Add support for FIPS

Reported-by: RayGozer @RayGozer
Reference: #3165
Signed-off-by: Philippe Ombredanne <pombredanne@nexb.com>

Author: pombredanne

src/licensedcode/detection.py

@@ -11,9 +11,9 @@
 import sys
 import os
 import logging
-import hashlib
 import uuid
 from enum import Enum
+from hashlib import sha1
 from collections import Counter
 
 import attr
@@ -278,7 +278,7 @@ def identifier(self):
 
         # Return a uuid generated from the contents of the matches
         identifier_string = repr(tuple(data))
-        md_hash = hashlib.md5()
+        md_hash = sha1()
         md_hash.update(identifier_string.encode('utf-8'))
         return str(uuid.UUID(md_hash.hexdigest()))
 

src/licensedcode/match_hash.py

@@ -8,7 +8,7 @@
 #
 
 from array import array
-from hashlib import md5
+from hashlib import sha1
 
 
 from licensedcode.match import LicenseMatch
@@ -46,7 +46,7 @@ def tokens_hash(tokens):
     Return a digest binary string computed from a sequence of numeric token ids.
     """
     as_bytes = array('h', tokens).tobytes()
-    return md5(as_bytes).digest()
+    return sha1(as_bytes).digest()
 
 
 def index_hash(rule_tokens):

src/licensedcode/models.py

@@ -7,12 +7,12 @@
 # See https://aboutcode.org for more information about nexB OSS projects.
 #
 
-import hashlib
 import os
 import sys
 import traceback
 from collections import Counter
 from collections import defaultdict
+from hashlib import sha1
 from itertools import chain
 from operator import itemgetter
 from os.path import abspath
@@ -2001,13 +2001,13 @@ def _from_expression(cls, license_expression=None, identifier=None, **kwargs):
     def compute_unique_id(self):
         """
         Return a a unique id string based on this rule content. (Today this is
-        an MD5 checksum of the text, but that's an implementation detail)
+        an SHA1 checksum of the text, but that's an implementation detail)
         """
         if not self.text:
             text = "None"
         else:
             text = self.text
-        return hashlib.md5(text.encode('utf-8')).hexdigest()
+        return sha1(text.encode('utf-8')).hexdigest()
 
     def load_data(self, rule_file):
         """

src/packagedcode/cocoapods.py

@@ -11,6 +11,7 @@
 import json
 import os
 import logging
+from functools import partial
 
 import saneyaml
 from packageurl import PackageURL
@@ -28,6 +29,7 @@
 
 TRACE = os.environ.get('SCANCODE_DEBUG_PACKAGE', False)
 
+
 def logger_debug(*args):
     pass
 
@@ -89,8 +91,10 @@ def get_hashed_path(name):
     Returns a string with a part of the file path derived from the md5 hash.
 
     From https://github.com/CocoaPods/cdn.cocoapods.org:
-    "There are a set of known prefixes for all Podspec paths, you take the name of the pod,
-    create a hash (using md5) of it and take the first three characters."
+        "There are a set of known prefixes for all Podspec paths, you take the
+        name of the pod, create a hash (using md5) of it and take the first
+        three characters."
+
     """
     if not name:
         return
@@ -105,8 +109,22 @@ def get_hashed_path(name):
     return hashed_path
 
 
+# for FIPS support
+sys_v0 = sys.version_info[0]
+sys_v1 = sys.version_info[1]
+if sys_v0 == 3 and sys_v1 >= 9:
+    md5_hasher = partial(hashlib.md5, usedforsecurity=False)
+else:
+    md5_hasher = hashlib.md5
+
+
 def get_first_three_md5_hash_characters(podname):
-    return hashlib.md5(podname.encode('utf-8')).hexdigest()[0:3]
+    """
+    From https://github.com/CocoaPods/cdn.cocoapods.org:
+    "There are a set of known prefixes for all Podspec paths, you take the name of the pod,
+    create a hash (using md5) of it and take the first three characters."
+    """
+    return md5_hasher(podname.encode('utf-8')).hexdigest()[0:3]
 
 
 class BasePodHandler(models.DatafileHandler):