From a053a7d6c584e7c2c324987b054ade632fa78a0d Mon Sep 17 00:00:00 2001 From: Ramkumar Chinchani Date: Sat, 16 Dec 2023 07:27:44 +0000 Subject: [PATCH] fix: make the spdx output more complete sha1 checksums are commonly checked by existing scanners/tools. Some of the fields are not set, so set them. Signed-off-by: Ramkumar Chinchani --- pkg/distro/apk/apk.go | 49 +++++++++++++++++++++++++---------- pkg/distro/deb/deb.go | 44 +++++++++++++++++++++++-------- pkg/distro/rpm/rpm.go | 60 ++++++++++++++++++++++++++++++++++--------- 3 files changed, 118 insertions(+), 35 deletions(-) diff --git a/pkg/distro/apk/apk.go b/pkg/distro/apk/apk.go index 07ef519..5fb9402 100644 --- a/pkg/distro/apk/apk.go +++ b/pkg/distro/apk/apk.go @@ -4,6 +4,7 @@ import ( "archive/tar" "bufio" "compress/gzip" + "crypto/sha1" //nolint:gosec // used only to produce the sha1 checksum field "crypto/sha256" "encoding/base64" "encoding/hex" @@ -93,6 +94,7 @@ func ParsePackage(input, output, author, organization, license string) error { }{ Person: apk.PkgInfo.PkgMaintainer, }, + FilesAnalyzed: true, LicenseDeclared: pkglicense, } @@ -151,17 +153,21 @@ func ParsePackage(input, output, author, organization, license string) error { } } - cksum := sha256.Sum256(buf) + cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field + cksumSHA256 := sha256.Sum256(buf) log.Info().Str("name", hdr.Name). Int("size", bufsz). - Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksum[:]))). + Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))). Msg("file entry detected") sfile := &spdx.File{ Entity: spdx.Entity{ - Name: fmt.Sprintf("/%s", hdr.Name), - Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum[:])}, + Name: fmt.Sprintf("/%s", hdr.Name), + Checksum: map[string]string{ + "SHA1": hex.EncodeToString(cksumSHA1[:]), + "SHA256": hex.EncodeToString(cksumSHA256[:]), + }, }, } if err := spkg.AddFile(sfile); err != nil { @@ -192,11 +198,12 @@ func InstalledPackage(doc *spdx.Document, pkg *IndexEntry, files []string) error }{ Person: pkg.PackageMaintainer, }, + FilesAnalyzed: true, LicenseDeclared: pkg.PackageLicense, } for _, file := range files { - sinfo, err := os.Stat(file) + info, err := os.Stat(file) if err != nil { if errors.Is(err, os.ErrNotExist) { continue @@ -205,8 +212,8 @@ func InstalledPackage(doc *spdx.Document, pkg *IndexEntry, files []string) error return err } - if !sinfo.Mode().IsRegular() { - log.Warn().Str("file", file).Interface("mode", sinfo.Mode()).Msg("skipping entry since not a regular file") + if !info.Mode().IsRegular() { + log.Warn().Str("file", file).Interface("mode", info.Mode()).Msg("skipping entry since not a regular file") continue } @@ -217,18 +224,34 @@ func InstalledPackage(doc *spdx.Document, pkg *IndexEntry, files []string) error } defer fhandle.Close() - shaWriter := sha256.New() - if _, err := io.Copy(shaWriter, fhandle); err != nil { - return err + buf := make([]byte, info.Size()) + + var bufsz int + + if bufsz, err = fhandle.Read(buf); err != nil { + if !errors.Is(err, io.EOF) { + log.Error().Err(err).Str("name", info.Name()).Msg("unable to read content") + + return err + } } - cksum := shaWriter.Sum(nil) + cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field + cksumSHA256 := sha256.Sum256(buf) + + log.Info().Str("name", info.Name()). + Int("size", bufsz). + Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))). + Msg("file entry detected") sfile := spdx.NewFile() sfile.SetEntity( &spdx.Entity{ - Name: file, - Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum)}, + Name: file, + Checksum: map[string]string{ + "SHA1": hex.EncodeToString(cksumSHA1[:]), + "SHA256": hex.EncodeToString(cksumSHA256[:]), + }, }, ) diff --git a/pkg/distro/deb/deb.go b/pkg/distro/deb/deb.go index eeb76f2..2906e89 100644 --- a/pkg/distro/deb/deb.go +++ b/pkg/distro/deb/deb.go @@ -3,6 +3,7 @@ package deb import ( "archive/tar" "bufio" + "crypto/sha1" //nolint:gosec // used only to produce the sha1 checksum field "encoding/hex" "errors" "fmt" @@ -48,6 +49,7 @@ func ParsePackage(input, output, author, organization, license string) error { }{ Person: debfile.Control.Maintainer, }, + FilesAnalyzed: true, LicenseDeclared: license, } @@ -87,17 +89,21 @@ func ParsePackage(input, output, author, organization, license string) error { } } - cksum := sha256.Sum256(buf) + cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field + cksumSHA256 := sha256.Sum256(buf) log.Info().Str("name", hdr.Name). Int("size", bufsz). - Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksum[:]))). + Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))). Msg("file