the quick turn around @lforst! I believe that using sha256 is all that is needed here. Do you have any estimate of when your change will be published as a new version in npm, so that I can test this fix out? 🙏

lforst commented 1 month ago

in this particular package I can cut a release today. Until it propagates to the Next.js SDK it might take until next week. If I publish the new version you could add a npm resolution though.

denver-HJS commented 1 month ago

in this particular package I can cut a release today. Until it propagates to the Next.js SDK it might take until next week. If I publish the new version you could add a npm resolution though.

Thanks @lforst, I will keep an eye out for new versions/watch the releases 👍