
Added checksums for content inside archives for SBOM.jsons #679

Open · wants to merge 3 commits into base: main
Conversation

aidanhall34

Hi All,

Going to apologise in advance if I have not done this correctly. I'm fairly new to contributing to OS projects, especially one as big as OpenTelemetry. Feel free to give me any "contributor" pointers so I can be a good open source citizen.

As far as I am aware, checksums are provided for archive files but not their contents.
I have a use case where I want the checksum of the binary inside the archive before I download them.

I have added some syft envvars to the cmd/goreleaser/internal/configure.go config.SBOM struct that will provide checksums for archive contents.

Files section before the change (reference file):

```json
  "files":
    [
      {
        "fileName": "otelcol-contrib",
        "SPDXID": "SPDXRef-File-otelcol-contrib-8f08648b0a2b389a",
        "checksums":
          [
            {
              "algorithm": "SHA1",
              "checksumValue": "0000000000000000000000000000000000000000",
            },
          ],
        "licenseConcluded": "NOASSERTION",
        "licenseInfoInFiles": ["NOASSERTION"],
        "copyrightText": "",
      },
    ],
```
Files section after the change:

```json
    "files": [
        {
            "fileName": "/tmp/syft-archive-contents-833386759",
            "SPDXID": "SPDXRef-File-tmp-syft-archive-contents-833386759-60e2698d628d456f",
            "fileTypes": [
                "OTHER"
            ],
            "checksums": [
                {
                    "algorithm": "SHA1",
                    "checksumValue": "0000000000000000000000000000000000000000"
                }
            ],
            "licenseConcluded": "NOASSERTION",
            "licenseInfoInFiles": [
                "NOASSERTION"
            ],
            "copyrightText": ""
        },
        {
            "fileName": "README.md",
            "SPDXID": "SPDXRef-File-README.md-367a886d576a2cf3",
            "fileTypes": [
                "TEXT"
            ],
            "checksums": [
                {
                    "algorithm": "SHA256",
                    "checksumValue": "b38ed0afb0c73ff4e6371e4444c267b55cf543f939bca481d938e6bbe871825a"
                }
            ],
            "licenseConcluded": "NOASSERTION",
            "licenseInfoInFiles": [
                "NOASSERTION"
            ],
            "copyrightText": ""
        },
        {
            "fileName": "otelcol",
            "SPDXID": "SPDXRef-File-otelcol-d0b37298759a7bad",
            "fileTypes": [
                "APPLICATION",
                "BINARY"
            ],
            "checksums": [
                {
                    "algorithm": "SHA256",
                    "checksumValue": "dcb7367e6376c42697cd955cd2f27b212bcfc99c16b6007ae1dd81cb781b582e"
                }
            ],
            "licenseConcluded": "NOASSERTION",
            "licenseInfoInFiles": [
                "NOASSERTION"
            ],
            "copyrightText": ""
        }
    ],
```

Checking the checksum: [screenshot]

I hope this can be merged as it'll save me a few clicks per release upgrade.

Thanks!
Aidan
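Checking an unpacked archive against the per-file checksums in the SBOM, as an added example that is not part of this PR or the collector's own code. The SBOM fragment and file contents below are constructed; the only page-specific detail it relies on is that syft lists the archive wrapper itself (`/tmp/syft-archive-contents-*`) with an all-zero SHA1, which carries no integrity information and must not be counted as a verified file.

```python
import hashlib

# SPDX spells algorithms in upper case; map them to hashlib names.
HASHLIB_NAMES = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

def is_placeholder(digest: str) -> bool:
    """True for the all-zero digest syft emits on the archive wrapper entry."""
    return set(digest) == {"0"}

def verify_archive_contents(sbom: dict, extracted: dict) -> dict:
    """Map each fileName to 'ok', 'mismatch', 'missing' (in SBOM, not in archive),
    'skipped' (placeholder digest) or 'unlisted' (in archive, not in SBOM)."""
    results = {}
    for entry in sbom.get("files", []):
        name, checks = entry["fileName"], entry.get("checksums", [])
        if not checks or all(is_placeholder(c["checksumValue"]) for c in checks):
            results[name] = "skipped"
            continue
        data = extracted.get(name)
        if data is None:
            results[name] = "missing"
            continue
        ok = True
        for c in checks:  # every listed digest must match; unknown algorithms fail closed
            algo = HASHLIB_NAMES.get(c["algorithm"].upper())
            if algo is None or hashlib.new(algo, data).hexdigest() != c["checksumValue"].lower():
                ok = False
        results[name] = "ok" if ok else "mismatch"
    for name in extracted:
        results.setdefault(name, "unlisted")
    return results

# Constructed sample (not real release artefacts): an "extracted archive" as
# {name: bytes} and an SBOM built from it, with the README digest deliberately wrong.
EXTRACTED = {"otelcol": b"\x7fELF constructed binary\n",
             "README.md": b"# demo\n", "LICENSE": b"MIT\n"}
SAMPLE_SBOM = {"files": [
    {"fileName": "/tmp/syft-archive-contents-833386759",
     "checksums": [{"algorithm": "SHA1", "checksumValue": "0" * 40}]},
    {"fileName": "README.md",
     "checksums": [{"algorithm": "SHA256", "checksumValue": "ab" * 32}]},
    {"fileName": "otelcol",
     "checksums": [{"algorithm": "SHA256",
                    "checksumValue": hashlib.sha256(EXTRACTED["otelcol"]).hexdigest()}]},
    {"fileName": "config.yaml",
     "checksums": [{"algorithm": "SHA256", "checksumValue": "cd" * 32}]},
]}
```

For a real release, load the SBOM with `json.load` and build `extracted` from the unpacked archive directory; anything other than `ok` or `skipped` means the archive does not match what the SBOM attests.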

@aidanhall34 aidanhall34 requested a review from a team as a code owner September 26, 2024 05:15

linux-foundation-easycla bot commented Sep 26, 2024

CLA Signed

The committers listed above are authorized under a signed CLA.
