Component hash/SHA validation: helm
Implement hash/checksum validation for all collected components.
Description
For each collector plugin, implement the following:
- After collecting the component, generate its hash (using the helper function `hoppr.net.get_file_hash`)
- If the package manager provides a hash/SHA for the component:
  - Verify the generated hash matches the package-manager-provided hash
- If the user-provided SBOM component has a hash/SHA:
  - Verify the generated hash matches the SBOM component hash
- Write the generated hash to the component in the delivered SBOM
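The steps above, as an added example that is not hoppr project code: the post-collection check a collector plugin would run. It assumes a local `get_file_hash` stand-in (the exact signature of `hoppr.net.get_file_hash` is not shown here), a CycloneDX-style component dict with hashes under `component["hashes"]`, and constructed sample data. Both the package-manager hash and the SBOM hash are optional, a mismatch in either fails the component, and the computed hash is written back so the delivered SBOM always carries it.

```python
"""Added example (not hoppr project code): hash validation for a collected
component. get_file_hash below is a hashlib stand-in for hoppr.net.get_file_hash,
whose exact signature is assumed."""
import hashlib
import hmac
import os
import tempfile
from typing import Optional

# CycloneDX hash algorithm names keyed by hashlib algorithm name
CDX_ALG = {"sha256": "SHA-256", "sha1": "SHA-1", "sha512": "SHA-512", "md5": "MD5"}


class HashMismatchError(Exception):
    """Raised when the computed hash disagrees with a provided hash."""


def get_file_hash(path: str, algorithm: str = "sha256") -> str:
    """Stand-in for the assumed hoppr.net.get_file_hash helper: stream the
    artifact through hashlib so large packages are not read into memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _check(expected: Optional[str], actual: str, source: str) -> None:
    """Compare an optional provided hex digest against the computed one.
    Hex digests are case-insensitive; compare_digest avoids short-circuiting."""
    if expected is None:
        return
    if not hmac.compare_digest(expected.strip().lower(), actual.lower()):
        raise HashMismatchError(f"{source} hash {expected} != computed {actual}")


def validate_and_record(path: str, component: dict,
                        package_manager_hash: Optional[str] = None,
                        algorithm: str = "sha256") -> str:
    """Generate the artifact hash, verify it against the package-manager hash
    and the SBOM component hash when each is present, then write it to the
    component (replacing any existing entry for the same algorithm)."""
    alg_name = CDX_ALG[algorithm]
    computed = get_file_hash(path, algorithm)

    _check(package_manager_hash, computed, "package manager")

    sbom_hash = next((h["content"] for h in component.get("hashes", [])
                      if h.get("alg") == alg_name), None)
    _check(sbom_hash, computed, "SBOM component")

    others = [h for h in component.get("hashes", []) if h.get("alg") != alg_name]
    component["hashes"] = others + [{"alg": alg_name, "content": computed}]
    return computed


# Constructed sample artifact and its well-known SHA-256
SAMPLE_BYTES = b"hello world"
SAMPLE_SHA256 = "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"


def _write_sample() -> str:
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_BYTES)
        return tmp.name


def demo() -> dict:
    """Happy path: SBOM carries an upper-case digest, package manager a lower-case one."""
    path = _write_sample()
    try:
        component = {"name": "sample", "version": "1.0",
                     "hashes": [{"alg": "SHA-256", "content": SAMPLE_SHA256.upper()}]}
        validate_and_record(path, component, package_manager_hash=SAMPLE_SHA256)
        return component
    finally:
        os.remove(path)


def mismatch_is_detected() -> bool:
    """Failure path: a tampered SBOM hash must raise HashMismatchError."""
    path = _write_sample()
    try:
        component = {"name": "sample", "version": "1.0",
                     "hashes": [{"alg": "SHA-256", "content": "0" * 64}]}
        validate_and_record(path, component)
        return False
    except HashMismatchError:
        return True
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo()["hashes"])
    print("mismatch detected:", mismatch_is_detected())
```

The written-back entry is normalised to lower-case hex, so downstream consumers of the delivered SBOM see one canonical form regardless of how the upstream SBOM spelled the digest.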
Additional info
See the corresponding helpers in the OpenSSF Scorecard plugin for potential API endpoints where the hash might be retrieved from the respective package manager.
See the experimental Maven collector and experimental RPM collector for examples.
Edited by Patrick Kwiatkowski