Added checksums for content inside archives for SBOM.jsons

[aidanhall34]

Hi All,

Going to apologise in advance if I have not done this correctly. I'm fairly new to contributing to OS projects, especially one as big as OpenTelemetry. Feel free to give me any "contributor" pointers so I can be a good open source citizen.

As far as I am aware, checksums are provided for archive files but not there contents.
I have a use case where I want the checksum of the binary inside the archive before I download them.

I have added some syft envvars to the cmd/goreleaser/internal/configure.go config.SBOM struct that will provide checksums for archive contents.

Files section before the change reference file

  "files":
    [
      {
        "fileName": "otelcol-contrib",
        "SPDXID": "SPDXRef-File-otelcol-contrib-8f08648b0a2b389a",
        "checksums":
          [
            {
              "algorithm": "SHA1",
              "checksumValue": "0000000000000000000000000000000000000000",
            },
          ],
        "licenseConcluded": "NOASSERTION",
        "licenseInfoInFiles": ["NOASSERTION"],
        "copyrightText": "",
      },
    ],

Files section after the change

    "files": [
        {
            "fileName": "/tmp/syft-archive-contents-833386759",
            "SPDXID": "SPDXRef-File-tmp-syft-archive-contents-833386759-60e2698d628d456f",
            "fileTypes": [
                "OTHER"
            ],
            "checksums": [
                {
                    "algorithm": "SHA1",
                    "checksumValue": "0000000000000000000000000000000000000000"
                }
            ],
            "licenseConcluded": "NOASSERTION",
            "licenseInfoInFiles": [
                "NOASSERTION"
            ],
            "copyrightText": ""
        },
        {
            "fileName": "README.md",
            "SPDXID": "SPDXRef-File-README.md-367a886d576a2cf3",
            "fileTypes": [
                "TEXT"
            ],
            "checksums": [
                {
                    "algorithm": "SHA256",
                    "checksumValue": "b38ed0afb0c73ff4e6371e4444c267b55cf543f939bca481d938e6bbe871825a"
                }
            ],
            "licenseConcluded": "NOASSERTION",
            "licenseInfoInFiles": [
                "NOASSERTION"
            ],
            "copyrightText": ""
        },
        {
            "fileName": "otelcol",
            "SPDXID": "SPDXRef-File-otelcol-d0b37298759a7bad",
            "fileTypes": [
                "APPLICATION",
                "BINARY"
            ],
            "checksums": [
                {
                    "algorithm": "SHA256",
                    "checksumValue": "dcb7367e6376c42697cd955cd2f27b212bcfc99c16b6007ae1dd81cb781b582e"
                }
            ],
            "licenseConcluded": "NOASSERTION",
            "licenseInfoInFiles": [
                "NOASSERTION"
            ],
            "copyrightText": ""
        }
    ],

Checking the checksum:

I hope this can be merged as it'll save me a few clicks per release upgrade.

Thanks!
Aidan

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: aidanhall34 / name: Aidan Hall (67837ea, c93a3f4, 9436ba6)