We use the following lib:

import "crypto/sha1"

While running golangci-lint we got the following errors:

    G505: Blocklisted import crypto/sha1: weak cryptographic primitive (gosec) for "crypto/sha1"

    G401: Use of weak cryptographic primitive (gosec)
        sha := sha1.New()

Is there something that I can do without excluding them? I'm not sure that I understand those issues. If it was not related to security it would be a simple task to exclude ...

Update

What we are doing is:

    fdrContent, err := ioutil.ReadFile(filepath.Join(path))
    if err != nil {
        return nil, err
    }
    // gets the hashcode of the FDR file
    h := sha1.New()
    h.Write(fdrContent) // hash.Hash.Write never returns an error; its first result is the byte count, not the digest
    code := h.Sum(nil)  // the actual SHA-1 digest of the file contents
    return code, err
Rayn D
    Check why you are using it and whether security is a concern for that specific use case. If it is, use something else. Without more info, we can't tell. – Marc Sep 06 '20 at 12:20
  • @Marc - but Im not sure what is the problem, I need to know it before Im changing to something else :) – Rayn D Sep 06 '20 at 13:10
  • The problem is that `sha1` is considered pretty broken (see the [wikipedia page](https://en.wikipedia.org/wiki/SHA-1) for a brief overview of attacks). If you're using it for anything sensitive, stop. If you want our opinion, you'll need to tell us what you're using it for. – Marc Sep 06 '20 at 13:12
  • @Marc - please see my update – Rayn D Sep 06 '20 at 13:17
  • Ok, so you're calculating the hash of a file. Is it to verify its integrity, or something like duplicate file checks? If the former, stop using `sha1`, collisions have been found meaning someone could make another file with the same hash. Please elaborate on the use case. – Marc Sep 06 '20 at 13:29

1 Answer

I use h.Write in my own gtarsum project as here:

        h := sha256.New()
        buf := make([]byte, 1024*1024) // one reusable 1 MiB read buffer
        for {
            bytesRead, err := tr.Read(buf)
            if bytesRead > 0 {
                // feed whatever was read into the hash before looking at err
                if _, werr := h.Write(buf[:bytesRead]); werr != nil {
                    panic(werr)
                }
            }
            if err != nil {
                if err != io.EOF {
                    panic(err)
                }
                break // io.EOF: the whole entry has been hashed
            }
        }
        sum := h.Sum(nil) // the finished SHA-256 digest

All you have to do, if there is no obvious performance issue, is to switch to sha256.
No more warning.
The issue comes from the SHA-1 collision, which I have documented here, from the shattered.io project.

VonC
  • Out of curiosity, what in the question indicates that this is using `cloudfoundry/capi-release`? – Marc Sep 06 '20 at 12:57
  • @Marc This is just one project which has a similar issue. I have removed that reference to avoid any confusion. – VonC Sep 06 '20 at 13:19
  • From OP's clarification, it's clear this has nothing to do with cloud foundry. The question is not about how to ignore the check, it's about whether they should. – Marc Sep 06 '20 at 13:21
  • @Marc This is about where that warning is coming from, which is exactly what my answer addresses. – VonC Sep 06 '20 at 13:21
  • 1
    Any project using `sha1` and running this linter will encounter the same warning. Whether they should do anything about it is another question entirely (and the one relevant here). – Marc Sep 06 '20 at 13:22
  • Please read the question again. OP understands where the warning comes from, they are just unsure about the right course of action. – Marc Sep 06 '20 at 13:23
  • @Marc Right. Answer rewritten accordingly. – VonC Sep 06 '20 at 13:27
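As an added worked example (not code from the question, the answer, or the gtarsum project), here is a small Go program that does what the answer recommends for the question's use case: it hashes a file with SHA-256 instead of SHA-1, streams the file through the hash rather than reading it fully into memory, and compares a digest against an expected value in constant time. The function names `FileSHA256Hex`, `BytesSHA256Hex`, `VerifyDigest` and the temporary file are my own choices; the expected digest of `"abc"` is the published SHA-256 test vector.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"hash"
	"io"
	"os"
)

// digestReader streams r through h and returns the finished digest.
// io.Copy performs the chunked Read/Write loop that the answer's snippet
// writes out by hand, without loading the whole file into memory.
func digestReader(h hash.Hash, r io.Reader) ([]byte, error) {
	if _, err := io.Copy(h, r); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// FileSHA256Hex returns the SHA-256 digest of the file at path as lowercase hex.
// This is the drop-in replacement for the sha1.New() call in the question;
// gosec's G401/G505 checks do not flag crypto/sha256.
func FileSHA256Hex(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	sum, err := digestReader(sha256.New(), f)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(sum), nil
}

// BytesSHA256Hex hashes an in-memory buffer (the ioutil.ReadFile case in the
// question). The digest comes from Sum; hash.Hash.Write only reports how many
// bytes it consumed, which is what `code, err := h.Write(...)` in the question
// actually returns.
func BytesSHA256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDigest reports whether a computed hex digest matches the expected one.
// It compares in constant time so an integrity check does not leak through timing.
func VerifyDigest(gotHex, wantHex string) bool {
	got, err := hex.DecodeString(gotHex)
	if err != nil {
		return false
	}
	want, err := hex.DecodeString(wantHex)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	// Constructed sample input: a temporary file standing in for the FDR file.
	tmp, err := os.CreateTemp("", "fdr-*.bin")
	if err != nil {
		panic(err)
	}
	defer os.Remove(tmp.Name())
	if _, err := tmp.WriteString("abc"); err != nil {
		panic(err)
	}
	tmp.Close()

	fileSum, err := FileSHA256Hex(tmp.Name())
	if err != nil {
		panic(err)
	}
	fmt.Println("streamed :", fileSum)
	fmt.Println("in-memory:", BytesSHA256Hex([]byte("abc")))
	// Known SHA-256 of "abc" (FIPS 180-4 test vector).
	const want = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
	fmt.Println("verified :", VerifyDigest(fileSum, want))
}
```

If the digest is used for integrity (detecting a tampered or substituted file), the switch to SHA-256 is the fix, since a SHA-1 collision lets two different files share one hash. If SHA-1 is only used to match an external format that mandates it, the remaining option is a scoped suppression such as a `//nolint:gosec` comment on that one line, with a comment explaining why it is not a security boundary.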