packageVerificationCode method

String packageVerificationCode()

Gets the package verification code. The code is generated from the SHA1 digests of all the Dart files in the package, combined with the digest of the pubspec.yaml file. The algorithm used is from section 3.9.4 of the SPDX 2.2 specification. Files for which no digest is obtained are left out of the calculation. Returns an empty string if the code cannot be generated.

Implementation

/// Builds the package verification code from per-file SHA1 digests.
///
/// Digests are taken for every path returned by [packageDartFiles] and for
/// the pubspec file under [_topLevelPath]. They are recorded in [_digests],
/// sorted ascending by their string form, and passed to [combinedDigest],
/// whose result is returned unchanged.
String packageVerificationCode() {
  final collected = <Digest>[];

  // One SHA1 digest per Dart source file.
  // NOTE(review): a file whose digest comes back null is dropped without any
  // signal, so the resulting code can cover fewer files than the package
  // holds. Confirm that callers can detect this case.
  for (final dartFile in packageDartFiles()) {
    final fileDigest = _sha1Digest(dartFile);
    if (fileDigest == null) {
      continue;
    }
    collected.add(fileDigest);
  }

  // The pubspec file is hashed after the Dart files and is skipped in the
  // same silent way when no digest is available.
  final pubspecDigest = _sha1Digest(
    path.join(_topLevelPath, SbomConstants.sbomPubspecFile),
  );
  if (pubspecDigest != null) {
    collected.add(pubspecDigest);
  }

  // Record the digests before sorting, i.e. in collection order.
  // NOTE(review): every call appends again; if _digests is a list, repeated
  // calls will store duplicates. Confirm against the field's declaration.
  _digests.addAll(collected);

  // Ascending order of the digests' string form makes the combined value
  // independent of the order in which the files were enumerated.
  collected.sort((left, right) => '$left'.compareTo('$right'));

  return combinedDigest(collected);
}