Include go.sum h1 digest information in checksums #1277

Closed
kzantow opened this issue Oct 20, 2022 · 1 comment · Fixed by #1405
kzantow commented Oct 20, 2022

Go binary scanning now supports h1 digests being output in Syft, CycloneDX, and SPDX formats. However, we are not including this information if doing a source scan. We should include h1 digests from go.sum files when processing a corresponding go.mod file.

Originally noted by @deitch in #1265 (comment)
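An added example, not syft's code and not part of this issue, of the step requested above: reading the h1 digests recorded in go.sum for the module versions a go.mod requires and rendering them as hex SHA-256 values. It assumes the required versions have already been read from go.mod; the module names, the `parseGoSum` helper and both digests are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed sample data (not from a real project): two synthetic digests.
var zeroH1 = "h1:" + strings.Repeat("A", 43) + "="  // 32 bytes of 0x00
var onesH1 = "h1:" + strings.Repeat("/", 42) + "8=" // 32 bytes of 0xff
var sampleGoSum = "example.com/lib v1.1.0 " + onesH1 + "\n" +
	"example.com/lib v1.2.0 " + zeroH1 + "\n" +
	"example.com/lib v1.2.0/go.mod " + onesH1 + "\n" +
	"example.com/util v0.3.1/go.mod " + onesH1 + "\n"

// Assumed to be the versions selected by the go.mod next to this go.sum.
var sampleRequired = []string{"example.com/lib@v1.2.0", "example.com/util@v0.3.1"}

// parseGoSum maps "module@version" to the hex SHA-256 carried by its h1: entry.
// An h1 digest hashes a listing of the module's files, not a module archive, so
// it is not comparable to a sha256sum of a zip. "/go.mod" lines cover only the
// go.mod file and are skipped; a malformed h1 value is an error, never a guess.
func parseGoSum(goSum string) (map[string]string, error) {
	out := map[string]string{}
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || strings.HasSuffix(f[1], "/go.mod") || !strings.HasPrefix(f[2], "h1:") {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(f[2], "h1:"))
		if err != nil || len(raw) != 32 {
			return nil, fmt.Errorf("malformed h1 digest for %s %s", f[0], f[1])
		}
		out[f[0]+"@"+f[1]] = hex.EncodeToString(raw)
	}
	return out, nil
}

func main() {
	sums, err := parseGoSum(sampleGoSum)
	if err != nil {
		panic(err)
	}
	for _, r := range sampleRequired { // go.sum may list versions go.mod does not select
		fmt.Printf("%s sha256:%q\n", r, sums[r])
	}
}
```

A module that has only a `/go.mod` line in go.sum, like `example.com/util` here, gets no checksum; the empty value should be left out of the SBOM rather than filled in.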

spiffcs pushed a commit that referenced this issue Dec 20, 2022
deitch commented Dec 20, 2022

Works quite nicely, thank you.

Now if only I could solve the "missing checksums in go compiled binaries when built using -vendor" issue, but that isn't syft's issue; rather it is that go isn't including the data. syft happily would use it if it were there.
