Fix: Replace blake2b with FIPS-compatible hash fallback to support secure environments

[sumit-gupta-sgt]

Summary

This PR replaces all direct uses of hashlib.blake2b() with a utility function fips_safe_hasher() that falls back to a truncated sha256() hash in FIPS-enabled environments.

This resolves failures such as:

...which occur because blake2b is disabled when Python is compiled against OpenSSL in FIPS mode.

Key Changes

• Introduced fips_safe_hasher() in soda/common/utils/hash_utils.py.
• Replaced blake2b usage across the codebase with this safe wrapper.
• Added a test for fallback behavior.

Why This Matters

In regulated or security-hardened systems (e.g., federal workloads, STIG-compliant Linux), FIPS mode is required and disables non-compliant hash functions like BLAKE2. This change ensures Soda Core works in those environments without modification or monkey-patching.

Compatibility

• Backwards compatible (keeps digest length intact)
• No external dependencies introduced
• Safe fallback behavior

Related

• Fixes compatibility issue reported with FIPS-mode Python
• Builds on community request to support hardened deployments

Happy to adjust or expand test coverage as needed!

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

Sumit Gupta seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud