feat(spdx-reporter): Write out the checksum for the binary package

See [1] for the background discussion.

[1]: #7064

Signed-off-by: Sebastian Schuberth <[email protected]>

model/src/main/kotlin/HashAlgorithm.kt

@@ -33,7 +33,7 @@ import org.ossreviewtoolkit.utils.common.encodeHex
  * An enum of supported hash algorithms. Each algorithm has one or more [aliases] associated to it, where the first
  * alias is the definite name.
  */
-enum class HashAlgorithm(private vararg val aliases: String, val verifiable: Boolean = true) {
+enum class HashAlgorithm(vararg val aliases: String, val verifiable: Boolean = true) {
  /**
  * No hash algorithm.
  */

plugins/reporters/spdx/src/funTest/kotlin/SpdxDocumentReporterFunTest.kt

@@ -198,14 +198,20 @@ private val ortResult = OrtResult(
  packages = setOf(
  Package(
  id = Identifier("Maven:first-package-group:first-package:0.0.1"),
- binaryArtifact = RemoteArtifact("https://some-host/first-package.jar", Hash.NONE),
+ binaryArtifact = RemoteArtifact(
+ url = "https://some-host/first-package.jar",
+ hash = Hash.create("0000000000000000000000000000000000000000")
+ ),
  concludedLicense = "BSD-2-Clause AND BSD-3-Clause AND MIT".toSpdx(),
  declaredLicenses = setOf("BSD-3-Clause", "MIT OR GPL-2.0-only"),
  description = "A package with all supported attributes set, with a VCS URL containing a user " +
  "name, and with a scan result containing two copyright finding matched to a license " +
  "finding.",
  homepageUrl = "first package's homepage URL",
- sourceArtifact = RemoteArtifact("https://some-host/first-package-sources.jar", Hash.NONE),
+ sourceArtifact = RemoteArtifact(
+ url = "https://some-host/first-package-sources.jar",
+ hash = Hash.create("0000000000000000000000000000000000000000")
+ ),
  vcs = VcsInfo(
  type = VcsType.GIT,
  revision = "master",
@@ -271,7 +277,7 @@ private val ortResult = OrtResult(
  provenance = ArtifactProvenance(
  sourceArtifact = RemoteArtifact(
  url = "https://some-host/first-package-sources.jar",
- hash = Hash.NONE
+ hash = Hash.create("0000000000000000000000000000000000000000")
  )
  ),
  scanner = ScannerDetails.EMPTY,

plugins/reporters/spdx/src/main/kotlin/Extensions.kt

@@ -17,8 +17,11 @@
  * License-Filename: LICENSE
  */
 
+@file:Suppress("TooManyFunctions")
+
 package org.ossreviewtoolkit.plugins.reporters.spdx
 
+import org.ossreviewtoolkit.model.Hash
 import org.ossreviewtoolkit.model.Identifier
 import org.ossreviewtoolkit.model.Package
 import org.ossreviewtoolkit.model.ScanResult
@@ -33,6 +36,7 @@ import org.ossreviewtoolkit.utils.spdx.SpdxConstants
 import org.ossreviewtoolkit.utils.spdx.SpdxExpression
 import org.ossreviewtoolkit.utils.spdx.SpdxLicense
 import org.ossreviewtoolkit.utils.spdx.SpdxLicenseException
+import org.ossreviewtoolkit.utils.spdx.model.SpdxChecksum
 import org.ossreviewtoolkit.utils.spdx.model.SpdxDocument
 import org.ossreviewtoolkit.utils.spdx.model.SpdxExternalReference
 import org.ossreviewtoolkit.utils.spdx.model.SpdxExtractedLicenseInfo
@@ -41,6 +45,17 @@ import org.ossreviewtoolkit.utils.spdx.model.SpdxPackageVerificationCode
 import org.ossreviewtoolkit.utils.spdx.toSpdx
 import org.ossreviewtoolkit.utils.spdx.toSpdxId
 
+/**
+ * Convert an ORT [Hash] to an [SpdxChecksum], or return null if a conversion is not possible.
+ */
+private fun Hash.toSpdxChecksum() =
+ SpdxChecksum.Algorithm.values().find { it.name in algorithm.aliases }?.let {
+ SpdxChecksum(
+ algorithm = it,
+ checksumValue = value
+ )
+ }
+
 /**
  * Convert an [Identifier]'s coordinates to an SPDX reference ID with the specified [infix].
  */
@@ -91,6 +106,7 @@ private fun Package.toSpdxExternalReferences(): List<SpdxExternalReference> {
 internal fun Package.toSpdxPackage(licenseInfoResolver: LicenseInfoResolver, isProject: Boolean = false) =
  SpdxPackage(
  spdxId = id.toSpdxId(if (isProject) "Project" else "Package"),
+ checksums = listOfNotNull(binaryArtifact.hash.toSpdxChecksum()),
  copyrightText = licenseInfoResolver.getSpdxCopyrightText(id),
  downloadLocation = binaryArtifact.url.nullOrBlankToSpdxNone(),
  externalRefs = if (isProject) emptyList() else toSpdxExternalReferences(),