anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0
6.29k stars 578 forks

Checksum is 0 for spdx files #2307

Open coheigea opened 1 year ago

coheigea commented 1 year ago

What happened:

An SPDX json report contains a 0 value for the file checksum. It looks like it is not adding/using the path. If you give me some pointers I can take a look at a PR.

"files": [
  {
   "fileName": "/activemq-osgi-5.18.2.jar",
   "SPDXID": "SPDXRef-File-activemq-osgi-5.18.2.jar-57d3ba18b01bbbb8",
   "checksums": [
    {
     "algorithm": "SHA1",
     "checksumValue": "0000000000000000000000000000000000000000"
    }
   ],
   "licenseConcluded": "NOASSERTION",
   "copyrightText": ""
  }
 ],

What you expected to happen:

Correct file checksum, like in the packages section.

Steps to reproduce the issue:

Anything else we need to know?:

Environment:
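The report above shows an SPDX file entry whose SHA1 is forty zeros, which is a placeholder rather than a digest. A consumer of such an SBOM would want to catch that before trusting it. The following is an added example (not syft's code and not from this issue) that walks the `files` section of an SPDX 2.x JSON document, flags all-zero, malformed or missing checksums, and, when given the directory the SBOM was generated from, recomputes SHA1 and compares. It assumes the JSON layout shown in the issue (`fileName`, `checksums[].algorithm`, `checksums[].checksumValue`) and that `fileName` is a path relative to that root; the sample file contents and the scratch SBOM it builds are constructed for the demo.

```python
import hashlib
import json
import os
import string
import tempfile

# Hex digest lengths for the checksum algorithms an SPDX 2.x file entry may carry.
DIGEST_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def load_spdx(path):
    """Parse an SPDX JSON document from disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def check_file_checksums(spdx_doc, root=None):
    """Return (fileName, problem) tuples for file entries whose checksums look wrong.

    spdx_doc: parsed SPDX 2.x JSON document (dict).
    root:     optional directory the SBOM describes; when given, SHA1 values are
              recomputed from the file on disk (assumption: fileName is relative to root).
    """
    findings = []
    for entry in spdx_doc.get("files", []):
        name = entry.get("fileName", "<unnamed>")
        checksums = entry.get("checksums", [])
        if not checksums:
            findings.append((name, "no checksums recorded"))
            continue
        for cs in checksums:
            algo = cs.get("algorithm", "").upper()
            value = cs.get("checksumValue", "")
            expected_len = DIGEST_LENGTHS.get(algo)
            if expected_len is None:
                findings.append((name, f"unknown algorithm {algo!r}"))
                continue
            if len(value) != expected_len or not all(c in string.hexdigits for c in value):
                findings.append((name, f"{algo} value is not a {expected_len}-hex-digit digest"))
                continue
            if set(value) == {"0"}:
                # The symptom from the issue: a digest that is entirely zeros.
                findings.append((name, f"{algo} checksum is all zeros (placeholder, not a real digest)"))
                continue
            if root is not None and algo == "SHA1":
                path = os.path.join(root, name.lstrip("/"))
                if not os.path.isfile(path):
                    findings.append((name, "file not found under root, cannot verify"))
                    continue
                with open(path, "rb") as fh:
                    actual = hashlib.sha1(fh.read()).hexdigest()
                if actual != value.lower():
                    findings.append((name, f"SHA1 mismatch: SBOM has {value}, file is {actual}"))
    return findings


def demo():
    """Build a scratch file plus three constructed SPDX docs and run the check on each.

    Returns (findings_for_zero_digest, findings_for_correct_digest, findings_for_wrong_digest).
    """
    with tempfile.TemporaryDirectory() as root:
        jar = os.path.join(root, "activemq-osgi-5.18.2.jar")
        with open(jar, "wb") as fh:
            fh.write(b"constructed sample bytes, not a real jar\n")  # constructed content
        with open(jar, "rb") as fh:
            real_sha1 = hashlib.sha1(fh.read()).hexdigest()

        def doc(checksum):
            # Mirrors the file entry shape from the issue report; hypothetical document.
            return {
                "spdxVersion": "SPDX-2.3",
                "files": [{
                    "fileName": "/activemq-osgi-5.18.2.jar",
                    "SPDXID": "SPDXRef-File-activemq-osgi-5.18.2.jar-57d3ba18b01bbbb8",
                    "checksums": [{"algorithm": "SHA1", "checksumValue": checksum}],
                }],
            }

        zero = check_file_checksums(doc("0" * 40), root)
        good = check_file_checksums(doc(real_sha1), root)
        wrong = check_file_checksums(doc("ab" * 20), root)  # well-formed but not the file's digest
        return zero, good, wrong


if __name__ == "__main__":
    for label, result in zip(("zero", "good", "wrong"), demo()):
        print(label, result)
```

Run it against a real report with `check_file_checksums(load_spdx("sbom.spdx.json"), root="/path/scanned")`; omitting `root` still catches the all-zero and malformed cases, which is enough to detect the output described in this issue.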

kzantow commented 12 months ago

The latest version of Syft (0.97.1) seems to be omitting these empty checksums; following the steps above, the files section has:

 "files": [
  {  
   "id": "57d3ba18b01bbbb8",
   "location": {
    "path": "/activemq-osgi-5.18.2.jar"
   }
  }
 ],

... and when enabling SHA1 checksums:

{  
   "id": "57d3ba18b01bbbb8",
   "location": {
    "path": "/activemq-osgi-5.18.2.jar"
   },
   "metadata": {
    "mode": 644,
    "type": "RegularFile",
    "userID": 501,
    "groupID": 20,
    "mimeType": "application/jar",
    "size": 13242590
   },
   "digests": [
    {
     "algorithm": "sha1",
     "value": "3be830039fd9548f1e422fbbe0b6d47013cb9ac1"
    }
   ]
  }

Since this seems to be working as expected, I'm going to close it for now, but please do reopen if it continues to be an issue for you!

coheigea commented 12 months ago

@kzantow This is what I see with 0.97.1 activemq.json

As you can see it still has the 000 checksum

kzantow commented 12 months ago

@coheigea I apparently didn't actually follow your steps to reproduce accurately, the issue definitely exists when using the right output format; apologies!

yves-bischoff commented 1 day ago

Any update on this issue?