internal/openvex: add hash for doc ID

Maceo Thompson · Maceo Thompson · commit ce0605bc84d9 · 2024-06-03T16:25:45.000Z
updates golang/go#62486 Change-Id: I741ee275288b978becb46d5072ae22857152f2b6 Reviewed-on: https://go-review.googlesource.com/c/vuln/+/575860 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
diff --git a/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct b/cmd/govulncheck/testdata/common/testfiles/binary-call/binary_vex.ct
@@ -3,7 +3,7 @@
 $ govulncheck -format openvex -mode binary ${common_vuln_binary}
 {
   "@context": "https://openvex.dev/ns/v0.2.0",
-  "@id": "govulncheckVEX",
+  "@id": "govulncheck/vex:b2e8274f24820051d79285827c4fe6e1912c99143a4693804b9a5c366ec5fb8d",
   "author": "Unknown Author",
   "timestamp": "2024-01-01T00:00:00",
   "version": 1,
diff --git a/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct b/cmd/govulncheck/testdata/common/testfiles/source-call/source_call_vex.ct
@@ -3,7 +3,7 @@
 $ govulncheck -C ${moddir}/vuln -format openvex ./...
 {
   "@context": "https://openvex.dev/ns/v0.2.0",
-  "@id": "govulncheckVEX",
+  "@id": "govulncheck/vex:b2e8274f24820051d79285827c4fe6e1912c99143a4693804b9a5c366ec5fb8d",
   "author": "Unknown Author",
   "timestamp": "2024-01-01T00:00:00",
   "version": 1,
diff --git a/internal/openvex/handler.go b/internal/openvex/handler.go
@@ -5,6 +5,7 @@
 package openvex
 
 import (
+	"crypto/sha256"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -88,14 +89,16 @@ func (h *handler) Flush() error {
 
 func toVex(h *handler) Document {
 	doc := Document{
-		ID:         "govulncheckVEX", // TODO: create hash from document for ID
 		Context:    ContextURI,
 		Author:     DefaultAuthor,
 		Timestamp:  time.Now().UTC(),
 		Version:    1,
 		Tooling:    Tooling,
 		Statements: statements(h),
 	}
+
+	id := hashVex(doc)
+	doc.ID = "govulncheck/vex:" + id
 	return doc
 }
 
@@ -160,3 +163,21 @@ func statements(h *handler) []Statement {
 	})
 	return statements
 }
+
+func hashVex(doc Document) string {
+	// json.Marshal should never error here (because of the structure of Document).
+	// If an error does occur, it won't be a jsonerror, but instead a panic
+	d := Document{
+		Context:    doc.Context,
+		ID:         doc.ID,
+		Author:     doc.Author,
+		Version:    doc.Version,
+		Tooling:    doc.Tooling,
+		Statements: doc.Statements,
+	}
+	out, err := json.Marshal(d)
+	if err != nil {
+		panic(err)
+	}
+	return fmt.Sprintf("%x", sha256.Sum256(out))
+}

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`$ govulncheck -format openvex -mode binary ${common_vuln_binary}`
`4`	`4`	`{`
`5`	`5`	`"@context": "https://openvex.dev/ns/v0.2.0",`
`6`		`- "@id": "govulncheckVEX",`
	`6`	`+ "@id": "govulncheck/vex:b2e8274f24820051d79285827c4fe6e1912c99143a4693804b9a5c366ec5fb8d",`
`7`	`7`	`"author": "Unknown Author",`
`8`	`8`	`"timestamp": "2024-01-01T00:00:00",`
`9`	`9`	`"version": 1,`
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`$ govulncheck -C ${moddir}/vuln -format openvex ./...`
`4`	`4`	`{`
`5`	`5`	`"@context": "https://openvex.dev/ns/v0.2.0",`
`6`		`- "@id": "govulncheckVEX",`
	`6`	`+ "@id": "govulncheck/vex:b2e8274f24820051d79285827c4fe6e1912c99143a4693804b9a5c366ec5fb8d",`
`7`	`7`	`"author": "Unknown Author",`
`8`	`8`	`"timestamp": "2024-01-01T00:00:00",`
`9`	`9`	`"version": 1,`