feat: add support for configurable hash algorithms in SBOM generation

Signed-off-by: Cuong Tran <cuong.tran@gmail.com>

Author: ctran

README.md

@@ -184,6 +184,7 @@ tasks.cyclonedxBom {
 | `schemaVersion`                  | `SchemaVersion`           | `VERSION_16`              | CycloneDX schema version to use                                                    |
 | `includeBomSerialNumber`         | `boolean`                 | `true`                    | Include unique BOM serial number                                                   |
 | `includeLicenseText`             | `boolean`                 | `false`                   | Include full license text in components                                            |
+| `hashAlgorithms`                 | `List<String>`            | `[]` (all algorithms)     | Hash algorithms to include in components. Supported values: "MD5", "SHA-1", "SHA-256", "SHA-512", "SHA3-256", "SHA3-512". Leave empty for schema defaults |
 | `includeMetadataResolution`      | `boolean`                 | `true`                    | Include complete metadata resolution for components                                |
 | `includeBuildEnvironment`        | `boolean`                 | `false`                   | Include build environment dependencies (e.g. from buildscript)                     |
 | `includeBuildSystem`             | `boolean`                 | `true`                    | Include build system URL from CI environment                                       |
@@ -289,6 +290,25 @@ tasks.cyclonedxDirectBom {
 }
 ```
 
+#### Hash Algorithm Filtering
+
+To reduce SBOM file size and generation time, you can limit the hash algorithms included in the SBOM:
+
+```kotlin
+tasks.cyclonedxDirectBom {
+    // Include only SHA-256
+    hashAlgorithms = listOf("SHA-256")
+}
+
+// Or include multiple algorithms
+tasks.cyclonedxDirectBom {
+    // Include both SHA-256 and SHA-512 for additional verification
+    hashAlgorithms = listOf("SHA-256", "SHA-512")
+}
+```
+
+By default (when `hashAlgorithms` is empty), all hash algorithms supported by the selected CycloneDX schema version are included.
+
 #### Excluding Projects from Aggregation
 
 To exclude a specific project from SBOM generation (both direct and aggregate tasks), disable the task:

build.gradle.kts

@@ -26,7 +26,7 @@ repositories {
 }
 
 dependencies {
-    api("org.cyclonedx:cyclonedx-core-java:11.0.1") {
+    api("org.cyclonedx:cyclonedx-core-java:12.1.0") {
         exclude(group = "org.apache.logging.log4j", module = "log4j-slf4j-impl")
     }
     api("org.jspecify:jspecify:1.0.0")

src/main/java/org/cyclonedx/gradle/BaseCyclonedxTask.java

@@ -186,6 +186,18 @@ public abstract class BaseCyclonedxTask extends DefaultTask {
     @Input
     public abstract Property<Boolean> getIncludeLicenseText();
 
+    /**
+     * The hash algorithms to include in the SBOM components.
+     * Supported values depend on the CycloneDX schema version.
+     * Common values: "MD5", "SHA-1", "SHA-256", "SHA-512", "SHA3-256", "SHA3-512".
+     * If not set, all algorithms supported by the schema version are included.
+     *
+     * @return the list of hash algorithms to include
+     */
+    @Input
+    @Optional
+    public abstract ListProperty<String> getHashAlgorithms();
+
     public BaseCyclonedxTask() {
         super();
         getComponentGroup().convention(getProject().getProviders().provider(() -> getProject()
@@ -204,5 +216,6 @@ public BaseCyclonedxTask() {
         getOrganizationalEntity().convention(getProject().getObjects().property(OrganizationalEntity.class));
         getLicenseChoice().convention(getProject().getObjects().property(LicenseChoice.class));
         getExternalReferences().convention(getProject().getObjects().listProperty(ExternalReference.class));
+        getHashAlgorithms().convention(getProject().getObjects().listProperty(String.class));
     }
 }

src/main/java/org/cyclonedx/gradle/CyclonedxDirectTask.java

@@ -235,6 +235,7 @@ private void logParameters() {
             LOGGER.info("componentName             : {}", getComponentName().get());
             LOGGER.info("componentVersion          : {}", getComponentVersion().get());
             LOGGER.info("projectType               : {}", getProjectType().get());
+            LOGGER.info("hashAlgorithms            : {}", getHashAlgorithms().get());
             LOGGER.info("------------------------------------------------------------------------");
         }
     }

src/main/java/org/cyclonedx/gradle/SbomBuilder.java

@@ -33,6 +33,7 @@
