Hashes in JSON output are not deterministically ordered

[karsten-klein]

When I create an SPDX document with multiple hashes on a package, the order of the hashes in the output json varies.

The hashes should follow a deterministic ordering.

Please let us know whether we shall prepare an PR for this. Perhaps it must be generalized to other output formats as well to produce comparable outputs.

Regards, Karsten

[goneall]

@karsten-klein - Thanks for raising the issue. I agree, it should be deterministic.

There is already a sorting in the JSON output, it must somehow miss the hash algorithms.

Since there are substantial changes to the SPDX 3 version, I would prefer to make the changes there to avoid merge conflicts unless you consider this to be a serious enough issue for a patch release.

If a PR could be opened against the v3 branch of the spdx-java-jackson-store repo where the sort is done, that would be great.