fixup sha-1 of vendor libraries in OTP-28

kikofernandez · kikofernandez · commit 8cbe52da35df · 2025-09-09T14:49:53.000+02:00
diff --git a/HOWTO/SBOM.md b/HOWTO/SBOM.md
@@ -183,6 +183,7 @@ This file may be a list of JSON objects. For simplicity, we document the fields
     "licenseDeclared": "Zlib",
     "name": "asmjit",
     "versionInfo": "029075b84bf0161a761beb63e6eda519a29020db",
+    "sha": "029075b84bf0161a761beb63e6eda519a29020db",
     "path": "./erts/emulator/asmjit",
     "exclude": ["./erts/emulator/asmjit/vendor.info"],
     "supplier": "Person: Petr Kobalicek",
@@ -202,11 +203,15 @@ Fields summary:
         - If you are unsure about the name of the `SPDX-TOP-LEVEL-PACKAGE`, take a look at the source SBOM to identify packages (under key `packages` in the SBOM).
 - `description`: a brief description of what this vendor library does.
 - `copyrightText`: copyright text associated with the top-level package/library/3pp using [SPDX License Identifiers](https://spdx.org/licenses/).
-- `downloadLocation`: URI of the vendor library to download.
+- `downloadLocation`: URI of the vendor library to download. If using Github, use preferably `https//` rather than `git+https//` or similars.
+   This is because the download location is used for vulnerability scanning in `.github/scripts/otp-compliance.es`.
 - `homepage`: homepage of the vendor library.
 - `licenseDeclared`: license as declared by the vendor, following a [SPDX license identifier](https://spdx.org/licenses/).
 - `name`: name of the library.
 - `versionInfo`: version of the library/project/3pp. In case of no version number being available, write the commit sha.
+- `sha`: sha commit for `versionInfo`, they need to be updated together!
+- `ecosystem`: List of valid ecosystems in [OSV Ecosystems](https://ossf.github.io/osv-schema/#defined-ecosystems)
+  where this value is omitted for C/C++ code (e.g., `asmjit`, `pcre2`, `zlib`, `zstd`, etc), and used in `vendor.json` for `jquery`.
 - `path`: path to the vendor library inside Erlang/OTP. This can point to a folder or a list of files.
   - Folder: any file inside the folder is considered part of the vendor library (e.g., asmjit [vendor.info](../erts/emulator/asmjit/vendor.info)).
   - List of files: only the files listed here are part of a vendor library (e.g., erts-config [vendor.info](../erts/autoconf/vendor.info)).
@@ -225,8 +230,7 @@ and re-run the source SBOM generation steps ([Erlang/OTP source SBOM]).
 ### Add a New Vendor Dependency
 
 Follow the same steps as in [Update SPDX Vendor Packages].
-When running the SBOM generator, make sure to check that the new vendor dependency exists
-in its own package.
+When running the SBOM generator, make sure to check that the new vendor dependency exists in its own package.
 
