mirror of
https://github.com/anchore/syft.git
synced 2025-11-18 17:03:17 +01:00
24 lines
1.7 KiB
Go
24 lines
1.7 KiB
Go
package model
|
|
|
|
// Why are there two package identifier fields Package Checksum and Package Verification?
|
|
// Although the values of the two fields Package Checksum and Package Verification are similar, they each serve a
|
|
// different purpose. The Package Checksum provides a unique identifier of a software package which is computed by
|
|
// taking the SHA1 of the entire software package file. This enables one to quickly determine if two different copies
|
|
// of a package are the same. One disadvantage of this approach is that one cannot add an SPDX data file into the
|
|
// original package without changing the Package Checksum value. Alternatively, the Package Verification field enables
|
|
// the inclusion of an SPDX file. It enables one to quickly verify if one or more of the original package files has
|
|
// changed. The Package Verification field is a unique identifier that is based on SHAing only the original package
|
|
// files (e.g., excluding the SPDX file). This allows one to add an SPDX file to the original package without changing
|
|
// this unique identifier.
|
|
// source: https://wiki.spdx.org/view/SPDX_FAQ
|
|
type PackageVerificationCode struct {
|
|
// "A file that was excluded when calculating the package verification code. This is usually a file containing
|
|
// SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded
|
|
// from the package verification code. If this is not done it would be impossible to correctly calculate the
|
|
// verification codes in both files.
|
|
PackageVerificationCodeExcludedFiles []string `json:"packageVerificationCodeExcludedFiles"`
|
|
|
|
// The actual package verification code as a hex encoded value.
|
|
PackageVerificationCodeValue string `json:"packageVerificationCodeValue"`
|
|
}
|