
Added checksums for content inside archives for SBOM.jsons

Open · aidanhall34 opened this issue 1 year ago · 1 comment

Hi All,

Going to apologise in advance if I have not done this correctly. I'm fairly new to contributing to OS projects, especially one as big as OpenTelemetry. Feel free to give me any "contributor" pointers so I can be a good open source citizen.

As far as I am aware, checksums are provided for archive files but not their contents. I have a use case where I want the checksum of the binary inside the archive before I download them.

I have added some syft envvars to the cmd/goreleaser/internal/configure.go config.SBOM struct that will provide checksums for archive contents.

Files section before the change (reference file):

```json
"files": [
  {
    "fileName": "otelcol-contrib",
    "SPDXID": "SPDXRef-File-otelcol-contrib-8f08648b0a2b389a",
    "checksums": [
      {
        "algorithm": "SHA1",
        "checksumValue": "0000000000000000000000000000000000000000"
      }
    ],
    "licenseConcluded": "NOASSERTION",
    "licenseInfoInFiles": ["NOASSERTION"],
    "copyrightText": ""
  }
],
```
Files section after the change:

```json
"files": [
    {
        "fileName": "/tmp/syft-archive-contents-833386759",
        "SPDXID": "SPDXRef-File-tmp-syft-archive-contents-833386759-60e2698d628d456f",
        "fileTypes": [
            "OTHER"
        ],
        "checksums": [
            {
                "algorithm": "SHA1",
                "checksumValue": "0000000000000000000000000000000000000000"
            }
        ],
        "licenseConcluded": "NOASSERTION",
        "licenseInfoInFiles": [
            "NOASSERTION"
        ],
        "copyrightText": ""
    },
    {
        "fileName": "README.md",
        "SPDXID": "SPDXRef-File-README.md-367a886d576a2cf3",
        "fileTypes": [
            "TEXT"
        ],
        "checksums": [
            {
                "algorithm": "SHA256",
                "checksumValue": "b38ed0afb0c73ff4e6371e4444c267b55cf543f939bca481d938e6bbe871825a"
            }
        ],
        "licenseConcluded": "NOASSERTION",
        "licenseInfoInFiles": [
            "NOASSERTION"
        ],
        "copyrightText": ""
    },
    {
        "fileName": "otelcol",
        "SPDXID": "SPDXRef-File-otelcol-d0b37298759a7bad",
        "fileTypes": [
            "APPLICATION",
            "BINARY"
        ],
        "checksums": [
            {
                "algorithm": "SHA256",
                "checksumValue": "dcb7367e6376c42697cd955cd2f27b212bcfc99c16b6007ae1dd81cb781b582e"
            }
        ],
        "licenseConcluded": "NOASSERTION",
        "licenseInfoInFiles": [
            "NOASSERTION"
        ],
        "copyrightText": ""
    }
],
```

Checking the checksum: (screenshot, not reproduced here)

I hope this can be merged as it'll save me a few clicks per release upgrade.

Thanks! Aidan

aidanhall34 · Sep 26 '24 05:09
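The use case described in the PR, checking an extracted file against the per-file SHA256 entries the SBOM records before trusting it, as an added Go example that is not part of this PR or the collector project. The JSON field names follow the `files` section shown above; the struct and function names are my own, and the all-zero placeholder check reflects the zeroed SHA1 visible in the "before" output.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)
// Minimal view of the SPDX JSON "files" section shown in the PR description.
type spdxFile struct {
	FileName  string `json:"fileName"`
	Checksums []struct {
		Algorithm     string `json:"algorithm"`
		ChecksumValue string `json:"checksumValue"`
	} `json:"checksums"`
}
// ExpectedSHA256 returns the SHA256 the SBOM records for fileName, rejecting an
// all-zero placeholder like the SHA1 shown for the archive in the "before" output.
func ExpectedSHA256(sbom []byte, fileName string) (string, error) {
	var doc struct {
		Files []spdxFile `json:"files"`
	}
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return "", fmt.Errorf("parse SBOM: %w", err)
	}
	for _, f := range doc.Files {
		for _, c := range f.Checksums {
			if f.FileName != fileName || !strings.EqualFold(c.Algorithm, "SHA256") {
				continue
			}
			if strings.Trim(c.ChecksumValue, "0") == "" {
				return "", fmt.Errorf("%s: all-zero placeholder checksum", fileName)
			}
			return strings.ToLower(c.ChecksumValue), nil
		}
	}
	return "", fmt.Errorf("%s: no usable SHA256 in SBOM", fileName)
}
// VerifyContent hashes an extracted file and compares it with the SBOM entry.
func VerifyContent(sbom []byte, fileName string, content []byte) error {
	want, err := ExpectedSHA256(sbom, fileName)
	if err != nil {
		return err
	}
	if got := fmt.Sprintf("%x", sha256.Sum256(content)); got != want {
		return fmt.Errorf("%s: sha256 %s does not match SBOM %s", fileName, got, want)
	}
	return nil
}
```

The SBOM's per-file checksums are only as trustworthy as the SBOM artifact itself, so its own checksum or signature should be verified before its entries are used to accept a binary.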

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: aidanhall34 / name: Aidan Hall (67837ea6f38f2e523aa1a858778570d2e424cb71, c93a3f44f35ec13dbedb4da79b125d4578f56d3c, 9436ba6af902d98e7a8d32004eb27059f49d7c79)

This PR was marked stale due to lack of activity. It will be closed in 14 days.

github-actions[bot] · Apr 22 '25 09:04

Closed as inactive. Feel free to reopen if this PR is still being worked on.

github-actions[bot] · May 07 '25 05:05