Skip to content

fix/cci upload rename #147

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: develop
Choose a base branch
from
Open

fix/cci upload rename #147

wants to merge 2 commits into from

Conversation

markcrivera
Copy link
Collaborator

No longer uses system defined temp dir to upload CCI matrix to. Now uploads directly to configured dir.

@markcrivera markcrivera changed the title Fix/cci upload rename fix/cci upload rename May 15, 2025
@Amndeep7 Amndeep7 temporarily deployed to tir-fix-cci-upload-rena-s9zz1p May 15, 2025 19:18 Inactive
github-advanced-security[bot]
github-advanced-security bot found potential problems May 15, 2025
View reviewed changes
server/utils/hash.ts Outdated

export function hashPassword(password: string, salt: string, secretKey: string): string {
const hmac = crypto.createHmac("sha256", secretKey);
hmac.update(password);

Check failure

Code scanning / CodeQL

Use of password hash with insufficient computational effort

Password from [an access to INIT_PASSWORD](1) is hashed insecurely. Password from [an access to INIT_PASSWORD](2) is hashed insecurely. Password from [an access to inputPassword](3) is hashed insecurely. Password from [an access to password](4) is hashed insecurely.
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think CodeQL may be indavertantly flagging on hmac.update.

hmac.upadate(password) is an intermediate step, not the final hash.

We are HMAC-ing the password with a secretKey using SHA-256 (not a weak hash like MD5 or SHA-1 stated in the Show more details).

We are feeding the result into PBKDF2, recommended by NIST and OWASP and has FIPS-140 validated implementations,.

We are using 600000 iterations which exceeds NIST requirements (>10,000) and is the recommended # of iterations by OWASP when using PBKDF2-HMAC-SHA256.

@markcrivera markcrivera changed the base branch from main to develop May 15, 2025 20:00
@markcrivera markcrivera marked this pull request as draft May 19, 2025 13:22
@mitre mitre deleted a comment from sonarqubecloud bot May 19, 2025
@markcrivera markcrivera marked this pull request as ready for review May 19, 2025 14:46
@markcrivera
Updated import statement.
c1530ff 
Signed-off-by: Mark Rivera <[email protected]>
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@markcrivera @Amndeep7