search

spdx / spdx-maven-plugin

Plugin for supporting SPDX in a Maven build.
Apache License 2.0
44 stars 26 forks source link

Checksums not generated #162

Open sgammon opened 8 months ago

sgammon commented 8 months ago

I have a project where I am using this plugin. I specified my configuration like this: pom.xml (root)

  <pluginManagement>
    <plugin>
      <groupId>org.spdx</groupId>
      <artifactId>spdx-maven-plugin</artifactId>
      <version>0.7.3</version>
    </plugin>
  </pluginManagement>

pom.xml (project)

      <plugin>
        <groupId>org.spdx</groupId>
        <artifactId>spdx-maven-plugin</artifactId>
        <executions>
          <execution>
            <id>build-spdx</id>
            <phase>install</phase>
            <goals>
              <goal>createSPDX</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <!-- lots of config... -->
          <checksumAlgorithms>
            <checksumAlgorithm>SHA256</checksumAlgorithm>
          </checksumAlgorithms>
        </configuration>
      </plugin>

But, when the SPDX file is generated:

# lots of stuff omitted
[
  {}, {
    "SPDXID" : "SPDXRef-gnrtd20",
    "checksums" : [ {
      "algorithm" : "SHA1",
      "checksumValue" : "8e0d0d6a6e82a8b532f68ba246cf314c550d3642"
    } ],
]

I don't see SHA256 mentioned anywhere in the file. Is it supposed to show up?

goneall commented 8 months ago

I don't see SHA256 mentioned anywhere in the file. Is it supposed to show up?

Currently, only SHA1 is written since the SPDX requires SHA1 and SHA256 is optional.

We could add additional checksum algorithms - a pull request would be welcome.

sgammon commented 8 months ago

@goneall Okay. No worries. I'll see what I can do.