From 149252fef09a3e22380d15595d7885614e0c2517 Mon Sep 17 00:00:00 2001
From: Matt Moore
Date: Mon, 22 Nov 2021 15:20:54 -0800
Subject: [PATCH] Normalize the package hash to hex.
We were emitting package checksum hashes as `h1:{base64}`. `h1:` is a prefix that indicates "Hash 1", which is a SHA-256 based hash of the files, which is then base64 encoded as the suffix. This change detects/strips the `h1:` prefix and re-encodes the base64 data as hex.
---
 internal/sbom/spdx.go | 21 +++++++++++++++++----
 pkg/commands/resolver.go | 4 ++--
 2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/internal/sbom/spdx.go b/internal/sbom/spdx.go
index 0d5b4d58ef..1b07512c68 100644
--- a/internal/sbom/spdx.go
+++ b/internal/sbom/spdx.go
@@ -16,6 +16,9 @@ package sbom
 import (
 "bytes"
+ "encoding/base64"
+ "encoding/hex"
+ "fmt"
 "strings"
 "text/template"
 "time"
@@ -48,6 +51,16 @@ type tmplInfo struct {
 // TODO: use k8s.io/release/pkg/bom
 var tmpl = template.Must(template.New("").Funcs(template.FuncMap{
 "dots": func(s string) string { return strings.ReplaceAll(s, "/", ".") },
+ "h1toSHA256": func(s string) (string, error) {
+ if !strings.HasPrefix(s, "h1:") {
+ return "", fmt.Errorf("malformed sum prefix: %q", s)
+ }
+ b, err := base64.StdEncoding.DecodeString(s[3:])
+ if err != nil {
+ return "", fmt.Errorf("malformed sum: %q: %w", s, err)
+ }
+ return hex.EncodeToString(b), nil
+ },
 }).Parse(`SPDXVersion: SPDX-2.2
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
@@ -71,10 +84,10 @@ PackageLicenseComments: NOASSERTION
 PackageComment: NOASSERTION
 Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-{{ .BuildInfo.Main.Path | dots }}
-{{ range .Deps }}
-Relationship: SPDXRef-Package-{{ $.Main.Path | dots }} DEPENDS_ON SPDXRef-Package-{{ .Path | dots }}-{{ .Version }}{{ end }}
 {{ range .Deps }}
+Relationship: SPDXRef-Package-{{ $.Main.Path | dots }} DEPENDS_ON SPDXRef-Package-{{ .Path | dots }}-{{ .Version }}
+
 ##### Package representing {{ .Path }}
 PackageName: {{ .Path }}
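Review bot: h1toSHA256 never checks the length of the decoded bytes, so any well-formed base64 payload — 8 bytes or 80 — is rendered under the template's `PackageChecksum: SHA256:` label as if it were a digest; adding `if len(b) != sha256.Size { return "", fmt.Errorf("malformed sum length %d: %q", len(b), s) }` after the decode keeps the SBOM from asserting a checksum that cannot be a SHA-256 (this needs `crypto/sha256` in the import hunk, or the literal 32). A short comment on the entry would also help readers who do not know the go.sum format, e.g. `// h1toSHA256 turns a go.sum-style "h1:<base64>" module hash into lowercase hex of the same bytes.`. The `var tmpl` declaration this entry lives in continues past the end of the hunk.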
@@ -83,8 +96,8 @@ PackageVersion: {{ .Version }}
 PackageSupplier: Organization: {{ .Path }}
 PackageDownloadLocation: https://proxy.golang.org/{{ .Path }}/@v/{{ .Version }}.zip
 FilesAnalyzed: false
-PackageChecksum: SHA256: {{ .Sum }}
-PackageLicenseConcluded: NOASSERTION
+{{ if .Sum }}PackageChecksum: SHA256: {{ .Sum | h1toSHA256 }}
+{{ end }}PackageLicenseConcluded: NOASSERTION
 PackageLicenseDeclared: NOASSERTION
 PackageCopyrightText: NOASSERTION
 PackageLicenseComments: NOASSERTION
diff --git a/pkg/commands/resolver.go b/pkg/commands/resolver.go
index e561824cd4..7ddda5449a 100644
--- a/pkg/commands/resolver.go
+++ b/pkg/commands/resolver.go
@@ -102,10 +102,10 @@ func gobuildOptions(bo *options.BuildOptions) ([]build.Option, error) {
 switch bo.SBOM {
 case "none":
 opts = append(opts, build.WithDisabledSBOM())
- case "spdx":
- opts = append(opts, build.WithSPDX(version()))
 case "go.version-m":
 opts = append(opts, build.WithGoVersionSBOM())
+ default: // "spdx"
opts = append(opts, build.WithSPDX(version()))
 }
 opts = append(opts, build.WithTrimpath(bo.Trimpath))
 for _, lf := range bo.Labels {
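Review bot: The hex string now written after `PackageChecksum: SHA256:` is the module's `h1:` sum, which the commit message describes as a SHA-256 over the module's files, not over the `.zip` that the preceding PackageDownloadLocation line points at; a consumer that verifies the download against this checksum will report a mismatch even for an untampered module. If that is the intended meaning, the template should say so rather than leave the two lines looking like a matched pair, for example by placing the value in a comment field (`PackageComment: Go module h1 checksum; not a digest of the download location`) or by noting it next to the FuncMap entry. Note also that an error returned by h1toSHA256 aborts the whole template execution, so one unparseable sum in the build info fails SBOM generation outright — defensible for an SBOM, but worth a comment stating it is deliberate. The template literal enclosing this hunk begins and ends outside it.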
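Review bot: Replacing `case "spdx":` with `default: // "spdx"` means any bo.SBOM value that is not "none" or "go.version-m" — including a typo — now silently yields an SPDX SBOM rather than an error, even though gobuildOptions already returns an error. If the goal is to make an unset value default to SPDX, `case "", "spdx":` states that explicitly, and a trailing `default: return nil, fmt.Errorf("unsupported SBOM type %q", bo.SBOM)` (assuming fmt is available in resolver.go; its imports are not in the hunk) keeps unknown values from passing unnoticed. gobuildOptions starts and ends outside this hunk.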