packageVerificationCode method
Gets the package verification code. The code is generated from the SHA-1 digests of all the Dart files in the package together with the digest of the pubspec.yaml file, using the algorithm from section 3.9.4 of the SPDX 2.2 specification. Returns an empty string if the code cannot be generated.
Implementation
String packageVerificationCode() {
  // Get the Dart files SHA1 digests
  final dartFiles = packageDartFiles();
  final packageFileDigests = <Digest>[];
  for (final file in dartFiles) {
    final digest = _sha1Digest(file);
    if (digest != null) {
      packageFileDigests.add(digest);
    }
  }
  // Get the pubspec.yaml digest
  final pubspecPath = path.join(_topLevelPath, SbomConstants.sbomPubspecFile);
  final digest = _sha1Digest(pubspecPath);
  if (digest != null) {
    packageFileDigests.add(digest);
  }
  // Update the file digests
  _digests.addAll(packageFileDigests);
  // Sort the digests ascending
  packageFileDigests.sort((a, b) => a.toString().compareTo(b.toString()));
  return combinedDigest(packageFileDigests);
}
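
The SPDX 2.2 section 3.9.4 algorithm referenced above, as an added stand-alone example; it is not this package's code and does not reproduce its `combinedDigest`. The `verificationCode` function, its map-of-bytes input, the empty-input behaviour and the sample files are assumptions made for the demonstration, and it relies on `package:crypto`.

```dart
import 'dart:convert';

import 'package:crypto/crypto.dart';

/// SPDX 2.2 section 3.9.4: SHA-1 each file, sort the hex digests ascending,
/// concatenate them with no separator, then SHA-1 that string.
/// `files` maps a path to file bytes (hypothetical input shape for this demo).
String verificationCode(Map<String, List<int>> files) {
  if (files.isEmpty) return ''; // assumption: nothing to hash, no code
  final hexDigests = files.values
      .map((bytes) => sha1.convert(bytes).toString())
      .toList()
    ..sort();
  return sha1.convert(ascii.encode(hexDigests.join())).toString();
}

void main() {
  // Constructed sample package contents.
  final package = <String, List<int>>{
    'lib/a.dart': utf8.encode('void a() {}\n'),
    'lib/b.dart': utf8.encode('void b() {}\n'),
    'pubspec.yaml': utf8.encode('name: demo\nversion: 1.0.0\n'),
  };
  final code = verificationCode(package);

  // Enumeration order must not matter: the sort makes the code stable.
  final reordered = Map.fromEntries(package.entries.toList().reversed);
  // A one-byte change in any covered file must change the code.
  final tampered = {...package, 'lib/b.dart': utf8.encode('void b() { }\n')};

  print('code:             $code');
  print('reordered equal:  ${verificationCode(reordered) == code}');
  print('tampered equal:   ${verificationCode(tampered) == code}');
}
```

Because only file contents are hashed, renaming or moving a file leaves the code unchanged, so a matching code confirms content and not layout.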