ibm-cos-sdk-js is not fips compliant because it uses crypto-browserify #96
Comments
|
We have an internal ticket for this issue. |
|
@arnabm28 Hi, just want to follow up on this issue. Has it been addressed? Thanks. |
|
Hi, This is part of our backlog item. Thanks. |
|
@arnabm28 We (IBM Cloud Console) have 12 UI microservices importing your package and it is now being flagged by Prisma Cloud (Twistlock) as Configuration issues that we need to remediate. The IBM Cloud Policy requires every service to be using Prisma Cloud for scanning in the Production and non-production environments. Having these reported as findings will cause additional compliance complications and failures. Can you provide an ETA on when this will be resolved? |
|
@arnabm28 additionally the subdependency browserify-sign of crypto-browserify is now flagged to contain a security vulnerability with the severity high: GHSA-x9w5-v3q2-3rhw Since crypto-browserify is not maintained anymore I guess you need to replace the whole module. As @remansour asked is there an ETA? |
|
@toeikmei regarding- vulnerability GHSA-x9w5-v3q2-3rhw We are looking for an alternative to crypto-browserify and we are not in a position to provide an ETA at this time. |
|
@IBMalok Can you give an indication on the progress on this issue? |
|
@remansour |
|
@HMhamedminaee @linchiah @toeikmei @remansour |
Hi
we are using ibm-cos-sdk-js and we are required to be fips compliant but this library (ibm-cos-sdk-js) is blocking us as ibm-cos-sdk-js uses crypto-browserify which is not fips compliant. Do you have any timeline or approach to fix this issue?
For more info as why crypto-browserify is non fips compiant which consequently makes ibm-cos-sdk-js non fips compliant as well:
https://www.npmjs.com/package/crypto-browserify
The goal of this module is to reimplement node's crypto module, in pure javascript so that it can run in the browser.Thanks
The text was updated successfully, but these errors were encountered: