Normalize the package hash to hex.
We were emitting package checksum hashes as `h1:{base64}`. `h1:` is a prefix indicating "Hash 1", a SHA-256 based hash of the files; the suffix is that hash, base64 encoded.

This change detects/strips the `h1:` prefix and re-encodes the base64 data as hex.
mattmoor committed Nov 22, 2021
1 parent 3edb68b commit 90dd316
Showing 2 changed files with 18 additions and 5 deletions.
19 changes: 16 additions & 3 deletions internal/sbom/spdx.go
Expand Up @@ -16,6 +16,9 @@ package sbom

import (
"bytes"
"encoding/base64"
"encoding/hex"
"fmt"
"strings"
"text/template"
"time"
Expand Down Expand Up @@ -48,6 +51,16 @@ type tmplInfo struct {
// TODO: use k8s.io/release/pkg/bom
var tmpl = template.Must(template.New("").Funcs(template.FuncMap{
"dots": func(s string) string { return strings.ReplaceAll(s, "/", ".") },
"h1toSHA256": func(s string) (string, error) {
if !strings.HasPrefix(s, "h1:") {
return "", fmt.Errorf("malformed sum prefix: %q", s)
}
b, err := base64.StdEncoding.DecodeString(s[3:])
if err != nil {
return "", fmt.Errorf("malformed sum: %q: %w", s, err)
}
return hex.EncodeToString(b), nil
},
}).Parse(`SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
Expand All @@ -71,10 +84,10 @@ PackageLicenseComments: NOASSERTION
PackageComment: NOASSERTION
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-{{ .BuildInfo.Main.Path | dots }}
{{ range .Deps }}
Relationship: SPDXRef-Package-{{ $.Main.Path | dots }} DEPENDS_ON SPDXRef-Package-{{ .Path | dots }}-{{ .Version }}{{ end }}
{{ range .Deps }}
Relationship: SPDXRef-Package-{{ $.Main.Path | dots }} DEPENDS_ON SPDXRef-Package-{{ .Path | dots }}-{{ .Version }}
##### Package representing {{ .Path }}
PackageName: {{ .Path }}
Expand All @@ -83,7 +96,7 @@ PackageVersion: {{ .Version }}
PackageSupplier: Organization: {{ .Path }}
PackageDownloadLocation: https://proxy.golang.org/{{ .Path }}/@v/{{ .Version }}.zip
FilesAnalyzed: false
PackageChecksum: SHA256: {{ .Sum }}
PackageChecksum: SHA256: {{ .Sum | h1toSHA256 }}
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
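Review bot: h1toSHA256 validates the `h1:` prefix and the base64 encoding at `b, err := base64.StdEncoding.DecodeString(s[3:])`, but never checks the decoded length, so a truncated or padded sum would be emitted as a `PackageChecksum: SHA256:` value of the wrong size that downstream SBOM consumers may reject or skip verifying. Adding `if len(b) != sha256.Size { return "", fmt.Errorf("malformed sum length: %q", s) }` after the decode (with `crypto/sha256` added to the import block) pins the value to 32 bytes. Separately, an h1 sum is a SHA-256 over the module's file list (dirhash.Hash1), not over the .zip named in PackageDownloadLocation, so a consumer hashing the downloaded archive will not reproduce it; a comment on the func such as `// h1toSHA256 converts a Go module "h1:" sum (base64 of a SHA-256 over the module file tree, not of the zip) to hex.` would make that explicit. Note also that a module with no available checksum (e.g. a local replace) has an empty Sum, which after this change makes template execution fail at `{{ .Sum | h1toSHA256 }}` rather than emit an empty checksum — confirm that is the intended behaviour. The enclosing `var tmpl` expression continues past the end of these hunks.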
4 changes: 2 additions & 2 deletions pkg/commands/resolver.go
Expand Up @@ -102,10 +102,10 @@ func gobuildOptions(bo *options.BuildOptions) ([]build.Option, error) {
switch bo.SBOM {
case "none":
opts = append(opts, build.WithDisabledSBOM())
case "spdx":
opts = append(opts, build.WithSPDX(version()))
case "go.version-m":
opts = append(opts, build.WithGoVersionSBOM())
default: // "spdx"
opts = append(opts, build.WithSPDX(version()))
}
opts = append(opts, build.WithTrimpath(bo.Trimpath))
for _, lf := range bo.Labels {
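Review bot: Turning the spdx branch into `default: // "spdx"` means any unrecognized `--sbom` value (a typo, or a format this binary does not support) silently produces an SPDX SBOM instead of being reported, whereas previously an unknown value appended no SBOM option at all. Since gobuildOptions already returns an error, keeping an explicit `case "spdx":` and changing the tail to `default: return nil, fmt.Errorf("unknown --sbom value %q", bo.SBOM)` preserves the intended default while rejecting bad input; if the flag's default value is the empty string rather than "spdx", the empty string needs to be listed alongside "spdx" in that case. This assumes `fmt` is imported in resolver.go, which is not visible in this hunk. gobuildOptions starts and ends outside the hunk.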
