Sort arrays in SBOM JSON data for reproducibility

sethmlarson · web-flow · commit e2c2bb11d372 · 2024-02-09T08:58:08.000-06:00
diff --git a/sbom.py b/sbom.py
@@ -109,6 +109,29 @@ def get_release_tools_commit_sha() -> str:
     return stdout
 
 
+def normalize_sbom_data(sbom_data):
+    """
+    Normalize SBOM data in-place by recursion
+    and sorting lists by some repeatable key.
+    """
+    def recursive_sort_in_place(value):
+        if isinstance(value, list):
+            # We need to recurse first so bottom-most elements are sorted first.
+            for item in value:
+                recursive_sort_in_place(item)
+
+            # Otherwise this key might change depending on the unsorted order of items.
+            value.sort(key=lambda item: json.dumps(item, sort_keys=True))
+
+        # Dictionaries are the only other containers and keys
+        # are already handled by json.dumps(sort_keys=True).
+        elif isinstance(value, dict):
+            for dict_val in value.values():
+                recursive_sort_in_place(dict_val)
+
+    recursive_sort_in_place(sbom_data)
+
+
 def create_sbom_for_source_tarball(tarball_path: str):
     """Stitches together an SBOM for a source tarball"""
     tarball_name = os.path.basename(tarball_path)
@@ -294,6 +317,9 @@ def create_sbom_for_source_tarball(tarball_path: str):
     # Calculate the 'packageVerificationCode' values for files in packages.
     calculate_package_verification_codes(sbom)
 
+    # Normalize SBOM structures for reproducibility.
+    normalize_sbom_data(sbom)
+
     return sbom
 
 
diff --git a/tests/test_sbom.py b/tests/test_sbom.py
@@ -42,3 +42,19 @@ def test_calculate_package_verification_code(package_sha1s, package_verification
     assert input_sbom["packages"][0]["packageVerificationCode"] == {
         "packageVerificationCodeValue": package_verification_code
     }
+
+
+def test_normalization():
+    # Test that arbitrary JSON data can be normalized.
+    # Normalization doesn't have to make too much sense,
+    # only needs to be reproducible.
+    data = {
+        "a": [1, 2, 3, {"b": [4, "c", [7, True, "2", {}]]}],
+        # This line tests that inner structures are sorted first.
+        "b": [[1, 2, "b"], [2, 1, "a"]]
+    }
+    sbom.normalize_sbom_data(data)
+    assert data == {
+        "a": [1, 2, 3, {"b": ["c", 4, ["2", 7, True, {}]]}],
+        "b": [["a", 1, 2], ["b", 1, 2]]
+    }
