dependency-track
Add Hash Comparison Analysis
When an SBoM is uploaded and processed, compare the hashes of the component as stated in the BOM with the hashes derived from the origin repo the component was retrieved from (via Package URL), to identify modified components or potential risk of impersonated/counterfeit components of malicious intent.
Should this be implemented after support is added for additional repositories (such as Sonatype's Nexus)? Otherwise, the system would not know the hashes for internal components, right?
ideally, yes, after
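The comparison the issue asks for, sketched as an added Python example (not Dependency-Track's own code): BOM-declared hashes are matched per algorithm against the hashes an origin repository reports for the same Package URL, and a component whose repository is unknown (the internal-component case raised in the comment above) is reported separately rather than judged. The repository lookup is a constructed dictionary with fabricated digests, and the BOM is a constructed CycloneDX-style JSON document.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed stand-in for the hashes an origin repository (e.g. Maven Central)
# would report for a Package URL; the values here are fabricated for the example.
REPO_HASHES = {
    "pkg:maven/com.example/lib@1.2.3": {"SHA-256": "aa" * 32, "SHA-1": "bb" * 20},
    "pkg:maven/com.example/util@2.0.0": {"SHA-256": "dd" * 32},
}

# Constructed CycloneDX-style BOM: one genuine, one tampered, one internal component.
SAMPLE_BOM = json.dumps({"components": [
    {"purl": "pkg:maven/com.example/lib@1.2.3",
     "hashes": [{"alg": "SHA-256", "content": "aa" * 32}]},
    {"purl": "pkg:maven/com.example/util@2.0.0",
     "hashes": [{"alg": "SHA-256", "content": "cc" * 32}]},
    {"purl": "pkg:maven/com.internal/app@0.1.0",
     "hashes": [{"alg": "SHA-256", "content": "ee" * 32}]},
]})

@dataclass
class Finding:
    purl: str
    status: str                      # match | mismatch | unknown-repo | no-hashes
    details: List[str] = field(default_factory=list)

def analyze_component(component: dict, repo_hashes: Dict[str, Dict[str, str]]) -> Finding:
    """Compare the hashes declared in the BOM with those known for the same PURL."""
    purl = component.get("purl", "")
    declared = {h["alg"].upper(): h["content"].lower() for h in component.get("hashes", [])}
    if not declared:
        return Finding(purl, "no-hashes")
    known = repo_hashes.get(purl)
    if known is None:
        # Internal or unsupported repository: nothing to compare against, so only
        # report it; do not treat the component as either verified or tampered.
        return Finding(purl, "unknown-repo")
    known = {alg.upper(): digest.lower() for alg, digest in known.items()}
    compared = [alg for alg in declared if alg in known]
    if not compared:
        return Finding(purl, "unknown-repo", ["no common hash algorithm"])
    mismatches = [alg for alg in compared if declared[alg] != known[alg]]
    return Finding(purl, "mismatch" if mismatches else "match", mismatches or compared)

def analyze_bom(bom_json: str, repo_hashes: Dict[str, Dict[str, str]] = REPO_HASHES) -> List[Finding]:
    """Run the comparison over every component of a CycloneDX JSON BOM."""
    return [analyze_component(c, repo_hashes) for c in json.loads(bom_json).get("components", [])]
```

A real implementation would populate the repository side from each supported repository's metadata API rather than a dictionary, which is why the check only becomes meaningful once those repositories are supported.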