feat(sbom): add SHA-512 hash support for CycloneDX SBOM (aquasecurity#9126)

Author: attiand

pkg/digest/digest.go

@@ -21,7 +21,8 @@ func (a Algorithm) String() string {
 const (
 	SHA1   Algorithm = "sha1"   // sha1 with hex encoding (lower case only)
 	SHA256 Algorithm = "sha256" // sha256 with hex encoding (lower case only)
-	MD5    Algorithm = "md5"    // md5 with hex encoding (lower case only)
+	SHA512 Algorithm = "sha512"
+	MD5    Algorithm = "md5" // md5 with hex encoding (lower case only)
 )
 
 // Digest allows simple protection of hex formatted digest strings, prefixed by their algorithm.

pkg/sbom/cyclonedx/marshal.go

@@ -273,6 +273,8 @@ func (m *Marshaler) Hashes(files []core.File) *[]cdx.Hash {
 			alg = cdx.HashAlgoSHA1
 		case digest.SHA256:
 			alg = cdx.HashAlgoSHA256
+		case digest.SHA512:
+			alg = cdx.HashAlgoSHA512
 		case digest.MD5:
 			alg = cdx.HashAlgoMD5
 		default:

pkg/sbom/cyclonedx/testdata/happy/package-hashes.json

@@ -0,0 +1,40 @@
+{
+    "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+    "bomFormat": "CycloneDX",
+    "specVersion": "1.5",
+    "serialNumber": "urn:uuid:379ddfdb-306b-44e4-bff3-9bfb9bbc5fa5",
+    "version": 1,
+    "metadata": {
+        "timestamp": "2022-05-28T10:20:03.79527Z",
+        "tools": [
+            {
+                "vendor": "aquasecurity",
+                "name": "trivy",
+                "version": "dev"
+            }
+        ],
+        "component": {
+            "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a",
+            "type": "container",
+            "name": "maven-test-project"
+        }
+    },
+    "components": [
+        {
+            "bom-ref": "@angular/animations@19.2.10",
+            "type": "library",
+            "name": "@angular/animations",
+            "version": "19.2.10",
+            "scope": "required",
+            "author": "angular",
+            "description": "Angular - animations integration with web-animations",
+            "purl": "pkg:npm/%40angular/animations@19.2.10",
+            "hashes": [
+                {
+                    "alg": "SHA-512",
+                    "content": "2e51fa9add03f3e308d0b57c40dc7dfeba8b2efd1609f60f4bfe625d21a92327ec7e52e83b97511a1b52e297506eee60aa69cb75ff62eebe257512637fbc1bfa"
+                }
+            ]
+        }
+    ]
+}

pkg/sbom/cyclonedx/unmarshal.go

@@ -257,6 +257,8 @@ func (b *BOM) unmarshalHashes(hashes *[]cdx.Hash) []digest.Digest {
 			alg = digest.SHA1
 		case cdx.HashAlgoSHA256:
 			alg = digest.SHA256
+		case cdx.HashAlgoSHA512:
+			alg = digest.SHA512
 		case cdx.HashAlgoMD5:
 			alg = digest.MD5
 		default:

pkg/sbom/cyclonedx/unmarshal_test.go

@@ -848,6 +848,34 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:      "SHA-512",
+			inputFile: "testdata/happy/package-hashes.json",
+			want: types.SBOM{
+				Applications: []ftypes.Application{
+					{
+						Type: ftypes.NodePkg,
+						Packages: ftypes.Packages{
+							{
+								ID:      "@angular/animations@19.2.10",
+								Name:    "@angular/animations",
+								Version: "19.2.10",
+								Identifier: ftypes.PkgIdentifier{
+									PURL: &packageurl.PackageURL{
+										Type:      packageurl.TypeNPM,
+										Namespace: "@angular",
+										Name:      "animations",
+										Version:   "19.2.10",
+									},
+									BOMRef: "@angular/animations@19.2.10",
+								},
+								Digest: "sha512:2e51fa9add03f3e308d0b57c40dc7dfeba8b2efd1609f60f4bfe625d21a92327ec7e52e83b97511a1b52e297506eee60aa69cb75ff62eebe257512637fbc1bfa",
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name:      "invalid serial",
 			inputFile: "testdata/sad/invalid-serial.json",