Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SPDX file has duplicate sha256 tag in versionInfo #2300

Merged
merged 2 commits into from
Nov 8, 2023

Conversation

coheigea
Copy link
Contributor

@coheigea coheigea commented Nov 8, 2023

I noticed when generating a SPDX SBOM for https://repo1.maven.org/maven2/org/apache/activemq/activemq-osgi/5.18.2/ that it outputs:

 {
   "name": "activemq-osgi-5.18.2.jar",
   "SPDXID": "SPDXRef-DocumentRoot-File-activemq-osgi-5.18.2.jar",
   "versionInfo": "sha256:sha256:cfbaa968953d5c3a45c8d1e6fcdbcd22aa448baceebb00879084da0a38f1392d",
   "supplier": "NOASSERTION",
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "checksums": [
    {
     "algorithm": "SHA256",
     "checksumValue": "cfbaa968953d5c3a45c8d1e6fcdbcd22aa448baceebb00879084da0a38f1392d"
    }
   ],
   "primaryPackagePurpose": "FILE"
  }
~

Note duplicate sha256 tag for versionInfo. This is because in fileSource.deriveIDFromFile, the digest algorithm is already encoded in the digest String.

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
@wagoodman wagoodman self-assigned this Nov 8, 2023
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Copy link
Contributor

@wagoodman wagoodman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice find! I added a little bit of testing around this to make certain we don't regress.

@wagoodman wagoodman enabled auto-merge (squash) November 8, 2023 22:35
@wagoodman wagoodman added the bug Something isn't working label Nov 8, 2023
@wagoodman wagoodman merged commit dc14dbb into anchore:main Nov 8, 2023
10 checks passed
@coheigea coheigea deleted the coheigea/spdxdigst branch November 9, 2023 04:46
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
* SPDX file has duplicate sha256 tag in versionInfo

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>

* add tests

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants