Correct SBOM Generation Dependency SHAs (#3713)

Provide SHAs for the individual JARs, rather than using the CycloneDX core jar sha for non-CycloneDX jars. Signed-off-by: Adam Farley <[email protected]>
adoptium · Mar 19, 2024 · ec18e36 · ec18e36
1 parent bb2b6c0
commit ec18e36
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/sbin/build.sh b/sbin/build.sh
@@ -1038,9 +1038,9 @@ addCycloneDXVersions() {
        for JAR in "${CYCLONEDB_DIR}/build/jar"/*.jar; do
          JarName=$(basename "$JAR")
          if [ "$(uname)" = "Darwin" ]; then
-            JarSha=$(shasum -a 256 "${CYCLONEDB_DIR}/build/jar/cyclonedx-core-java.jar" | cut -d' ' -f1)
+            JarSha=$(shasum -a 256 "$JAR" | cut -d' ' -f1)
          else
-            JarSha=$(sha256sum "${CYCLONEDB_DIR}/build/jar/cyclonedx-core-java.jar" | cut -d' ' -f1)
+            JarSha=$(sha256sum "$JAR" | cut -d' ' -f1)
          fi
          addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}" "${JarSha}"
        done