Why not do some hashing?

cmd/iq.go

@@ -18,13 +18,14 @@ package cmd
 
 import (
 	"fmt"
+	"os"
+	"path"
+
 	"github.com/mitchellh/go-homedir"
 	"github.com/sonatype-nexus-community/ahab/internal/customerrors"
 	"github.com/sonatype-nexus-community/go-sona-types/configuration"
 	"github.com/sonatype-nexus-community/go-sona-types/ossindex/types"
 	"github.com/spf13/viper"
-	"os"
-	"path"
 
 	"github.com/sonatype-nexus-community/ahab/buildversion"
 	"github.com/sonatype-nexus-community/ahab/packages"
@@ -156,9 +157,12 @@ var iqCmd = &cobra.Command{
 			panic(err)
 		}
 
-		purls := pkgs.ExtractPurlsFromProjectList()
+		purls := pkgs.ExtractPurlObjectsFromProjectList()
+
+		hashbrowns := packages.New(logLady)
+		hashbrowns.PopulateListOfHashes(os.Getenv("PATH"))
 
-		res, err := lifecycle.AuditPackages(purls)
+		res, err := lifecycle.Audit(purls, hashbrowns.Files)
 		if err != nil {
 			logLady.Error(err)
 			panic(err)

go.mod

@@ -3,13 +3,15 @@ module github.com/sonatype-nexus-community/ahab
 go 1.14
 
 require (
+	github.com/DarthHater/packageurl-go v0.1.1-0.20201022013050-2ab9db397c59
 	github.com/common-nighthawk/go-figure v0.0.0-20200609044655-c4b36f998cf2
 	github.com/jedib0t/go-pretty/v6 v6.0.5
 	github.com/logrusorgru/aurora v2.0.3+incompatible
 	github.com/mitchellh/go-homedir v1.1.0
+	github.com/package-url/packageurl-go v0.1.0 // indirect
 	github.com/shopspring/decimal v1.2.0
 	github.com/sirupsen/logrus v1.7.0
-	github.com/sonatype-nexus-community/go-sona-types v0.0.8
+	github.com/sonatype-nexus-community/go-sona-types v0.0.9-0.20201118200801-791b1ec93137
 	github.com/spf13/cobra v1.0.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.7.1

go.sum

@@ -14,6 +14,8 @@ dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/DarthHater/packageurl-go v0.1.1-0.20201022013050-2ab9db397c59 h1:bWN4GMTxAI4v3I412SPfXJ4Zp29zk3I6kTpwV15egMU=
+github.com/DarthHater/packageurl-go v0.1.1-0.20201022013050-2ab9db397c59/go.mod h1:/FxmOTaQ5RifcIAsSQwhXw6wOBmSi3QALI9b0M8gMnQ=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -27,6 +29,8 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
+github.com/briandowns/spinner v1.11.1 h1:OixPqDEcX3juo5AjQZAnFPbeUA0jvkp2qzB5gOZJ/L0=
+github.com/briandowns/spinner v1.11.1/go.mod h1:QOuQk7x+EaDASo80FEXwlwiA+j/PPIcX3FScO+3/ZPQ=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/common-nighthawk/go-figure v0.0.0-20200609044655-c4b36f998cf2 h1:tjT4Jp4gxECvsJcYpAMtW2I3YqzBTPuB67OejxXs86s=
@@ -44,6 +48,7 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -131,7 +136,11 @@ github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czP
 github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-colorable v0.1.2 h1:/bC9yWikZXAL9uJdulbSfyVNIR3n3trXl+v8+1sx8mU=
+github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-isatty v0.0.8 h1:HLtExJ+uU2HOZ+wI0Tt5DtUDrx8yhUqDcp7fYERX4CE=
+github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-runewidth v0.0.9 h1:Lm995f3rfxdpd6TSmuVCHVb/QhupuXlYr8sCI/QdE+0=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
@@ -193,8 +202,14 @@ github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1
 github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
+github.com/sonatype-nexus-community/go-sona-types v0.0.8-0.20201022160403-29083c3a505f h1:qxn7J8YS2y0e/UJjX/BRu3O+Bl+UXFL4etKlx2rj9dk=
+github.com/sonatype-nexus-community/go-sona-types v0.0.8-0.20201022160403-29083c3a505f/go.mod h1:T/m31bzGRZyWDt974xCXhnw/SDjUW3xDHC9TFoQmzPI=
 github.com/sonatype-nexus-community/go-sona-types v0.0.8 h1:6xb9BIC2w3y4kF/xQA25Zs6Yrl8ZqFkfH77AKPaG4RA=
 github.com/sonatype-nexus-community/go-sona-types v0.0.8/go.mod h1:uou8FGf9R5Nz1c6BfSM3v9K7g0R6faTYoxLh9Ybeht8=
+github.com/sonatype-nexus-community/go-sona-types v0.0.9-0.20201118195946-07d83fcf14ae h1:axT/MuydnJrJhpVUi4dkWEd3My13KyRsrGVkQljiYlA=
+github.com/sonatype-nexus-community/go-sona-types v0.0.9-0.20201118195946-07d83fcf14ae/go.mod h1:eVXlH7/wpn5XGHHT9Jv8qOT85BvG0PkBYTzWp4aLhP0=
+github.com/sonatype-nexus-community/go-sona-types v0.0.9-0.20201118200801-791b1ec93137 h1:+asaQBw/h2mTDoynIhp8dKNE87EHBTbALy9o6OItkoY=
+github.com/sonatype-nexus-community/go-sona-types v0.0.9-0.20201118200801-791b1ec93137/go.mod h1:eVXlH7/wpn5XGHHT9Jv8qOT85BvG0PkBYTzWp4aLhP0=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2 h1:m8/z1t7/fwjysjQRYbP0RD+bUIF/8tJwPdEZsI83ACI=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
@@ -283,6 +298,7 @@ golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

