microsoft / react-native-windows

A framework for building native Windows apps with React.
https://microsoft.github.io/react-native-windows/

Weak cryptography by NodeJS library error #10565

Open jonthysell opened 2 years ago

jonthysell commented 2 years ago

Problem Description

CodeQL reports 1 Weak cryptography by NodeJS library error in the Hash.ts file.

Steps To Reproduce

Link to CodeQL (corpnet-only): https://onees.lgtm.microsoft.com/projects/u/gh/microsoft%2Freact-native-windows%2Ftree%2Fmain/alerts/?mode=tree&ruleFocus=1001395

Expected Results

No response

CLI version

npx react-native --version

Environment

npx react-native info

Target Platform Version

No response

Target Device(s)

No response

Visual Studio Version

No response

Build Configuration

No response

Snack, code example, screenshot, or link to a repository

CodeQL's annotated excerpt of the constructor in Hash.ts:

```ts
constructor(hashOpts?: HashOpts) {
  this.hash = crypto.createHash('sha1'); // CodeQL: Weak hash algorithms are banned by the SDL. Switch to a SHA2 based cryptographic hash instead.
  this.hashOpts = hashOpts || {};
}
```
jonthysell commented 2 years ago

This is in the override package, so I think we'd have to make sure that any current override json files get updated (and I think this would be a breaking change)

jonthysell commented 2 years ago

@chiaramooney Can you verify that if you update this to SHA2, we can update the override JSON files (which contain those hash results)?
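An added example, not code from react-native-windows, sketching how the Hash.ts switch to a SHA-2 algorithm could coexist with override JSON files that still record SHA-1 digests: a stored hash is verified with whichever algorithm produced it and flagged for migration instead of being invalidated wholesale. `HashOpts`, `OverrideHasher`, `verifyOverride` and `migrateHash` are hypothetical names, and the override content is constructed.

```typescript
import * as crypto from 'crypto';

type HashAlgorithm = 'sha1' | 'sha256';

// Hypothetical stand-ins for the Hash.ts class the issue refers to.
interface HashOpts { algorithm?: HashAlgorithm }

class OverrideHasher {
  private hash: crypto.Hash;
  constructor(hashOpts?: HashOpts) {
    // Default to SHA-2; SHA-1 is only accepted when verifying legacy entries.
    this.hash = crypto.createHash(hashOpts?.algorithm ?? 'sha256');
  }
  feed(content: string): this { this.hash.update(content); return this; }
  digest(): string { return this.hash.digest('hex'); }
}

// The hex digest length tells us which algorithm produced a stored hash
// (SHA-1 = 160 bits = 40 hex chars, SHA-256 = 256 bits = 64 hex chars).
export function algorithmOf(storedHash: string): HashAlgorithm | undefined {
  switch (storedHash.length) {
    case 40: return 'sha1';
    case 64: return 'sha256';
    default: return undefined;
  }
}

// Verify an override entry against its stored hash using the matching
// algorithm, and report whether the entry still needs migrating to SHA-2.
export function verifyOverride(content: string, storedHash: string):
    { matches: boolean; needsMigration: boolean } {
  const alg = algorithmOf(storedHash);
  if (alg === undefined) return { matches: false, needsMigration: true };
  const actual = new OverrideHasher({ algorithm: alg }).feed(content).digest();
  return { matches: actual === storedHash, needsMigration: alg === 'sha1' };
}

// Re-hash an entry with SHA-256, but only if its legacy hash still verifies,
// so a tampered or stale override is never silently blessed with a new hash.
export function migrateHash(content: string, storedHash: string): string | undefined {
  const { matches } = verifyOverride(content, storedHash);
  return matches ? new OverrideHasher().feed(content).digest() : undefined;
}

// Constructed sample: an override recorded by the old SHA-1 hasher.
export const SAMPLE_CONTENT = 'export const answer = 42;\n';
export const LEGACY_HASH = crypto.createHash('sha1').update(SAMPLE_CONTENT).digest('hex');
```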

chiaramooney commented 1 year ago

Moving to 72 milestone.

chiaramooney commented 1 year ago

Other work has taken priority, bumping to next milestone.

TatianaKapos commented 11 months ago

This has been bumped twice, so it doesn't seem like it needs to be in a specific release. Do we want to move this to the backlog?