tools-java
Hashes in JSON output are not deterministically ordered
When I create an SPDX document with multiple hashes on a package, the order of the hashes in the output json varies.
The hashes should follow a deterministic ordering.
Please let us know whether we shall prepare a PR for this. Perhaps it must be generalized to other output formats as well to produce comparable outputs.
Regards, Karsten
@karsten-klein - Thanks for raising the issue. I agree, it should be deterministic.
There is already a sort in the JSON output; it must somehow miss the hash algorithms.
Since there are substantial changes to the SPDX 3 version, I would prefer to make the changes there to avoid merge conflicts unless you consider this to be a serious enough issue for a patch release.
If a PR could be opened against the v3 branch of the spdx-java-jackson-store repo where the sort is done, that would be great.
@karsten-klein - Let me know if this is still an issue with the 2.0.0-RC2 version of the tools. If this is still an issue, can you post an example how to reproduce?
@goneall @karsten-klein should we have this in the spec as well? As part of canonical serialization?
https://spdx.github.io/spdx-spec/v3.0.1/serializations/
- Arrays: An array structure is represented as square brackets surrounding zero or more items. Items are separated by commas.
- Objects: An object structure is represented as a pair of curly brackets surrounding zero or more name/value pairs (or members). A name is a string containing only ASCII characters (0x21-0x7F). The names within an object must be unique. A single colon comes after each name, separating the name from the value. A single comma separates a value from a following name. The name/value pairs are ordered by name.
Does the current spec already cover the hash ordering?
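The serialization rules quoted above, applied to a package with several hashes, as an added example. This is not code from tools-java or spdx-java-jackson-store; it uses plain Python and a constructed package (the `spdxId`, name and hash values are made up). The quoted spec text orders object members by name but says nothing about the order of array items, which is exactly the gap the hash ordering falls into; the example therefore adds one rule of its own, sorting arrays that consist only of `Hash` objects by `(algorithm, hashValue)`. That extra rule is an assumption for illustration, not something the spec states.

```python
import json

# Constructed sample: the same package emitted twice with its hashes (and
# member names) in different orders, as happens when the producer iterates a
# HashSet or an unordered map. The identifier and hash values are made up.
PACKAGE_A = {
    "type": "software_Package",
    "spdxId": "https://example.com/pkg-1",  # hypothetical identifier
    "name": "example-lib",
    "verifiedUsing": [
        {"type": "Hash", "algorithm": "sha256", "hashValue": "b" * 64},
        {"type": "Hash", "algorithm": "sha1", "hashValue": "a" * 40},
        {"type": "Hash", "algorithm": "md5", "hashValue": "c" * 32},
    ],
}
PACKAGE_B = {
    "name": "example-lib",
    "verifiedUsing": [
        {"hashValue": "c" * 32, "algorithm": "md5", "type": "Hash"},
        {"hashValue": "b" * 64, "algorithm": "sha256", "type": "Hash"},
        {"hashValue": "a" * 40, "algorithm": "sha1", "type": "Hash"},
    ],
    "spdxId": "https://example.com/pkg-1",
    "type": "software_Package",
}


def canonicalize(value):
    """Return a copy of `value` in canonical form.

    Objects: member names are checked against the spec's ASCII 0x21-0x7F rule
    and ordered by name (the rule quoted from the spec).
    Arrays of Hash objects: sorted by (algorithm, hashValue). This is an added
    assumption; the quoted spec text does not order array items, and other
    arrays are left in producer order because their order may be meaningful.
    """
    if isinstance(value, dict):
        for name in value:
            if not all(0x21 <= ord(ch) <= 0x7F for ch in name):
                raise ValueError(f"member name outside 0x21-0x7F: {name!r}")
        return {name: canonicalize(value[name]) for name in sorted(value)}
    if isinstance(value, list):
        items = [canonicalize(v) for v in value]
        if items and all(isinstance(v, dict) and v.get("type") == "Hash" for v in items):
            items.sort(key=lambda h: (h["algorithm"], h["hashValue"]))
        return items
    return value


def serialize_canonical(doc):
    """Canonical JSON: sorted members, sorted Hash arrays, no whitespace, ASCII only."""
    return json.dumps(canonicalize(doc), separators=(",", ":"), ensure_ascii=True)


def serialize_naive(doc):
    """Serialization in producer order, which is what makes diffs noisy."""
    return json.dumps(doc, separators=(",", ":"))


def canonical_hash_algorithms(doc):
    """Algorithms of the package's hashes in the order canonical output lists them."""
    return [h["algorithm"] for h in canonicalize(doc)["verifiedUsing"]]


if __name__ == "__main__":
    # Producer order differs, canonical output is byte-identical.
    print(serialize_naive(PACKAGE_A) == serialize_naive(PACKAGE_B))          # False
    print(serialize_canonical(PACKAGE_A) == serialize_canonical(PACKAGE_B))  # True
    print(canonical_hash_algorithms(PACKAGE_A))
```

Comparing two SBOMs then reduces to comparing the canonical strings (or their digests). Sorting only arrays made entirely of `Hash` objects keeps the rule narrow: it never reorders an array whose sequence carries meaning, and a mixed array falls through unchanged.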