
Add better definition for hashes

Open tngraf opened this issue 4 years ago • 6 comments

CycloneDX is great format and can be used for multiple purposes - thank you!

CycloneDX allows to specify hashes, for integrity, for packaging, etc. You can specify the hash algorithm and the hash value.

What I am missing is for what the hash has been calculated, i.e. for which file. Imagine there is a NuGet component: is the hash for the NuGet package (system.buffers.4.5.1.nupkg) or for the library itself (System.Buffers.dll)? A similar question pops up when we want to add the hash of the tool that has been used to create the SBOM: is it the executable, the setup or the zip file?

=> Wouldn't it be more suitable to add a file property to the hash?

tngraf, Oct 28 '21 10:10

Great point. We follow whatever the convention is for the particular ecosystem, which makes it easy to cross-reference upstream, etc. But that should be more clear.

For NuGet it's the hash of the nupkg file itself. Note that this differs from the hash in a package lock file, in case you are using one.

coderpatros, Oct 28 '21 10:10

@tngraf thanks for this issue! I've tried to figure out the answer to this question. I even needed to go through the code of CycloneDX tools :)

oxdef, Dec 30 '21 07:12

I'd suggest using the following methods:

Have a component which was downloaded from the internet:

  • Component has an external reference of type "distribution", and the hash of the downloadable file is added to the external reference.
  • example component:
    {
      "type": "library",
      "name": "my-lib",
      "externalReferences": [
        {
          "url": "https://acme.com/dist/my-lib.tar.gz",
          "type": "distribution",
          "hashes": [{"alg": "MD5", "content": "acbd18db4cc2f85cedef654fccc4a4d8"}]
        }
      ]
    }

Have a component that is just one file:

  • the hash of the file is added to the component
  • example component:
    {
      "type": "library",
      "name": "my-lib",
      "hashes": [{"alg": "MD5", "content": "acbd18db4cc2f85cedef654fccc4a4d8"}]
    }

Have a component that is split over multiple files:

  • create a subcomponent of type "file" with the appropriate hash
  • example component:
    {
      "type": "library",
      "name": "my-lib",
      "components": [
        {
          "type": "file",
          "name": "foo.py",
          "hashes": [{"alg": "MD5", "content": "acbd18db4cc2f85cedef654fccc4a4d8"}]
        },
        {
          "type": "file",
          "name": "bar.py",
          "hashes": [{"alg": "MD5", "content": "37b51d194a7513e45b56f6524f2d51f2"}]
        }
      ]
    }

Of course, all the above methods can be combined.

jkowalleck, Feb 28 '24 14:02
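A verifier for the three hash placements described in the comment above, added here as an example and not part of the CycloneDX project or this thread. It assumes the hash `alg` values are the spec's upper-case names; the sample files (`foo.py`, `bar.py`, `my-lib.tar.gz`) and their contents are constructed for the demo, with `bar.py` deliberately altered so its recorded MD5 no longer matches.

```python
import hashlib
import tempfile
from pathlib import Path

# CycloneDX hash "alg" enum values (upper-case in the spec) -> hashlib names.
ALGS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def file_digest(path, alg):
    """Stream the file through the chosen digest; returns a lower-case hex string."""
    h = hashlib.new(ALGS[alg])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_hashes(hashes, path):
    """Map each hash entry's alg -> True/False (False also for unsupported algs)."""
    if path is None:
        return "missing"  # the artefact the hash refers to is not on disk
    return {e["alg"]: e["alg"] in ALGS and file_digest(path, e["alg"]) == e["content"].lower()
            for e in hashes}


def verify_component(component, paths):
    """Check all three placements; paths maps a URL or file name -> local path."""
    report = {}
    # 1. "distribution" external reference: the hash covers the downloaded archive
    for ref in component.get("externalReferences", []):
        if ref.get("type") == "distribution" and "hashes" in ref:
            report[ref["url"]] = check_hashes(ref["hashes"], paths.get(ref["url"]))
    # 2. hashes on the component itself: the component is a single file
    if "hashes" in component:
        report[component["name"]] = check_hashes(component["hashes"], paths.get(component["name"]))
    # 3. nested components of type "file": one hash set per file of the component
    for sub in component.get("components", []):
        if sub.get("type") == "file" and "hashes" in sub:
            report[sub["name"]] = check_hashes(sub["hashes"], paths.get(sub["name"]))
    return report


def demo():
    """Constructed sample: archive and foo.py match their hashes, bar.py was altered."""
    d = Path(tempfile.mkdtemp())
    (d / "my-lib.tar.gz").write_bytes(b"foo")
    (d / "foo.py").write_bytes(b"foo")
    (d / "bar.py").write_bytes(b"baz")  # recorded hash is md5("bar")
    url = "https://acme.com/dist/my-lib.tar.gz"
    component = {"type": "library", "name": "my-lib",
                 "externalReferences": [{"url": url, "type": "distribution",
                     "hashes": [{"alg": "MD5", "content": "acbd18db4cc2f85cedef654fccc4a4d8"}]}],
                 "components": [
                     {"type": "file", "name": "foo.py", "hashes": [
                         {"alg": "MD5", "content": "acbd18db4cc2f85cedef654fccc4a4d8"},
                         {"alg": "SHA-256", "content":
                          "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"}]},
                     {"type": "file", "name": "bar.py", "hashes": [
                         {"alg": "MD5", "content": "37b51d194a7513e45b56f6524f2d51f2"}]}]}
    return verify_component(component, {url: d / "my-lib.tar.gz",
                                        "foo.py": d / "foo.py", "bar.py": d / "bar.py"})
```

A `False` for any algorithm means the artefact on disk is not the one the SBOM describes; a `"missing"` entry means the SBOM names a file that was not supplied for checking.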