Skip to content

fix/cci upload rename#147

Open
markcrivera wants to merge 2 commits into
developfrom
fix/cci-upload-rename
Open

fix/cci upload rename#147
markcrivera wants to merge 2 commits into
developfrom
fix/cci-upload-rename

Conversation

@markcrivera
Copy link
Copy Markdown
Collaborator

@markcrivera markcrivera commented May 15, 2025

No longer uses system defined temp dir to upload CCI matrix to. Now uploads directly to configured dir.

@markcrivera
Saves directly to configured dir.
5ae3edd 
Signed-off-by: Mark Rivera <mcrivera@gmail.com>
@markcrivera markcrivera changed the title Fix/cci upload rename fix/cci upload rename May 15, 2025
@Amndeep7 Amndeep7 temporarily deployed to tir-fix-cci-upload-rena-s9zz1p May 15, 2025 19:18 Inactive
github-advanced-security[bot]
github-advanced-security AI found potential problems May 15, 2025
View reviewed changes
Comment thread server/utils/hash.ts

export function hashPassword(password: string, salt: string, secretKey: string): string {
const hmac = crypto.createHmac("sha256", secretKey);
hmac.update(password);

Check failure

Code scanning / CodeQL

Use of password hash with insufficient computational effort

Password from [an access to INIT_PASSWORD](1) is hashed insecurely. Password from [an access to INIT_PASSWORD](2) is hashed insecurely. Password from [an access to inputPassword](3) is hashed insecurely. Password from [an access to password](4) is hashed insecurely.
Copy link
Copy Markdown
Collaborator Author

@markcrivera markcrivera May 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think CodeQL may be indavertantly flagging on hmac.update.

hmac.upadate(password) is an intermediate step, not the final hash.

We are HMAC-ing the password with a secretKey using SHA-256 (not a weak hash like MD5 or SHA-1 stated in the Show more details).

We are feeding the result into PBKDF2, recommended by NIST and OWASP and has FIPS-140 validated implementations,.

We are using 600000 iterations which exceeds NIST requirements (>10,000) and is the recommended # of iterations by OWASP when using PBKDF2-HMAC-SHA256.

@markcrivera markcrivera changed the base branch from main to develop May 15, 2025 20:00
@markcrivera markcrivera marked this pull request as draft May 19, 2025 13:22
@mitre mitre deleted a comment from sonarqubecloud Bot May 19, 2025
@markcrivera markcrivera marked this pull request as ready for review May 19, 2025 14:46
@markcrivera
Updated import statement.
c1530ff 
Signed-off-by: Mark Rivera <mcrivera@gmail.com>
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 19, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@markcrivera @github-advanced-security @Amndeep7