 The [`renovate.json5`](../renovate.json5) file also needs to be updated
 to make sure that the new vendored dependency gets updated as it should.
diff --git a/erts/emulator/openssl/vendor.info b/erts/emulator/openssl/vendor.info
@@ -15,6 +15,7 @@
     "licenseDeclared": "Apache-2.0",
     "name": "openssl",
     "versionInfo": "3.5",
+    "sha": "636dfadc70ce26f2473870570bfd9ec352806b1d",
     "path": "./erts/emulator/openssl",
     "exclude": ["./erts/emulator/openssl/vendor.info",
                 "./erts/emulator/openssl/README",
diff --git a/erts/emulator/pcre/vendor.info b/erts/emulator/pcre/vendor.info
@@ -19,6 +19,7 @@
     "exclude": ["./erts/emulator/pcre/vendor.info",
                 "./erts/emulator/pcre/README.pcre_update.md",
                 "./erts/emulator/pcre/pcre.mk"],
+    "sha": "2dce7761b1831fd3f82a9c2bd5476259d945da4d",
     "supplier": "Person: Philip Hazel",
     "purl": "pkg:generic/pcre2"
   }
diff --git a/erts/emulator/ryu/vendor.info b/erts/emulator/ryu/vendor.info
@@ -22,8 +22,7 @@
              "./erts/emulator/ryu/digit_table.h",
              "./erts/emulator/ryu/ryu.h",
              "./erts/emulator/ryu/LICENSE-Apache2",
-             "./erts/emulator/ryu/LICENSE-Boost"
-            ],
+             "./erts/emulator/ryu/LICENSE-Boost"],
     "supplier": "Person: Ulf Adams",
     "purl": "pkg:github/ulfjack/ryu#ryu",
     "update": "./erts/emulator/ryu/update.sh",
diff --git a/erts/emulator/zlib/vendor.info b/erts/emulator/zlib/vendor.info
@@ -10,15 +10,16 @@
     "ID": "erts-zlib",
     "description": "interface of the 'zlib' general purpose compression library",
     "copyrightText": "Copyright (C) 1995-2024 Jean-loup Gailly and Mark Adler",
-    "downloadLocation": "https://zlib.net/",
+    "downloadLocation": "https://github.com/madler/zlib",
     "homepage": "https://zlib.net/",
     "licenseDeclared": "Zlib",
     "name": "zlib",
     "versionInfo": "1.3.1",
+    "sha": "1a8db63788c34a50e39e273d39b7e1033208aea2",
     "path": "./erts/emulator/zlib",
     "exclude": ["./erts/emulator/zlib/vendor.info",
                 "./erts/emulator/zlib/zlib.mk"],
     "supplier": "Person: Mark Adler (zlib@gzip.org)",
-    "purl": "pkg:generic/zlib"
+    "purl": "pkg:github/madler/zlib"
   }
 ]
diff --git a/erts/emulator/zstd/vendor.info b/erts/emulator/zstd/vendor.info
@@ -15,6 +15,7 @@
     "licenseDeclared": "BSD-3-Clause OR GPL-2.0-only",
     "name": "zstd",
     "versionInfo": "v1.5.7",
+    "sha": "f8745da6ff1ad1e7bab384bd1f9d742439278e99",
     "path": "./erts/emulator/zstd",
     "exclude": ["./erts/emulator/zstd/vendor.info",
                 "./erts/emulator/zstd/update.sh",
diff --git a/lib/common_test/priv/vendor.info b/lib/common_test/priv/vendor.info
@@ -13,6 +13,7 @@
       "downloadLocation": "https://github.com/jquery/jquery",
       "homepage": "https://jquery.com",
       "licenseDeclared": "MIT",
+      "ecosystem": "npm",
       "name": "jquery",
       "versionInfo": "3.7.1",
       "path": ["./lib/common_test/priv/jquery-latest.js"],
@@ -26,7 +27,8 @@
       "downloadLocation": "https://github.com/Mottie/tablesorter",
       "homepage": "https://github.com/Mottie/tablesorter",
       "licenseDeclared": "BSD-3-Clause OR GPL-2.0-only",
-      "name": "jquery-tablesorter",
+      "ecosystem": "npm",
+      "name": "tablesorter",
       "versionInfo": "2.32",
       "path": ["./lib/common_test/priv/jquery.tablesorter.min.js"],
       "supplier": "Person: Christian Bach",
diff --git a/lib/erl_interface/src/openssl/vendor.info b/lib/erl_interface/src/openssl/vendor.info
@@ -15,6 +15,7 @@
     "licenseDeclared": "Apache-2.0",
     "name": "openssl",
     "versionInfo": "3.5",
+    "sha": "636dfadc70ce26f2473870570bfd9ec352806b1d",
     "path": "./lib/erl_interface/src/openssl",
     "exclude": ["./lib/erl_interface/src/openssl/vendor.info",
                 "./lib/erl_interface/src/openssl/README",
diff --git a/lib/wx/vendor.info b/lib/wx/vendor.info
@@ -15,6 +15,7 @@
     "licenseDeclared": "LicenseRef-scancode-wxwindows-free-doc-3",
     "name": "wx",
     "versionInfo": "dc585039bbd426829e3433002023a93f9bedd0c2",
+    "sha": "dc585039bbd426829e3433002023a93f9bedd0c2",
     "path": "./lib/wx",
     "comments": "This only applies to the source code of Erlang files in 'src', and specifically to the documentation embedded in them",
     "supplier": "NOASSERTION",

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@`
`19`	`19`	`"exclude": ["./erts/emulator/pcre/vendor.info",`
`20`	`20`	`"./erts/emulator/pcre/README.pcre_update.md",`
`21`	`21`	`"./erts/emulator/pcre/pcre.mk"],`
	`22`	`+ "sha": "2dce7761b1831fd3f82a9c2bd5476259d945da4d",`
`22`	`23`	`"supplier": "Person: Philip Hazel",`
`23`	`24`	`"purl": "pkg:generic/pcre2"`
`24`	`25`	`}`