sigstore / rekor

Software Supply Chain Transparency Log
https://sigstore.dev
Apache License 2.0

SBOMs report all-zero SHA1 hash for release binaries #2175

Open hidde-jan opened 1 month ago

hidde-jan commented 1 month ago

Description

When inspecting the SBOMs attached to the latest release of rekor, the reported SHA1 hashes are all-zero. For example:

{
  //...
    "files": [
        {
            "fileName": "/rekor-cli-linux-amd64",
            "SPDXID": "SPDXRef-File-rekor-cli-linux-amd64-364aab0fbaf403d4",
            "checksums": [
                {
                    "algorithm": "SHA1",
                    "checksumValue": "0000000000000000000000000000000000000000"
                }
            ],
            "licenseConcluded": "NOASSERTION",
            "copyrightText": ""
        }
    ],
  //...
}

A quick inspection seems to indicate these SBOMs are generated by goreleaser.

Ideally, the sbom would include a proper hash of the binary.

Version

Not applicable
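A consumer-side check for the defect described in this issue, added here as an example and not code from the rekor, goreleaser or syft projects: it parses an SPDX JSON SBOM, recomputes each listed file's digest from the release artifact on disk, and flags the all-zero placeholder separately from a genuine mismatch. The SBOM fragment, the file contents and the directory layout are constructed for the demonstration.

```python
import hashlib, json, os, tempfile

# Constructed sample shaped like the SPDX fragment in the issue: the SHA1
# for the binary is the all-zero placeholder (sample data, not a real SBOM).
SAMPLE_SBOM = json.dumps({"files": [{
    "fileName": "/rekor-cli-linux-amd64",
    "SPDXID": "SPDXRef-File-rekor-cli-linux-amd64-364aab0fbaf403d4",
    "checksums": [{"algorithm": "SHA1",
                   "checksumValue": "0000000000000000000000000000000000000000"}],
}]})

def is_placeholder(value: str) -> bool:
    """An all-zero digest is a placeholder, never a real hash."""
    return value != "" and set(value) <= {"0"}

def verify_sbom_checksums(sbom_json: str, root: str) -> dict:
    """Map each fileName to 'ok', 'placeholder', 'mismatch' or 'missing-file'."""
    results = {}
    for entry in json.loads(sbom_json).get("files", []):
        name = entry["fileName"]
        path = os.path.join(root, name.lstrip("/"))  # resolve under the release dir
        if not os.path.isfile(path):
            results[name] = "missing-file"
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        status = "ok"
        for cs in entry.get("checksums", []):
            value = cs["checksumValue"].lower()
            algo = cs["algorithm"].lower().replace("-", "_")  # SHA3-256 -> sha3_256
            if is_placeholder(value):
                status = "placeholder"
                break
            if hashlib.new(algo, data).hexdigest() != value:
                status = "mismatch"
                break
        results[name] = status
    return results

def demo() -> dict:
    """Check the constructed sample, then a copy corrected with the real SHA1."""
    with tempfile.TemporaryDirectory() as root:
        data = b"not a real binary"  # constructed stand-in for the release binary
        with open(os.path.join(root, "rekor-cli-linux-amd64"), "wb") as fh:
            fh.write(data)
        fixed = json.loads(SAMPLE_SBOM)
        fixed["files"][0]["checksums"][0]["checksumValue"] = hashlib.sha1(data).hexdigest()
        return {"as_published": verify_sbom_checksums(SAMPLE_SBOM, root),
                "corrected": verify_sbom_checksums(json.dumps(fixed), root)}
```

Run against a real release, `verify_sbom_checksums` takes the downloaded SBOM and the directory the binaries were unpacked into; any `placeholder` result means the SBOM cannot be used to verify that artifact.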

haydentherapper commented 1 month ago

@cpanato any idea why? At a glance at documentation, I don’t see anything about configuring checksums

cpanato commented 1 month ago

I've reproduced the issue, and it is not in the goreleaser, it is in the syft tool that is used to generate the sbom

and it seems there is an issue already for this: https://github.com/anchore/syft/issues/2307