Finalize fingerprinting implementation for SBoM sources
Why are we doing this work
In the initial implementation of the source parser we used a SHA-256 digest of the data converted to JSON. This has multiple problems:
- JSON is malleable: the same data can serialize to different JSON strings, and therefore to different digests.
- There are performance concerns with `to_json`.
Once we begin populating the DB with this data, changing the fingerprinting scheme will be hard, so we should settle on the best implementation now.
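To make the malleability point concrete, here is an added Ruby illustration (example code written for this issue, not the parser's actual implementation). The two sample sources and their field names are constructed; `canonicalize`, `canonical_fingerprint` and `field_fingerprint` are hypothetical helper names, and only the Ruby standard library (`json`, `digest`) is assumed.

```ruby
require 'json'
require 'digest'

# Constructed sample input: the same SBoM source described twice, differing
# only in key order. Ruby hashes preserve insertion order and `to_json`
# follows it, so the serialized strings (and therefore their digests) differ.
SOURCE_A = {
  'type' => 'dependency_scanning',
  'data' => {
    'input_file' => { 'path' => 'Gemfile.lock' },
    'package_manager' => { 'name' => 'bundler' }
  }
}.freeze

SOURCE_B = {
  'data' => {
    'package_manager' => { 'name' => 'bundler' },
    'input_file' => { 'path' => 'Gemfile.lock' }
  },
  'type' => 'dependency_scanning'
}.freeze

# The scheme described in the issue: digest of whatever `to_json` emits.
# Unstable, because it depends on key order and on key type (symbol vs string).
def naive_fingerprint(source)
  Digest::SHA256.hexdigest(source.to_json)
end

# Hypothetical helper: recursively normalize keys to strings and sort them so
# the structure serializes identically regardless of how it was built.
# Array order is kept, since element order is usually meaningful in an SBoM.
def canonicalize(value)
  case value
  when Hash
    value.transform_keys(&:to_s).sort.to_h.transform_values { |v| canonicalize(v) }
  when Array
    value.map { |v| canonicalize(v) }
  else
    value
  end
end

# Hypothetical helper: stable fingerprint over the canonical compact JSON form.
def canonical_fingerprint(source)
  Digest::SHA256.hexdigest(JSON.generate(canonicalize(source)))
end

# Hypothetical alternative that avoids serializing the whole object: hash only
# the attributes that define identity. Each field is length-prefixed so that
# ("ab", "c") and ("a", "bc") cannot collide, which a plain join would allow.
def field_fingerprint(*fields)
  encoded = fields.map { |f| s = f.to_s; "#{s.bytesize}:#{s}" }.join
  Digest::SHA256.hexdigest(encoded)
end

if __FILE__ == $PROGRAM_NAME
  puts "naive     A: #{naive_fingerprint(SOURCE_A)}"
  puts "naive     B: #{naive_fingerprint(SOURCE_B)}"
  puts "canonical A: #{canonical_fingerprint(SOURCE_A)}"
  puts "canonical B: #{canonical_fingerprint(SOURCE_B)}"
end
```

Running it shows the naive digests of `SOURCE_A` and `SOURCE_B` differ while the canonical ones match. Note that canonicalization adds a full traversal on top of serialization, so it does nothing for the `to_json` performance concern; `field_fingerprint` is the shape that does, at the cost of having to enumerate the identity-defining fields up front (and migrating stored fingerprints if that set ever changes).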
Relevant links
Non-functional requirements
- Documentation:
- Feature flag:
- Performance:
- Testing: