mirror of
https://github.com/anchore/syft.git
synced 2025-11-17 16:33:21 +01:00
706322f826
* add initial spdx support Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * expose FileOwner and use in SPDX presenter Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add initial json support for SPDX Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add remaining package fields Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add spdx license list generation + tests Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * keep fileOwner unexported from pkg Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * restore cli test util Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add external refs to spdx tag-value format Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add golang support to CPE generation Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * use tag-value format as default "spdx" format flavor Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add tests around spdx presenters + refactor presenter tests Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add bouncer exception for spdx tools-golang repo Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove spdx model questions Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
24 lines
1.7 KiB
Go
24 lines
1.7 KiB
Go
package spdx22
|
|
|
|
// Why are there two package identifier fields Package Checksum and Package Verification?
|
|
// Although the values of the two fields Package Checksum and Package Verification are similar, they each serve a
|
|
// different purpose. The Package Checksum provides a unique identifier of a software package which is computed by
|
|
// taking the SHA1 of the entire software package file. This enables one to quickly determine if two different copies
|
|
// of a package are the same. One disadvantage of this approach is that one cannot add an SPDX data file into the
|
|
// original package without changing the Package Checksum value. Alternatively, the Package Verification field enables
|
|
// the inclusion of an SPDX file. It enables one to quickly verify if one or more of the original package files has
|
|
// changed. The Package Verification field is a unique identifier that is based on SHAing only the original package
|
|
// files (e.g., excluding the SPDX file). This allows one to add an SPDX file to the original package without changing
|
|
// this unique identifier.
|
|
// source: https://wiki.spdx.org/view/SPDX_FAQ
|
|
type PackageVerificationCode struct {
|
|
// "A file that was excluded when calculating the package verification code. This is usually a file containing
|
|
// SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded
|
|
// from the package verification code. If this is not done it would be impossible to correctly calculate the
|
|
// verification codes in both files.
|
|
PackageVerificationCodeExcludedFiles []string `json:"packageVerificationCodeExcludedFiles"`
|
|
|
|
// The actual package verification code as a hex encoded value.
|
|
PackageVerificationCodeValue string `json:"packageVerificationCodeValue"`
|
|
}
|