internal/openvex: add hash for doc ID

updates golang/go#62486

Change-Id: I741ee275288b978becb46d5072ae22857152f2b6
Reviewed-on: https://go-review.googlesource.com/c/vuln/+/575860
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>

cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct

@@ -3,7 +3,7 @@
 $ govulncheck -format openvex -mode binary ${common_vuln_binary}
 {
   "@context": "https://openvex.dev/ns/v0.2.0",
-  "@id": "govulncheckVEX",
+  "@id": "govulncheck/vex:b2e8274f24820051d79285827c4fe6e1912c99143a4693804b9a5c366ec5fb8d",
   "author": "Unknown Author",
   "timestamp": "2024-01-01T00:00:00",
   "version": 1,

cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct

@@ -3,7 +3,7 @@
 $ govulncheck -C ${moddir}/vuln -format openvex ./...
 {
   "@context": "https://openvex.dev/ns/v0.2.0",
-  "@id": "govulncheckVEX",
+  "@id": "govulncheck/vex:b2e8274f24820051d79285827c4fe6e1912c99143a4693804b9a5c366ec5fb8d",
   "author": "Unknown Author",
   "timestamp": "2024-01-01T00:00:00",
   "version": 1,

internal/openvex/handler.go

@@ -5,6 +5,7 @@
 package openvex
 
 import (
+	"crypto/sha256"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -88,14 +89,16 @@ func (h *handler) Flush() error {
 
 func toVex(h *handler) Document {
 	doc := Document{
-		ID:         "govulncheckVEX", // TODO: create hash from document for ID
 		Context:    ContextURI,
 		Author:     DefaultAuthor,
 		Timestamp:  time.Now().UTC(),
 		Version:    1,
 		Tooling:    Tooling,
 		Statements: statements(h),
 	}
+
+	id := hashVex(doc)
+	doc.ID = "govulncheck/vex:" + id
 	return doc
 }
 
@@ -160,3 +163,21 @@ func statements(h *handler) []Statement {
 	})
 	return statements
 }
+
+func hashVex(doc Document) string {
+	// json.Marshal should never error here (because of the structure of Document).
+	// If an error does occur, it won't be a jsonerror, but instead a panic
+	d := Document{
+		Context:    doc.Context,
+		ID:         doc.ID,
+		Author:     doc.Author,
+		Version:    doc.Version,
+		Tooling:    doc.Tooling,
+		Statements: doc.Statements,
+	}
+	out, err := json.Marshal(d)
+	if err != nil {
+		panic(err)
+	}
+	return fmt.Sprintf("%x", sha256.Sum256(out))
+}