feat(sbom): add checksum (#5347)

Use path to compute a checksum for the package. It is useful to identify
if a package has changed or not.

Signed-off-by: Fabrice Fontaine <[email protected]>

Author: ffontaine

cve_bin_tool/sbom_manager/generate.py

@@ -1,6 +1,7 @@
 # Copyright (C) 2024 Intel Corporation
 # SPDX-License-Identifier: GPL-3.0-or-later
 
+import hashlib
 from logging import Logger
 from pathlib import Path
 from typing import Optional
@@ -113,6 +114,10 @@ def generate_sbom(self) -> None:
                     product_data
                 ].get("paths"):
                     for path in self.all_cve_data[product_data]["paths"]:
+                        with open(path.split()[0], "rb") as f:
+                            file_data = f.read()
+                        sha256_hash = hashlib.sha256(file_data)
+                        my_package.set_checksum("SHA256", sha256_hash.hexdigest())
                         if self.strip_scan_dir:
                             evidence = strip_path(path, self.sbom_root)
                         else: