Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update spdx22json to only take uppercase checksum algorithm (#946) #946

Merged
merged 1 commit into from
Apr 11, 2022
Merged

Update spdx22json to only take uppercase checksum algorithm (#946) #946

merged 1 commit into from
Apr 11, 2022

Conversation

spiffcs
Copy link
Contributor

@spiffcs spiffcs commented Apr 11, 2022

When doing validation against SPDXJSON2.2 an error would be thrown saying sha1 was not a valid algorithm.

This change updates the encoding for spdx22json so that algorithm is now uppercased according to the specification.

https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf
See page 35 Package checksum 3.10.4

Signed-off-by: Christopher Phillips christopher.phillips@anchore.com

@spiffcs
spdx22json only takes uppercase values as valid
bbe1aa7 
https://spdx.dev/wp-content/uploads/sites/41/2020/08/SPDX-specification-2-2.pdf
See page 35 Package checksum 3.10.4

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@kzantow
Copy link
Contributor

kzantow commented Apr 11, 2022

Good catch!

@github-actions
Copy link

Benchmark Test Results

Benchmark results from the latest changes vs base branch 
name                                                       old time/op    new time/op    delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2              1.15ms ± 2%    1.19ms ± 1%  +2.91%  (p=0.032 n=5+4)
ImagePackageCatalogers/python-package-cataloger-2            2.97ms ±11%    3.01ms ± 0%    ~     (p=0.151 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     956µs ± 1%     978µs ± 0%  +2.30%  (p=0.008 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         643µs ± 1%     654µs ± 1%  +1.83%  (p=0.016 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     751µs ± 1%     806µs ± 4%  +7.36%  (p=0.008 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                      671µs ± 1%     714µs ± 2%  +6.31%  (p=0.008 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      13.7ms ± 5%    14.2ms ± 1%    ~     (p=0.151 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.21ms ± 3%    1.27ms ± 1%  +5.16%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2          2.08µs ± 1%    2.24µs ± 1%  +7.60%  (p=0.008 n=5+5)

name                                                       old alloc/op   new alloc/op   delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2               184kB ± 0%     184kB ± 0%    ~     (p=0.690 n=5+5)
ImagePackageCatalogers/python-package-cataloger-2             895kB ± 0%     897kB ± 0%    ~     (p=0.310 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     196kB ± 0%     196kB ± 0%  -0.20%  (p=0.032 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         140kB ± 0%     140kB ± 0%    ~     (p=0.151 n=5+5)
ImagePackageCatalogers/dpkgdb-cataloger-2                     175kB ± 0%     175kB ± 0%    ~     (p=0.310 n=5+5)
ImagePackageCatalogers/rpmdb-cataloger-2                      163kB ± 0%     163kB ± 0%    ~     (p=0.690 n=5+5)
ImagePackageCatalogers/java-cataloger-2                      3.29MB ± 0%    3.29MB ± 0%    ~     (p=0.056 n=5+5)
ImagePackageCatalogers/apkdb-cataloger-2                     1.24MB ± 0%    1.24MB ± 0%  +0.10%  (p=0.008 n=5+5)
ImagePackageCatalogers/go-module-binary-cataloger-2            672B ± 0%      672B ± 0%    ~     (all equal)

name                                                       old allocs/op  new allocs/op  delta
ImagePackageCatalogers/ruby-gemspec-cataloger-2               3.66k ± 0%     3.66k ± 0%    ~     (all equal)
ImagePackageCatalogers/python-package-cataloger-2             14.8k ± 0%     14.8k ± 0%    ~     (p=1.000 n=5+5)
ImagePackageCatalogers/php-composer-installed-cataloger-2     4.94k ± 0%     4.94k ± 0%    ~     (p=0.643 n=5+5)
ImagePackageCatalogers/javascript-package-cataloger-2         2.72k ± 0%     2.72k ± 0%    ~     (all equal)
ImagePackageCatalogers/dpkgdb-cataloger-2                     3.93k ± 0%     3.93k ± 0%    ~     (all equal)
ImagePackageCatalogers/rpmdb-cataloger-2                      4.01k ± 0%     4.01k ± 0%    ~     (all equal)
ImagePackageCatalogers/java-cataloger-2                       52.2k ± 0%     52.2k ± 0%    ~     (p=0.222 n=5+4)
ImagePackageCatalogers/apkdb-cataloger-2                      4.82k ± 0%     4.82k ± 0%    ~     (all equal)
ImagePackageCatalogers/go-module-binary-cataloger-2            15.0 ± 0%      15.0 ± 0%    ~     (all equal)

@spiffcs spiffcs changed the title Update spdx22json to onl take uppercase values as valid Update spdx22json to only take uppercase values as valid Apr 11, 2022
@spiffcs spiffcs changed the title Update spdx22json to only take uppercase values as valid Update spdx22json to only take uppercase checksum algorithm Apr 11, 2022
@spiffcs spiffcs merged commit b46d044 into main Apr 11, 2022
@spiffcs spiffcs deleted the SPDX-JSON22-validation branch April 11, 2022 18:56
@spiffcs spiffcs changed the title Update spdx22json to only take uppercase checksum algorithm Update spdx22json to only take uppercase checksum algorithm (#946) Apr 11, 2022
spiffcs added a commit that referenced this pull request May 2, 2022
@spiffcs
Merge branch 'main' into 835-keyless-attestation-upgrade
cb25858 
* main: (31 commits)
  reduce noise of log output (#976)
  add version info and remove double config call (#977)
  Rename syft-id to package-id (#970)
  update to cyclonedx-go 0.5.2 (#971)
  refactor command package to remove globals and add dependency injection
  fix: #953 Derive language from pURL - https://github.com/anchore/syft… (#957)
  Fix typo in CPE-parsing error (#966)
  Preserve syft IDs on SBOM decode (#963)
  Update GitHub format package_url and correlator (#961)
  Ensure SPDXIDs are valid (#955)
  Auto-PR needs to run go mod tidy (#958)
  Add workflow for automatic PR for new stereoscope updates (#954)
  Minor readme update to correct format information (#948)
  Update spdx22json to only take uppercase checksum algorithm (#946)
  add additional vendors for springframework (#945)
  Add digest property to parent and nested java package metadata (#941)
  Update write permissions and log into ghcr.io for release (#942)
  Retry auth URL lookup without docker credentialhelper workaround (#939)
  Ensure that all cyclonedx components have bom-refs (#914)
  Additionally publish docker images to GHCR (#934)
  ...

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
rigzba21 pushed a commit to rigzba21/syft that referenced this pull request May 5, 2022
@spiffcs @rigzba21
Update spdx22json to only take uppercase checksum algorithm (anchore#946
26df4f3 
)

Signed-off-by: rigzba21 <jonathan.velando01@gmail.com>
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@spiffcs
Update spdx22json to only take uppercase checksum algorithm (anchore#946
56d2c35 
)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kzantow kzantow kzantow approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@spiffcs @kzantow