CMP-2734: Detect usage of x/crypto

The x/crypto module isn't compatible with FIPS. Let's write a check to see if it is in the symbols for a given binary. Ideally, this should help us find areas where we can remove x/crypto usage altogether.
stackrox · Oct 7, 2024 · bd73a4b · bd73a4b
1 parent d67cb51
commit bd73a4b
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 0 deletions.
diff --git a/internal/types/error_map.go b/internal/types/error_map.go
diff --git a/internal/types/errors.go b/internal/types/errors.go
@@ -21,4 +21,5 @@ var (
 	ErrOSNotCertified              = errors.New("operating system is not FIPS certified")
 	ErrDistributionFileMissing     = errors.New("could not find distribution file")
 	ErrCertifiedDistributionsEmpty = errors.New("certified_distributions is empty, consider using -V [VERSION] for check-payload")
+	ErrDetectedExcludedModule      = errors.New("detected a library that is incompatible with FIPS, check to make sure it is not performing any cryptographic operations")
 )
diff --git a/internal/validations/validations.go b/internal/validations/validations.go
@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"regexp"
 	"strings"
@@ -67,6 +68,7 @@ var validationFns = map[string][]ValidationFn{
 		validateGoStatic,
 		validateGoOpenssl,
 		validateGoTagsAndExperiment,
+		validateExcludedCryptoModules,
 	},
 	"exe": {
 		validateNotStatic,
@@ -288,6 +290,29 @@ func validateNotStatic(_ context.Context, _ string, baton *Baton) *types.Validat
 	return types.NewValidationError(types.ErrNotDynLinked)
 }
 
+func validateExcludedCryptoModules(ctx context.Context, path string, baton *Baton) *types.ValidationError {
+	var symbols bytes.Buffer
+	cmd := exec.CommandContext(ctx, "nm", "-j", path)
+	cmd.Stdout = &symbols
+	if err := cmd.Run(); err != nil {
+		return types.NewValidationError(err)
+	}
+
+	// Make this more flexible by deriving the excluded modules from
+	// configuration.
+	excluded := []byte("golang.org/x/crypto")
+	symtable, err := golang.ReadTable(path, baton.GoBuildInfo)
+	if err != nil {
+		return types.NewValidationError(fmt.Errorf("go: could not read table for %v: %w", filepath.Base(path), err))
+	}
+	for _, f := range symtable.Funcs {
+		if strings.Contains(f.Name, string(excluded)) {
+			return types.NewValidationError(types.ErrDetectedExcludedModule).SetWarning()
+		}
+	}
+	return nil
+}
+
 func isGoExecutable(path string, baton *Baton) (bool, error) {
 	bi, err := buildinfo.ReadFile(path)
 	if err != nil {