Open opedroso opened 2 years ago
I can see that every single package in the "docker" version (except spdx-sbom-generator itself) has the same SHA256 PackageChecksum: `PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
Description
Running the spdx-sbom-generator built with the Docker-provided image and built locally with the same Go version (Go 1.16.5) calculates a different hash value for every dependent package of matching version.
Expected Results
The SHA256 for the exact same package (name and version) must be the same; otherwise one cannot verify that the package has not changed.
Details
Inspecting the SHA256 value generated for the same package in each BOM file shows that a different hash value was calculated.
Attached files: one generated with the Docker image, the other with the locally built binary. From the locally built BOM file (bom-go-mod_go1.16.5.spdx.txt):

```
##### Package representing the github.com/sirupsen/logrus
PackageName: github.com/sirupsen/logrus
SPDXID: SPDXRef-Package-github.com.sirupsen.logrus-v1.8.1
PackageVersion: v1.8.1
PackageSupplier: Organization: github.com/sirupsen/logrus
PackageDownloadLocation: https://github.com/sirupsen/logrus/releases/tag/v1.8.1
FilesAnalyzed: false
PackageChecksum: SHA256: 7f14e6c0671df07198ab98bbff04d56fc4cbf7adfa0d9b83f42b97b9150c6a5e
PackageHomePage: https://github.com/sirupsen/logrus
```
From the Docker BOM file (bom-go-mod_docker_go1.16.5.spdx.txt):

```
##### Package representing the github.com/sirupsen/logrus
PackageName: github.com/sirupsen/logrus
SPDXID: SPDXRef-Package-github.com.sirupsen.logrus-v1.8.1
PackageVersion: v1.8.1
PackageSupplier: Organization: github.com/sirupsen/logrus
PackageDownloadLocation: https://github.com/sirupsen/logrus/releases/tag/v1.8.1
FilesAnalyzed: false
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageHomePage: https://github.com/sirupsen/logrus
```
Reference - Uploaded files
bom-go-mod_docker_go1.16.5.spdx.txt
bom-go-mod_go1.16.5.spdx.txt
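The digest repeated across the Docker-built BOM, e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, is the SHA-256 of zero bytes of input: a checksum equal to it means the generator hashed nothing for that package, not that the packages are identical. The following Go program is an added example for auditing a tag-value SBOM for exactly that failure mode; it is not code from the spdx-sbom-generator project or from the issue author. It recomputes the empty-input digest, parses the PackageName / PackageVersion / PackageChecksum tags, flags any package whose checksum is the empty-input digest or is shared with another package, and diffs two BOMs for same name-and-version packages whose checksums disagree. The embedded BOM excerpts are constructed for the example: the two logrus digests are the ones quoted in the issue, while the `example.com/placeholder/dep` package, its digests and the generator's own digest are placeholders.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Package is the subset of an SPDX 2.x tag-value package section we audit.
type Package struct {
	Name, Version, SHA256 string
}

// Key identifies "the exact same package (name and version)" across BOMs.
func (p Package) Key() string { return p.Name + "@" + p.Version }

// EmptyInputSHA256 returns the well-known digest of zero bytes of input.
func EmptyInputSHA256() string {
	sum := sha256.Sum256(nil)
	return hex.EncodeToString(sum[:])
}

// ParseTagValue extracts PackageName, PackageVersion and the SHA256
// PackageChecksum from tag-value text. Each PackageName starts a new package.
func ParseTagValue(doc string) []Package {
	var pkgs []Package
	sc := bufio.NewScanner(strings.NewReader(doc))
	for sc.Scan() {
		tag, val, ok := strings.Cut(strings.TrimSpace(sc.Text()), ":")
		if !ok {
			continue
		}
		val = strings.TrimSpace(val)
		switch tag {
		case "PackageName":
			pkgs = append(pkgs, Package{Name: val})
		case "PackageVersion":
			if n := len(pkgs); n > 0 {
				pkgs[n-1].Version = val
			}
		case "PackageChecksum":
			// The tag value is itself "SHA256: <hex>"; other algorithms are ignored.
			algo, digest, ok := strings.Cut(val, ":")
			if n := len(pkgs); ok && n > 0 && strings.TrimSpace(algo) == "SHA256" {
				pkgs[n-1].SHA256 = strings.ToLower(strings.TrimSpace(digest))
			}
		}
	}
	return pkgs
}

// Audit flags checksums that cannot be used for verification: a missing digest,
// the empty-input digest (the tool hashed nothing), and any digest shared by
// more than one package.
func Audit(pkgs []Package) []string {
	var findings []string
	byDigest := map[string][]string{}
	for _, p := range pkgs {
		switch p.SHA256 {
		case "":
			findings = append(findings, p.Key()+": no SHA256 checksum")
			continue
		case EmptyInputSHA256():
			findings = append(findings, p.Key()+": checksum is SHA256 of empty input")
		}
		byDigest[p.SHA256] = append(byDigest[p.SHA256], p.Key())
	}
	for digest, keys := range byDigest {
		if len(keys) > 1 {
			sort.Strings(keys)
			findings = append(findings, fmt.Sprintf("%d packages share digest %s...: %s",
				len(keys), digest[:12], strings.Join(keys, ", ")))
		}
	}
	sort.Strings(findings)
	return findings
}

// DiffChecksums returns name@version -> [digestA, digestB] for packages present
// in both BOMs whose SHA256 differs, i.e. the reproducibility failure reported above.
func DiffChecksums(a, b []Package) map[string][2]string {
	want := map[string]string{}
	for _, p := range a {
		want[p.Key()] = p.SHA256
	}
	diff := map[string][2]string{}
	for _, p := range b {
		if d, ok := want[p.Key()]; ok && d != p.SHA256 {
			diff[p.Key()] = [2]string{d, p.SHA256}
		}
	}
	return diff
}

// Constructed excerpts shaped like the two attached BOMs (not the real files).
// Only the two logrus digests come from the issue; everything else is a placeholder.
const dockerBOM = `PackageName: spdx-sbom-generator
PackageVersion: v0.0.0-placeholder
PackageChecksum: SHA256: abababababababababababababababababababababababababababababababab
PackageName: github.com/sirupsen/logrus
PackageVersion: v1.8.1
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
PackageName: example.com/placeholder/dep
PackageVersion: v0.1.0
PackageChecksum: SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
`

const localBOM = `PackageName: github.com/sirupsen/logrus
PackageVersion: v1.8.1
PackageChecksum: SHA256: 7f14e6c0671df07198ab98bbff04d56fc4cbf7adfa0d9b83f42b97b9150c6a5e
PackageName: example.com/placeholder/dep
PackageVersion: v0.1.0
PackageChecksum: SHA256: cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd
`

func main() {
	fmt.Println("empty-input SHA256:", EmptyInputSHA256())
	for _, f := range Audit(ParseTagValue(dockerBOM)) {
		fmt.Println("docker BOM:", f)
	}
	for k, d := range DiffChecksums(ParseTagValue(localBOM), ParseTagValue(dockerBOM)) {
		fmt.Printf("%s differs: local %s... vs docker %s...\n", k, d[0][:12], d[1][:12])
	}
}
```

Run against the two attached files (read each into a string and pass it to `ParseTagValue`), the empty-input check alone would have pinpointed the Docker build's output, while the diff is the check to keep in CI: a reproducible SBOM should yield an empty map when generated twice from the same module graph.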