Hello! As I was re-implementing the VEX.CanonicalHash function in Java for jvex to achieve consistent document ID generation between libraries, I noticed the VEX.CanonicalHash algorithm implementation includes a superfluous colon delimiter, and misses a necessary colon delimiter. It sounds trivial, but these delimiters change the entire hash.
Extra Colon Delimiter
The entry point of the cstringFromComponent function appends the Component's ID with a leading colon delimiter. The return value of this function is then appended to the caller's cString with another leading colon.
The result is a cString that includes two colon delimiters like the following, when there should only be one:
1673917636::pkg:oci/git@sha256
Missing Colon Delimiter
The cstringFromVulnerability function creates a string of colon-delimited vulnerabilities, but does not include a leading colon delimiter. The return value is then appended to the caller's cString without a colon delimiter.
Hello! As I was re-implementing the
VEX.CanonicalHash
function in Java for jvex to achieve consistent document ID generation between libraries, I noticed theVEX.CanonicalHash
algorithm implementation includes a superfluous colon delimiter, and misses a necessary colon delimiter. It sounds trivial, but these delimiters change the entire hash.Extra Colon Delimiter The entry point of the
cstringFromComponent
function appends the Component's ID with a leading colon delimiter. The return value of this function is then appended to the caller'scString
with another leading colon.https://github.com/openvex/go-vex/blob/23adb1b9dbecd9547d6b9794a7cd221d7966c242/pkg/vex/vex.go#L250 https://github.com/openvex/go-vex/blob/23adb1b9dbecd9547d6b9794a7cd221d7966c242/pkg/vex/vex.go#L235
The result is a
cString
that includes two colon delimiters like the following, when there should only be one:Missing Colon Delimiter The
cstringFromVulnerability
function creates a string of colon-delimited vulnerabilities, but does not include a leading colon delimiter. The return value is then appended to the caller'scString
without a colon delimiter.https://github.com/openvex/go-vex/blob/23adb1b9dbecd9547d6b9794a7cd221d7966c242/pkg/vex/vex.go#L273 https://github.com/openvex/go-vex/blob/23adb1b9dbecd9547d6b9794a7cd221d7966c242/pkg/vex/vex.go#L214
The result is no colon delimiter between the vulnerability alias's string (
GHSA-jfh8-c2jp-5v3q
) and the vulnerability name (CVE-2021-44228
)