 import java.util.Set;
 import java.util.TreeSet;
 import java.util.UUID;
+import java.util.stream.Collectors;
 import org.cyclonedx.Version;
 import org.cyclonedx.gradle.model.ComponentComparator;
 import org.cyclonedx.gradle.model.DependencyComparator;
@@ -292,6 +293,13 @@ private Property buildIsTestProperty(final SbomComponent component) {
     private List<Hash> calculateHashes(final File artifactFile) {
         return artifactHashes.computeIfAbsent(artifactFile, f -> {
             try {
+                List<String> configuredAlgorithms = task.getHashAlgorithms().get();
+                if (!configuredAlgorithms.isEmpty()) {
+                    List<Hash.Algorithm> algorithms = configuredAlgorithms.stream()
+                            .map(Hash.Algorithm::fromSpec)
+                            .collect(Collectors.toList());
+                    return BomUtils.calculateHashes(f, version, algorithms);
+                }
                 return BomUtils.calculateHashes(f, version);
             } catch (IOException e) {
                 LOGGER.error("{} Error encountered calculating hashes", LOG_PREFIX, e);

src/test/groovy/org/cyclonedx/gradle/DependencyResolutionSpec.groovy

@@ -145,6 +145,92 @@ class DependencyResolutionSpec extends Specification {
         javaVersion = JavaVersion.current()
     }
 
+    def "should filter hashes by configured algorithms"() {
+        given:
+        String localRepoUri = TestUtils.duplicateRepo("local")
+
+        File testDir = TestUtils.createFromString("""
+            plugins {
+                id 'org.cyclonedx.bom'
+                id 'java'
+            }
+            repositories {
+                maven{
+                    url '$localRepoUri'
+                }
+            }
+            group = 'com.example'
+            version = '1.0.0'
+
+            dependencies {
+                implementation("com.test:componenta:1.0.0")
+            }
+
+            tasks.named("cyclonedxDirectBom") {
+                hashAlgorithms = ['SHA-256', 'SHA-512']
+            }""", "rootProject.name = 'simple-project'")
+
+        when:
+        def result = GradleRunner.create()
+            .withProjectDir(testDir)
+            .withArguments(TestUtils.arguments("cyclonedxBom"))
+            .withPluginClasspath()
+            .build()
+
+        then:
+        result.task(":cyclonedxBom").outcome == TaskOutcome.SUCCESS
+        File jsonBom = new File(testDir, "build/reports/cyclonedx/bom.json")
+        Bom bom = new ObjectMapper().readValue(jsonBom, Bom.class)
+        Component componenta = bom.getComponents().find(c -> c.name == 'componenta')
+        assert componenta.hashes != null
+        assert componenta.hashes*.algorithm.sort() == ["SHA-256", "SHA-512"].sort()
+
+        where:
+        javaVersion = JavaVersion.current()
+    }
+
+    def "should return all hash algorithms when none are configured"() {
+        given:
+        String localRepoUri = TestUtils.duplicateRepo("local")
+
+        File testDir = TestUtils.createFromString("""
+            plugins {
+                id 'org.cyclonedx.bom'
+                id 'java'
+            }
+            repositories {
+                maven{
+                    url '$localRepoUri'
+                }
+            }
+            group = 'com.example'
+            version = '1.0.0'
+
+            dependencies {
+                implementation("com.test:componenta:1.0.0")
+            }""", "rootProject.name = 'simple-project'")
+
+        when:
+        def result = GradleRunner.create()
+            .withProjectDir(testDir)
+            .withArguments(TestUtils.arguments("cyclonedxBom"))
+            .withPluginClasspath()
+            .build()
+
+        then:
+        result.task(":cyclonedxBom").outcome == TaskOutcome.SUCCESS
+        File jsonBom = new File(testDir, "build/reports/cyclonedx/bom.json")
+        Bom bom = new ObjectMapper().readValue(jsonBom, Bom.class)
+        Component componenta = bom.getComponents().find(c -> c.name == 'componenta')
+        assert componenta.hashes != null
+        // https://github.com/CycloneDX/cyclonedx-core-java/blob/master/src/main/java/org/cyclonedx/util/BomUtils.java#L59-L70
+        assert componenta.hashes*.algorithm.sort() == 
+            ["MD5", "SHA-1", "SHA-256", "SHA-384", "SHA-512", "SHA3-256", "SHA3-384", "SHA3-512"].sort()
+
+        where:
+        javaVersion = JavaVersion.current()
+    }
+
     def "should generate bom for non-jar artifacts"() {
         given:
         String localRepoUri = TestUtils.duplicateRepo("local")