From c2918717055dcf58f33cf584b96b84cca3f7d71c Mon Sep 17 00:00:00 2001
From: Fabrice Fontaine
Date: Wed, 17 Sep 2025 15:14:34 +0200
Subject: [PATCH] feat(sbom): add checksum

Use path to compute a checksum for the package. It is useful to identify if a package has changed or not.

Signed-off-by: Fabrice Fontaine
---
 cve_bin_tool/sbom_manager/generate.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/cve_bin_tool/sbom_manager/generate.py b/cve_bin_tool/sbom_manager/generate.py
index aa377bfb21..fea94c3a87 100644
--- a/cve_bin_tool/sbom_manager/generate.py
+++ b/cve_bin_tool/sbom_manager/generate.py
@@ -1,6 +1,7 @@
 # Copyright (C) 2024 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+import hashlib
 from logging import Logger
 from pathlib import Path
 from typing import Optional
@@ -113,6 +114,10 @@ def generate_sbom(self) -> None:
 product_data
 ].get("paths"):
 for path in self.all_cve_data[product_data]["paths"]:
+ with open(path.split()[0], "rb") as f:
+ file_data = f.read()
+ sha256_hash = hashlib.sha256(file_data)
+ my_package.set_checksum("SHA256", sha256_hash.hexdigest())
 if self.strip_scan_dir:
 evidence = strip_path(path, self.sbom_root)
 else:
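Review bot: The added `open(path.split()[0], "rb")` inside the `for path` loop has no error handling and trusts a whitespace split of the path entry. A scanned file whose name contains a space is truncated to a different path, and a path that no longer exists when the SBOM is written (for example a member of an archive unpacked to a temporary directory, which is inferred and not visible here) raises out of `generate_sbom`. Because consumers treat an SBOM checksum as the component's identity, omitting the digest on failure is safer than aborting or recording the hash of some other file. `f.read()` also loads each scanned binary fully into memory, and `set_checksum` runs once per path, so with several paths the recorded value depends on `set_checksum` semantics that this hunk does not show. `generate_sbom` begins and continues outside the hunk; the sketch below assumes the class keeps its logger as `self.logger` and shows only the rewritten lines.

```python
for path in self.all_cve_data[product_data]["paths"]:
    file_path = path.split()[0]
    try:
        sha256_hash = hashlib.sha256()
        with open(file_path, "rb") as f:
            # Hash in fixed-size chunks so large images are not held in memory.
            for chunk in iter(lambda: f.read(65536), b""):
                sha256_hash.update(chunk)
    except OSError as err:
        # Leave the checksum unset rather than failing SBOM generation.
        self.logger.warning("No checksum for %s: %s", file_path, err)
    else:
        my_package.set_checksum("SHA256", sha256_hash.hexdigest())
    # … unchanged: strip_scan_dir / evidence handling …
```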