SPDX file has duplicate sha256 tag in versionInfo #2300

Merged
merged 2 commits, Nov 8, 2023

Conversation

coheigea
@coheigea coheigea commented Nov 8, 2023

I noticed when generating an SPDX SBOM for https://repo1.maven.org/maven2/org/apache/activemq/activemq-osgi/5.18.2/ that it outputs:

 {
   "name": "activemq-osgi-5.18.2.jar",
   "SPDXID": "SPDXRef-DocumentRoot-File-activemq-osgi-5.18.2.jar",
   "versionInfo": "sha256:sha256:cfbaa968953d5c3a45c8d1e6fcdbcd22aa448baceebb00879084da0a38f1392d",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "checksums": [
    {
     "algorithm": "SHA256",
     "checksumValue": "cfbaa968953d5c3a45c8d1e6fcdbcd22aa448baceebb00879084da0a38f1392d"
    }
   ],
   "primaryPackagePurpose": "FILE"
  }

Note the duplicate sha256 tag for versionInfo. This is because in fileSource.deriveIDFromFile, the digest algorithm is already encoded in the digest String.

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
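An added example, not syft's own code and not part of this PR: a helper that builds the "algorithm:hex" form of versionInfo without duplicating a prefix the digest string already carries, plus a small linter over an SPDX JSON document that flags a versionInfo with a repeated algorithm prefix or with a digest that disagrees with the checksums entry for the same algorithm. The names normalizeDigestVersion, checkPackage and lintSPDX are hypothetical; the embedded document is constructed from the package entry quoted above together with a corrected copy, and only the SPDX fields the check needs are modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the SPDX 2.x JSON package entry that this check needs; the JSON
// tags follow the SPDX JSON schema.
type spdxChecksum struct {
	Algorithm     string `json:"algorithm"`
	ChecksumValue string `json:"checksumValue"`
}

type spdxPackage struct {
	Name        string         `json:"name"`
	SPDXID      string         `json:"SPDXID"`
	VersionInfo string         `json:"versionInfo"`
	Checksums   []spdxChecksum `json:"checksums"`
}

type spdxDocument struct {
	Packages []spdxPackage `json:"packages"`
}

// normalizeDigestVersion builds "<algo>:<hex>" exactly once, whether digest
// already carries its algorithm prefix ("sha256:cfba...") or is bare hex.
// Hypothetical helper illustrating the fix; not syft's deriveIDFromFile.
func normalizeDigestVersion(algorithm, digest string) string {
	prefix := strings.ToLower(algorithm) + ":"
	for strings.HasPrefix(strings.ToLower(digest), prefix) {
		digest = digest[len(prefix):]
	}
	return prefix + digest
}

// checkPackage returns one finding per defect in a package's versionInfo:
// a repeated algorithm prefix, or a digest that disagrees with the checksum
// entry recorded for the same algorithm.
func checkPackage(p spdxPackage) []string {
	parts := strings.Split(p.VersionInfo, ":")
	prefixes, digest := parts[:len(parts)-1], parts[len(parts)-1]
	if len(prefixes) == 0 {
		return nil // not digest-shaped (e.g. "5.18.2"); nothing to check
	}
	var findings []string
	seen := map[string]bool{}
	for _, pre := range prefixes {
		pre = strings.ToLower(pre)
		if seen[pre] {
			findings = append(findings, fmt.Sprintf("duplicate %s prefix in versionInfo %q", pre, p.VersionInfo))
		}
		seen[pre] = true
	}
	algo := strings.ToLower(prefixes[len(prefixes)-1])
	for _, c := range p.Checksums {
		if strings.ToLower(c.Algorithm) == algo && !strings.EqualFold(c.ChecksumValue, digest) {
			findings = append(findings, fmt.Sprintf("versionInfo digest %s does not match %s checksum %s", digest, c.Algorithm, c.ChecksumValue))
		}
	}
	return findings
}

// lintSPDX parses an SPDX JSON document and maps each offending SPDXID to
// its findings; an empty map means every versionInfo digest is well-formed.
func lintSPDX(data []byte) (map[string][]string, error) {
	var doc spdxDocument
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	out := map[string][]string{}
	for _, p := range doc.Packages {
		if f := checkPackage(p); len(f) > 0 {
			out[p.SPDXID] = f
		}
	}
	return out, nil
}

// sampleSPDX is a constructed document: the first package reproduces the
// entry from the PR description, the second is a corrected copy of it.
const sampleSPDX = `{"packages": [
  {"name": "activemq-osgi-5.18.2.jar",
   "SPDXID": "SPDXRef-DocumentRoot-File-activemq-osgi-5.18.2.jar",
   "versionInfo": "sha256:sha256:cfbaa968953d5c3a45c8d1e6fcdbcd22aa448baceebb00879084da0a38f1392d",
   "checksums": [{"algorithm": "SHA256", "checksumValue": "cfbaa968953d5c3a45c8d1e6fcdbcd22aa448baceebb00879084da0a38f1392d"}]},
  {"name": "fixed.jar", "SPDXID": "SPDXRef-fixed",
   "versionInfo": "sha256:cfbaa968953d5c3a45c8d1e6fcdbcd22aa448baceebb00879084da0a38f1392d",
   "checksums": [{"algorithm": "SHA256", "checksumValue": "cfbaa968953d5c3a45c8d1e6fcdbcd22aa448baceebb00879084da0a38f1392d"}]}
]}`

func main() {
	findings, err := lintSPDX([]byte(sampleSPDX))
	if err != nil {
		panic(err)
	}
	fmt.Println(findings)
}
```

Run as-is, the program reports only the activemq-osgi entry, with its doubled sha256 prefix; the corrected copy passes. The digest-versus-checksum comparison is the part worth keeping in any SBOM ingestion pipeline: a versionInfo that a consumer might parse as a content identifier should agree with the checksum the same document records for that file.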
@wagoodman wagoodman left a comment

nice find! I added a little bit of testing around this to make certain we don't regress.

@wagoodman wagoodman enabled auto-merge (squash) November 8, 2023 22:35
@wagoodman wagoodman added the bug Something isn't working label Nov 8, 2023
@wagoodman wagoodman merged commit dc14dbb into anchore:main Nov 8, 2023
10 checks passed
@coheigea coheigea deleted the coheigea/spdxdigst branch November 9, 2023 04:46
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
* SPDX file has duplicate sha256 tag in versionInfo

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>

* add tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>