entry detected") sfile := &spdx.File{ Entity: spdx.Entity{ - Name: hdr.Name[1:], - Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum[:])}, + Name: hdr.Name[1:], + Checksum: map[string]string{ + "SHA1": hex.EncodeToString(cksumSHA1[:]), + "SHA256": hex.EncodeToString(cksumSHA256[:]), + }, }, } if err := spkg.AddFile(sfile); err != nil { @@ -277,6 +283,7 @@ func InstalledPackage(doc *spdx.Document, pkg Package, path string) error { }{ Person: pkg.Maintainer, }, + FilesAnalyzed: true, LicenseDeclared: "unknown", } @@ -303,24 +310,41 @@ func InstalledPackage(doc *spdx.Document, pkg Package, path string) error { continue } + // FIXME: also compute sha1 fhandle, err := os.Open(line) if err != nil { return err } defer fhandle.Close() - shaWriter := sha256.New() - if _, err := io.Copy(shaWriter, fhandle); err != nil { - return err + buf := make([]byte, info.Size()) + + var bufsz int + + if bufsz, err = fhandle.Read(buf); err != nil { + if !errors.Is(err, io.EOF) { + log.Error().Err(err).Str("name", info.Name()).Msg("unable to read content") + + return err + } } - cksum := shaWriter.Sum(nil) + cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field + cksumSHA256 := sha256.Sum256(buf) + + log.Info().Str("name", info.Name()). + Int("size", bufsz). + Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))). + Msg("file entry detected") sfile := spdx.NewFile() sfile.SetEntity( &spdx.Entity{ - Name: line, - Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum)}, + Name: line, + Checksum: map[string]string{ + "SHA1": hex.EncodeToString(cksumSHA1[:]), + "SHA256": hex.EncodeToString(cksumSHA256[:]), + }, }, ) diff --git a/pkg/distro/rpm/rpm.go b/pkg/distro/rpm/rpm.go index d4e68ae..2554a9b 100644 --- a/pkg/distro/rpm/rpm.go +++ b/pkg/distro/rpm/rpm.go @@ -1,8 +1,10 @@ package rpm import ( + "crypto/sha1" //nolint:gosec // used only to produce the sha1 checksum field "crypto/sha256" "encoding/hex" + "errors" "fmt" "io" "os" @@ -87,6 +89,7 @@ func ParsePackage(input, output, author, organization, license string) error { }{ Organization: vendor[0], }, + FilesAnalyzed: true, LicenseDeclared: pkglicense, } @@ -119,18 +122,34 @@ func ParsePackage(input, output, author, organization, license string) error { } defer fhandle.Close() - shaWriter := sha256.New() - if _, err := io.Copy(shaWriter, fhandle); err != nil { - return err + buf := make([]byte, info.Size()) + + var bufsz int + + if bufsz, err = fhandle.Read(buf); err != nil { + if !errors.Is(err, io.EOF) { + log.Error().Err(err).Str("name", finfo.Name()).Msg("unable to read content") + + return err + } } - cksum := shaWriter.Sum(nil) + cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field + cksumSHA256 := sha256.Sum256(buf) + + log.Info().Str("name", info.Name()). + Int("size", bufsz). + Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))). + Msg("file entry detected") sfile := spdx.NewFile() sfile.SetEntity( &spdx.Entity{ - Name: finfo.Name(), - Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum)}, + Name: finfo.Name(), + Checksum: map[string]string{ + "SHA1": hex.EncodeToString(cksumSHA1[:]), + "SHA256": hex.EncodeToString(cksumSHA256[:]), + }, }, ) @@ -162,6 +181,7 @@ func InstalledPackage(doc *spdx.Document, pkg *rpmdb.PackageInfo) error { }{ Person: pkg.Vendor, }, + FilesAnalyzed: true, LicenseDeclared: pkg.License, } @@ -190,18 +210,34 @@ func InstalledPackage(doc *spdx.Document, pkg *rpmdb.PackageInfo) error { } defer fhandle.Close() - shaWriter := sha256.New() - if _, err := io.Copy(shaWriter, fhandle); err != nil { - return err + buf := make([]byte, info.Size()) + + var bufsz int + + if bufsz, err = fhandle.Read(buf); err != nil { + if !errors.Is(err, io.EOF) { + log.Error().Err(err).Str("name", info.Name()).Msg("unable to read content") + + return err + } } - cksum := shaWriter.Sum(nil) + cksumSHA1 := sha1.Sum(buf) //nolint:gosec // used only to produce the sha1 checksum field + cksumSHA256 := sha256.Sum256(buf) + + log.Info().Str("name", info.Name()). + Int("size", bufsz). + Str("cksum", fmt.Sprintf("SHA256:%s", hex.EncodeToString(cksumSHA256[:]))). + Msg("file entry detected") sfile := spdx.NewFile() sfile.SetEntity( &spdx.Entity{ - Name: ifile.Path, - Checksum: map[string]string{"SHA256": hex.EncodeToString(cksum)}, + Name: ifile.Path, + Checksum: map[string]string{ + "SHA1": hex.EncodeToString(cksumSHA1[:]), + "SHA256": hex.EncodeToString(cksumSHA256[:]), + }, }, )