Bug 969370

Summary: Coverage fails to generate html report in fips mode
Product: Red Hat Enterprise Linux 7
Component: python-coverage
Version: 7.0
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Reporter: Bohuslav "Slavek" Kabrda <bkabrda>
Assignee: Python Maintainers <python-maint>
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
CC: mitr
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-02-05 11:33:10 UTC
Bug Blocks: 839624

Description Bohuslav "Slavek" Kabrda 2013-05-31 10:03:40 UTC
Coverage implements a "Hasher" class in coverage/misc.py [1] that uses MD5 to create a hash of an arbitrary structure. The only place where Hasher is instantiated is coverage/html.py [2], which hashes the settings of the html generator and compares them with other settings.
So from one point of view, this seems to be a good candidate to use usedforsecurity=False. But that would need to be done inside the Hasher class, and if a developer used this in some other library that would use Hasher for security purposes, it would be a problem.
I guess the best thing to do here is to just let html report generation from coverage fail in fips.


[1] https://bitbucket.org/ned/coveragepy/src/111428bde2cd47e368843aa3f5af428e22cd804d/coverage/misc.py?at=default#cl-106
[2] https://bitbucket.org/ned/coveragepy/src/111428bde2cd47e368843aa3f5af428e22cd804d/coverage/html.py?at=default#cl-78
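
Added example (not part of the bug report and not coverage.py's code): a change-detection fingerprint over nested settings that requests MD5 with usedforsecurity=False, the keyword named in the description, and keeps the non-security purpose in the helper's name so it is not mistaken for a general-purpose hasher. All function names and the sample settings are constructed for illustration; the keyword is assumed to be available as in hashlib since Python 3.9.

```python
import hashlib


def _change_detection_md5():
    """MD5 for change detection only, never for integrity or authentication."""
    try:
        # Declares a non-security use; hashlib accepts this since Python 3.9.
        return hashlib.md5(usedforsecurity=False)
    except TypeError:
        # Older interpreter without the keyword: plain md5() (fails under FIPS).
        return hashlib.md5()


def _feed(h, value):
    """Feed value into h with type tags so 1, 1.0, "1" and True stay distinct."""
    h.update(type(value).__name__.encode() + b":")
    if isinstance(value, dict):
        for key in sorted(value, key=repr):  # insertion order must not matter
            _feed(h, key)
            _feed(h, value[key])
    elif isinstance(value, (list, tuple)):
        for item in value:
            _feed(h, item)
    elif isinstance(value, (str, bytes, int, float, type(None))):
        data = value if isinstance(value, bytes) else repr(value).encode()
        # Length prefix keeps ["ab"] and ["a", "b"] from colliding by construction.
        h.update(len(data).to_bytes(8, "big") + data)
    else:
        raise TypeError("unsupported settings type: %r" % type(value))
    h.update(b";")


def settings_fingerprint(settings):
    """Hex fingerprint of a nested settings structure (not a security digest)."""
    h = _change_detection_md5()
    _feed(h, settings)
    return h.hexdigest()


def needs_full_rebuild(previous_fingerprint, settings):
    """True when the stored fingerprint no longer matches the current settings."""
    return previous_fingerprint != settings_fingerprint(settings)


# Constructed sample settings (not coverage.py's real option set).
OLD = {"title": "Coverage report", "extra_css": None, "precision": 0}
SAME = {"precision": 0, "extra_css": None, "title": "Coverage report"}
NEW = {"title": "Coverage report", "extra_css": "site.css", "precision": 0}
```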

Comment 2 Miloslav Trmač 2013-05-31 18:51:54 UTC
Or perhaps drop the Hasher completely, and do an explicit comparison of the two objects:

def compare(a, b):
  if type(a) != type(b): return False
  if isinstance(a, (string_class, int)): return a == b
  if isinstance(a, float): return whatever_is_the_right_way_to_compare_floats_including_NaN(a, b)
  # etc.

This has the additional advantage of being always correct, whereas hashes can in principle have collisions.

Comment 4 Bohuslav "Slavek" Kabrda 2015-02-05 11:33:10 UTC
Since I'm not assuming this package is actually being used by someone in fips mode, I think it's not worth the effort to fix. Therefore I'm closing as wontfix - if someone hits this issue, please feel free to reopen.