Bug 969370 - Coverage fails to generate html report in fips mode
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python-coverage
Assigned To: Python Maintainers
BaseOS QE - Apps
Blocks: 839624
Reported: 2013-05-31 06:03 EDT by Bohuslav "Slavek" Kabrda
Modified: 2015-02-05 06:33 EST
Doc Type: Bug Fix
Last Closed: 2015-02-05 06:33:10 EST
Type: Bug
Description Bohuslav "Slavek" Kabrda 2013-05-31 06:03:40 EDT
Coverage implements a "Hasher" class in coverage/misc.py [1] that uses MD5 to create a hash of an arbitrary structure. The only place where Hasher is instantiated is coverage/html.py [2], which hashes the settings of the html generator and compares them with other settings.
So from one point of view, this seems to be a good candidate to use usedforsecurity=False. But that would need to be done inside the Hasher class, and if a developer used this in some other library that would use Hasher for security purposes, it would be a problem.
I guess the best thing to do here is to let html report generation from coverage just fail in fips.

[1] https://bitbucket.org/ned/coveragepy/src/111428bde2cd47e368843aa3f5af428e22cd804d/coverage/misc.py?at=default#cl-106
[2] https://bitbucket.org/ned/coveragepy/src/111428bde2cd47e368843aa3f5af428e22cd804d/coverage/html.py?at=default#cl-78
Comment 2 Miloslav Trmač 2013-05-31 14:51:54 EDT
Or perhaps drop the Hasher completely, and do an explicit comparison of the two objects:

def compare(a, b):
  if type(a) != type(b): return False
  if isinstance(a, (string_class, int)): return a == b
  if isinstance(a, float): return whatever_is_the_right_way_to_compare_floats_including_NaN(a, b)
  # etc.

This has the additional advantage of being always correct, whereas hashes can in principle have collisions.
Comment 4 Bohuslav "Slavek" Kabrda 2015-02-05 06:33:10 EST
Since I'm not assuming this package is actually being used by someone in fips mode, I think it's not worth the effort to fix. Therefore I'm closing as wontfix - if someone hits this issue, please feel free to reopen.
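
An added example, not code from coverage.py or from the participants in this bug: a settings fingerprint used only for change detection, with the non-security intent declared at the one place the digest is created instead of inside a general-purpose hasher. It assumes Python 3.9 or later for the usedforsecurity keyword; settings_fingerprint and its helpers are hypothetical names, and the SHA-256 fallback is a choice made for this example.

```python
import hashlib
import math
import struct


def _new_digest():
    """Return a digest object for change detection only, never for security.

    usedforsecurity=False (Python 3.9+) tells a FIPS-enforcing OpenSSL that
    this MD5 use is non-cryptographic. Fall back to SHA-256 when the keyword
    is unknown (TypeError) or MD5 is still refused (ValueError).
    """
    try:
        return hashlib.md5(usedforsecurity=False)
    except (TypeError, ValueError):
        return hashlib.sha256()


def _feed(h, value):
    """Feed a type-tagged, length-prefixed encoding of value into h."""
    h.update(type(value).__name__.encode() + b":")
    if isinstance(value, (str, bytes)):
        raw = value.encode("utf-8") if isinstance(value, str) else value
        h.update(struct.pack(">Q", len(raw)) + raw)
    elif isinstance(value, (bool, int)) or value is None:
        h.update(repr(value).encode() + b";")
    elif isinstance(value, float):
        # All NaNs encode alike; repr() round-trips every other float.
        h.update(b"nan;" if math.isnan(value) else repr(value).encode() + b";")
    elif isinstance(value, (list, tuple)):
        h.update(struct.pack(">Q", len(value)))
        for item in value:
            _feed(h, item)
    elif isinstance(value, dict):
        h.update(struct.pack(">Q", len(value)))
        for key in sorted(value):  # order-independent; keys must be sortable
            _feed(h, key)
            _feed(h, value[key])
    else:
        raise TypeError("unsupported settings type: %r" % type(value))


def settings_fingerprint(settings):
    """Hex fingerprint of a nested settings structure (hypothetical helper)."""
    h = _new_digest()
    _feed(h, settings)
    return h.hexdigest()
```

The type tags and length prefixes keep values such as 1 and "1", or ["ab", "c"] and ["a", "bc"], from producing the same byte stream; a hash collision remains possible in principle, which the explicit comparison from comment 2 avoids.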
