Generated hash items: "alg" does not conform to the CycloneDX specification

[goadwharry]

The CycloneDX json files created by sbom4files generate hashes like this:

     "hashes": [
        {
          "alg": "SHA1",
          "content": "9ffc0d3f5c8be409335699037ac8bafbda9e940c"
        },
        {
          "alg": "SHA256",
          "content": "b97a4c91d68acb2ba07a382e4849ef86f156459b85dfe6dbac104332d782fe1e"
        },
        {
          "alg": "SHA512",
          "content": "7f4ba8017754306f4ac93b71b736c7efe14920ff735cb8b189518018f68508ab31ca1d0dbf6a0dfbdd0349f981e8e65564dd14a1ab051b7fd9cffc8e47e4be97"
        }
      ],

However, the tools from CycloneDX have a problem with the "alg" names - they expect "SHA-1", "SHA-256", "SHA-512" (i.e. with a '-' sign after SHA).

It looks like sbom4files does not conform to the specification. See here for details: https://cyclonedx.org/docs/1.5/json/#components_items_hashes_items_alg

Thanks!

[anthonyharrison]

@goadwharry Many thanks for spotting this.

There is a difference between the way the checksum algorithms are handled by SPDX and CycloneDX. The SHA names are stored internally without the '-'. I have updated the SBOM generator for CycloneDX to correctly specify the hashing algoritthm.

[anthonyharrison]

Corrected in version 0.5.3 of Lib4sbom

[goadwharry]

@anthonyharrison Thank you very much for changing this.