From ec18e3641402e496b30ae6cfc40e81aae85c7a6c Mon Sep 17 00:00:00 2001
From: Adam Farley
Date: Tue, 19 Mar 2024 14:02:54 +0000
Subject: [PATCH] Correct SBOM Generation Dependency SHAs (#3713)

Provide SHAs for the individual JARs, rather than using the CycloneDX core jar sha for non-CycloneDX jars.

Signed-off-by: Adam Farley
---
 sbin/build.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sbin/build.sh b/sbin/build.sh
index 18d990ed0..54e1bc807 100755
--- a/sbin/build.sh
+++ b/sbin/build.sh
@@ -1038,9 +1038,9 @@ addCycloneDXVersions() {
 for JAR in "${CYCLONEDB_DIR}/build/jar"/*.jar; do
 JarName=$(basename "$JAR")
 if [ "$(uname)" = "Darwin" ]; then
- JarSha=$(shasum -a 256 "${CYCLONEDB_DIR}/build/jar/cyclonedx-core-java.jar" | cut -d' ' -f1)
+ JarSha=$(shasum -a 256 "$JAR" | cut -d' ' -f1)
 else
- JarSha=$(sha256sum "${CYCLONEDB_DIR}/build/jar/cyclonedx-core-java.jar" | cut -d' ' -f1)
+ JarSha=$(sha256sum "$JAR" | cut -d' ' -f1)
 fi
 addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}" "${JarSha}"
 done
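Review bot: The digest assigned to `JarSha` in both branches is handed to `addSBOMFormulationComponentProperty` without any check that hashing actually succeeded. Inside `$(... | cut -d' ' -f1)` the status seen is that of `cut`, so if `shasum`/`sha256sum` cannot read `"$JAR"` the SBOM records an empty SHA for that jar. Now that each iteration hashes the loop variable, this also covers a glob that matches nothing, where `$JAR` is the literal `*.jar` pattern (unless `nullglob` is set elsewhere in build.sh, which is not visible here). I would add `[ -f "$JAR" ] || continue` as the first line of the loop and, after `fi`, `[ "${#JarSha}" -eq 64 ] || { echo "Could not hash ${JAR}" >&2; exit 1; }`. `addCycloneDXVersions` begins above the hunk, so any error handling it already sets up is outside this view.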