8000 NVSHAS-9993: Replace md5 by sha256 by williamlin-suse · Pull Request #2015 · neuvector/neuvector · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

NVSHAS-9993: Replace md5 by sha256 #2015

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 18, 2025
Merged

NVSHAS-9993: Replace md5 by sha256 #2015

merged 1 commit into from
Jun 18, 2025

Conversation

williamlin-suse
Copy link
Contributor

No description provided.

pohanhuangtw
pohanhuangtw reviewed Jun 18, 2025
View reviewed changes
Copy link
Contributor
@pohanhuangtw pohanhuangtw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall, LGTM
I just have a minor question regarding the use of GetGuid. Would you mind taking a quick look to see if any adjustment might be needed?

share/utils/utils.go
}

return GetMd5(base64.StdEncoding.EncodeToString(b)), nil
return strings.Replace(uuid.NewString(), "-", "", -1), nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we change this to use a UUID instead?

However, using a UUID would make the ID non-deterministic and unpredictable.
I think it’s better to switch to SHA (e.g., SHA-256) so the ID remains consistent for the same input, while still being more secure than MD5.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

UUID is 128-bit number(typically represented as a 36-character string) & sha256 is 256-bit number.
Using sha256, instead of md5, to generate a UUID is not more secure.
There is no input parameter for GetGuid(). What does "ID remains consistent for the same input" mean?
GetGuid() should not return the same string

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you are right, I misunderstand the caller.

pohanhuangtw
pohanhuangtw approved these changes Jun 18, 2025
View reviewed changes
share/utils/utils.go
}

return GetMd5(base64.StdEncoding.EncodeToString(b)), nil
return strings.Replace(uuid.NewString(), "-", "", -1), nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you are right, I misunderstand the caller.

holyspectral
holyspectral reviewed Jun 18, 2025
View reviewed changes
Copy link
Collaborator
@holyspectral holyspectral left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally it looks good to me. Would this affect multi-cluster scenario, given that we are removing some fields from its API response?

@williamlin-suse
Copy link
Contributor Author

Generally it looks good to me. Would this affect multi-cluster scenario, given that we are removing some fields from its API response?

GetFedKvVer() in kv/upgrade.go is changed to return different value since 5.4.5.
FedKvVersion field is included in the payload of every request sent from managed clusters to the primary cluster.
Primary cluster declines requests from managed clusters that use different FedKvVersion value from what primary cluster has.
Then

  1. On primary cluster UI, it displays those managed cluster entries as "upgrade required"
  2. On managed cluster UI, it displays itself's entry as "upgrade required"
    (we always advise customers to upgrade primary cluster first)

One side effect of the md5 to sha256 replacement in multi-cluster setup is:
We use the hash value of the image scan result to tell whether the fed registry's image scan results needs to be synced from primary cluster to managed clusters.
When the hash algorithm is changed from md5 to sha256, all fed registry's image scan results need to be re-synced from primary cluster to managed clusters(one-time effort).
(This hash value of image scan result is calculated in the fly & not stored in kv)

@williamlin-suse williamlin-suse merged commit 016ebcb into neuvector:main Jun 18, 2025
6 checks passed
@williamlin-suse williamlin-suse deleted the NVSHAS-9993 branch June 18, 2025 15:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@holyspectral holyspectral holyspectral approved these changes

@pohanhuangtw pohanhuangtw pohanhuangtw approved these changes

@BinX-Suse BinX-Suse Awaiting requested review from BinX-Suse BinX-Suse is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@williamlin-suse @holyspectral @pohanhuangtw
0