packages/apk.go

@@ -19,6 +19,7 @@ package packages
 import (
 	"fmt"
 
+	"github.com/DarthHater/packageurl-go"
 	"github.com/sonatype-nexus-community/ahab/parse"
 )
 
@@ -33,3 +34,14 @@ func (a Apk) ExtractPurlsFromProjectList() (purls []string) {
 	}
 	return
 }
+
+func (a Apk) ExtractPurlObjectsFromProjectList() (purls []packageurl.PackageURL) {
+	for _, s := range a.ProjectList.Projects {
+		purl, err := packageurl.FromString(fmt.Sprintf("pkg:alpine/%s@%s", s.Name, s.Version))
+		if err != nil {
+			continue
+		}
+		purls = append(purls, purl)
+	}
+	return
+}

packages/apt.go

@@ -19,6 +19,7 @@ package packages
 import (
 	"fmt"
 
+	"github.com/DarthHater/packageurl-go"
 	"github.com/sonatype-nexus-community/ahab/parse"
 )
 
@@ -33,3 +34,14 @@ func (a Apt) ExtractPurlsFromProjectList() (purls []string) {
 	}
 	return
 }
+
+func (a Apt) ExtractPurlObjectsFromProjectList() (purls []packageurl.PackageURL) {
+	for _, s := range a.ProjectList.Projects {
+		purl, err := packageurl.FromString(fmt.Sprintf("pkg:deb/debian/%s@%s", s.Name, s.Version))
+		if err != nil {
+			continue
+		}
+		purls = append(purls, purl)
+	}
+	return
+}

packages/hasher.go

@@ -0,0 +1,63 @@
+package packages
+
+import (
+	"crypto/sha1"
+	"encoding/hex"
+	"io"
+	"os"
+	"path/filepath"
+
+	"github.com/sirupsen/logrus"
+	"github.com/sonatype-nexus-community/go-sona-types/cyclonedx"
+)
+
+type Hasher struct {
+	logLady *logrus.Logger
+	Files   []cyclonedx.File
+}
+
+func New(logLady *logrus.Logger) *Hasher {
+	return &Hasher{logLady: logLady}
+}
+
+func (h Hasher) PopulateListOfHashes(path string) {
+	for _, v := range filepath.SplitList(path) {
+		err := filepath.Walk(v, func(path string, f os.FileInfo, err error) (hashErr error) {
+			hashErr = h.getHashAndAppend(path)
+			if hashErr != nil {
+				return hashErr
+			}
+			return nil
+		})
+		if err != nil {
+			h.logLady.Error(err)
+		}
+	}
+}
+
+func (h *Hasher) getHashAndAppend(path string) (err error) {
+	f, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	hashString, err := h.getSha1(f)
+	if err != nil {
+		return err
+	}
+	h.Files = append(h.Files, cyclonedx.File{Path: path, Extension: filepath.Ext(path), Hash: hashString})
+	return
+}
+
+func (h Hasher) getSha1(f *os.File) (hashString string, err error) {
+	hash := sha1.New()
+	if _, err = io.Copy(hash, f); err != nil {
+		h.logLady.Error(err)
+		return
+	}
+
+	hashString = hex.EncodeToString(hash.Sum(nil))
+
+	return
+}

packages/package.go

@@ -16,6 +16,9 @@
 
 package packages
 
+import "github.com/DarthHater/packageurl-go"
+
 type IPackage interface {
 	ExtractPurlsFromProjectList() []string
+	ExtractPurlObjectsFromProjectList() []packageurl.PackageURL
 }

packages/yum.go

@@ -19,6 +19,7 @@ package packages
 import (
 	"fmt"
 
+	"github.com/DarthHater/packageurl-go"
 	"github.com/sonatype-nexus-community/ahab/parse"
 )
 
@@ -33,3 +34,14 @@ func (y Yum) ExtractPurlsFromProjectList() (purls []string) {
 	}
 	return
 }
+
+func (y Yum) ExtractPurlObjectsFromProjectList() (purls []packageurl.PackageURL) {
+	for _, s := range y.ProjectList.Projects {
+		purl, err := packageurl.FromString(fmt.Sprintf("pkg:rpm/%s@%s", s.Name, s.Version))
+		if err != nil {
+			continue
+		}
+		purls = append(purls, purl)
+	}
+	return
+}