fix: make the spdx output more complete

sha1 checksums are commonly checked by existing scanners/tools. Some of the fields are not set, so set them. Signed-off-by: Ramkumar Chinchani <[email protected]>
project-stacker · Dec 16, 2023 · 26b605e · 26b605e
1 parent aff21a6
commit 26b605e
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 14 deletions.
diff --git a/pkg/distro/apk/apk.go b/pkg/distro/apk/apk.go
@@ -4,6 +4,7 @@ import (
 	"archive/tar"
 	"bufio"
 	"compress/gzip"
+	"crypto/sha1" //nolint:gosec // used only to produce the sha1 checksum field
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
@@ -93,6 +94,7 @@ func ParsePackage(input, output, author, organization, license string) error {
 		}{
 			Person: apk.PkgInfo.PkgMaintainer,
 		},
+		FilesAnalyzed:   true,
 		LicenseDeclared: pkglicense,
 	}
 
@@ -151,17 +153,21 @@ func ParsePackage(input, output, author, organization, license string) error {
 			}
 		}
 
-		cksum := sha256.Sum256(buf)
+		cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field
+		cksumSHA256 := sha256.Sum256(buf)
 
 		log.Info().Str("name", hdr.Name).
 			Int("size", bufsz).
-			Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksum[:]))).
+			Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))).
 			Msg("file entry detected")
 
 		sfile := &spdx.File{
 			Entity: spdx.Entity{
-				Name:     fmt.Sprintf("/%s", hdr.Name),
-				Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum[:])},
+				Name: fmt.Sprintf("/%s", hdr.Name),
+				Checksum: map[string]string{
+					"SHA1":   hex.EncodeToString(cksumSHA1[:]),
+					"SHA256": hex.EncodeToString(cksumSHA256[:]),
+				},
 			},
 		}
 		if err := spkg.AddFile(sfile); err != nil {
@@ -192,6 +198,7 @@ func InstalledPackage(doc *spdx.Document, pkg *IndexEntry, files []string) error
 		}{
 			Person: pkg.PackageMaintainer,
 		},
+		FilesAnalyzed:   true,
 		LicenseDeclared: pkg.PackageLicense,
 	}
 

diff --git a/pkg/distro/deb/deb.go b/pkg/distro/deb/deb.go
@@ -3,6 +3,7 @@ package deb
 import (
 	"archive/tar"
 	"bufio"
+	"crypto/sha1" //nolint:gosec // used only to produce the sha1 checksum field
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -48,6 +49,7 @@ func ParsePackage(input, output, author, organization, license string) error {
 		}{
 			Person: debfile.Control.Maintainer,
 		},
+		FilesAnalyzed:   true,
 		LicenseDeclared: license,
 	}
 
@@ -87,17 +89,21 @@ func ParsePackage(input, output, author, organization, license string) error {
 			}
 		}
 
-		cksum := sha256.Sum256(buf)
+		cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field
+		cksumSHA256 := sha256.Sum256(buf)
 
 		log.Info().Str("name", hdr.Name).
 			Int("size", bufsz).
-			Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksum[:]))).
+			Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))).
 			Msg("file entry detected")
 
 		sfile := &spdx.File{
 			Entity: spdx.Entity{
-				Name:     hdr.Name[1:],
-				Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum[:])},
+				Name: hdr.Name[1:],
+				Checksum: map[string]string{
+					"SHA1":   hex.EncodeToString(cksumSHA1[:]),
+					"SHA256": hex.EncodeToString(cksumSHA256[:]),
+				},
 			},
 		}
 		if err := spkg.AddFile(sfile); err != nil {
@@ -277,6 +283,7 @@ func InstalledPackage(doc *spdx.Document, pkg Package, path string) error {
 		}{
 			Person: pkg.Maintainer,
 		},
+		FilesAnalyzed:   true,
 		LicenseDeclared: "unknown",
 	}
 

diff --git a/pkg/distro/rpm/rpm.go b/pkg/distro/rpm/rpm.go
@@ -1,8 +1,10 @@
 package rpm
 
 import (
+	"crypto/sha1" //nolint:gosec // used only to produce the sha1 checksum field
 	"crypto/sha256"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -87,6 +89,7 @@ func ParsePackage(input, output, author, organization, license string) error {
 		}{
 			Organization: vendor[0],
 		},
+		FilesAnalyzed:   true,
 		LicenseDeclared: pkglicense,
 	}
 
@@ -119,18 +122,34 @@ func ParsePackage(input, output, author, organization, license string) error {
 		}
 		defer fhandle.Close()
 
-		shaWriter := sha256.New()
-		if _, err := io.Copy(shaWriter, fhandle); err != nil {
-			return err
+		buf := make([]byte, info.Size())
+
+		var bufsz int
+
+		if bufsz, err = fhandle.Read(buf); err != nil {
+			if !errors.Is(err, io.EOF) {
+				log.Error().Err(err).Str("name", finfo.Name()).Msg("unable to read content")
+
+				return err
+			}
 		}
 
-		cksum := shaWriter.Sum(nil)
+		cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field
+		cksumSHA256 := sha256.Sum256(buf)
+
+		log.Info().Str("name", info.Name()).
+			Int("size", bufsz).
+			Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))).
+			Msg("file entry detected")
 
 		sfile := spdx.NewFile()
 		sfile.SetEntity(
 			&spdx.Entity{
-				Name:     finfo.Name(),
-				Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum)},
+				Name: finfo.Name(),
+				Checksum: map[string]string{
+					"SHA1":   hex.EncodeToString(cksumSHA1[:]),
+					"SHA256": hex.EncodeToString(cksumSHA256[:]),
+				},
 			},
 		)
 
@@ -162,6 +181,7 @@ func InstalledPackage(doc *spdx.Document, pkg *rpmdb.PackageInfo) error {
 		}{
 			Person: pkg.Vendor,
 		},
+		FilesAnalyzed:   true,
 		LicenseDeclared: pkg.License,
 	}