Add archive checksum (ossf#978)

* added sha256 checksum of archive in staticanalysis result Signed-off-by: h0x0er <jatink843@protonmail.com> * logging error instead of returning Signed-off-by: h0x0er <jatink843@protonmail.com> * nit: removed unnecessary format Signed-off-by: h0x0er <jatink843@protonmail.com> --------- Signed-off-by: h0x0er <jatink843@protonmail.com>
another-rex · Dec 11, 2023 · 40fa3a1 · 40fa3a1
1 parent f98d3b4
commit 40fa3a1
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/internal/staticanalysis/result.go b/internal/staticanalysis/result.go
@@ -13,7 +13,8 @@ import (
 // Result (staticanalysis.Result) is the top-level internal data structure
 // that stores all data produced by static analysis performed on a package artifact.
 type Result struct {
-	Files []SingleResult
+	ArchiveSHA256 string
+	Files         []SingleResult
 }
 
 /*

diff --git a/sandboxes/staticanalysis/staticanalyze.go b/sandboxes/staticanalysis/staticanalyze.go
@@ -180,6 +180,14 @@ func run() (err error) {
 		return fmt.Errorf("static analysis error: %w", err)
 	}
 
+	startHashTime := time.Now()
+	archiveHash, err := utils.SHA256Hash(archivePath)
+	if err != nil {
+		slog.WarnContext(ctx, "failed to calculate archive checksum", "error", err)
+	}
+	results.ArchiveSHA256 = archiveHash
+	hashTime := time.Since(startHashTime)
+
 	startWritingResultsTime := time.Now()
 
 	jsonResult, err := json.Marshal(results)
@@ -209,11 +217,12 @@ func run() (err error) {
 	writingResultsTime := time.Since(startWritingResultsTime)
 
 	totalTime := time.Since(startTime)
-	otherTime := totalTime - writingResultsTime - analysisTime - extractionTime
+	otherTime := totalTime - writingResultsTime - analysisTime - extractionTime - hashTime
 
 	slog.InfoContext(ctx, "Execution times",
 		"download and extraction", extractionTime,
 		"analysis", analysisTime,
+		"sha256Hash calculation", hashTime,
 		"writing results", writingResultsTime,
 		"other", otherTime,
 		"total", totalTime)