fix: scrub hex-encoded hashes in E2E snapshot tests and update snapshots for spec 1.7

construct agent · construct agent · commit 5afb819e5db3 · 2026-03-01T16:41:26.000Z
The hash scrubbing regex targeted base64 but CycloneDX emits hashes as
uppercase hex. SHA-512 is 128 hex chars; the old pattern matched only
the base64-looking prefix and left a hex tail in every snapshot.

Replace with word-boundary hex regexes for all standard hash lengths
(128/64/40/32). Also update snapshots to reflect the BOM namespace
change from 1.6 to 1.7 introduced by CycloneDX.Core 11.0.0.
diff --git a/CycloneDX.E2ETests/Infrastructure/VerifyConfig.cs b/CycloneDX.E2ETests/Infrastructure/VerifyConfig.cs
@@ -70,10 +70,24 @@ public static void Initialize()
                     @"(<version>)\d+\.\d+\.\d+(?:\.\d+)?(?:-[^<]+)?(</version>)",
                     "$1{scrubbed-version}$2");
 
-                // SHA-512 hashes (base64, ~88 chars ending in ==)
+                // Hex-encoded hash values as emitted by CycloneDX in <hash> elements.
+                // SHA-512 = 128 hex chars, SHA-256 = 64, SHA-1 = 40, MD5 = 32.
+                // Match uppercase or lowercase hex strings of those lengths (longest first).
                 line = Regex.Replace(
                     line,
-                    @"(?:[A-Za-z0-9+/]{86,88}={0,2})",
+                    @"\b[0-9A-Fa-f]{128}\b",
+                    "{scrubbed-hash}");
+                line = Regex.Replace(
+                    line,
+                    @"\b[0-9A-Fa-f]{64}\b",
+                    "{scrubbed-hash}");
+                line = Regex.Replace(
+                    line,
+                    @"\b[0-9A-Fa-f]{40}\b",
+                    "{scrubbed-hash}");
+                line = Regex.Replace(
+                    line,
+                    @"\b[0-9A-Fa-f]{32}\b",
                     "{scrubbed-hash}");
 
                 return line;
diff --git a/CycloneDX.E2ETests/Snapshots/DevDependencyTests.DevDependency_ExcludedWithFlag.verified.txt b/CycloneDX.E2ETests/Snapshots/DevDependencyTests.DevDependency_ExcludedWithFlag.verified.txt
@@ -1,5 +1,5 @@
 ﻿<?xml version="1.0" encoding="utf-8"?>
-<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:{scrubbed}" version="1" xmlns="http://cyclonedx.org/schema/bom/1.6">
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:{scrubbed}" version="1" xmlns="http://cyclonedx.org/schema/bom/1.7">
   <metadata>
     <timestamp>{scrubbed-timestamp}</timestamp>
     <tools>
@@ -26,7 +26,7 @@
       <description>Test package TestPkg.A</description>
       <scope>required</scope>
       <hashes>
-        <hash alg="SHA-512">{scrubbed-hash}531C6F999C3D7E54935AF23D43D1F34E34F13C64</hash>
+        <hash alg="SHA-512">{scrubbed-hash}</hash>
       </hashes>
       <licenses>
         <license>
diff --git a/CycloneDX.E2ETests/Snapshots/ProjectReferencesTests.ProjectReference_IncludedWithFlag.verified.txt b/CycloneDX.E2ETests/Snapshots/ProjectReferencesTests.ProjectReference_IncludedWithFlag.verified.txt
@@ -1,5 +1,5 @@
 ﻿<?xml version="1.0" encoding="utf-8"?>
-<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:{scrubbed}" version="1" xmlns="http://cyclonedx.org/schema/bom/1.6">
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:{scrubbed}" version="1" xmlns="http://cyclonedx.org/schema/bom/1.7">
   <metadata>
     <timestamp>{scrubbed-timestamp}</timestamp>
     <tools>
@@ -31,7 +31,7 @@
       <description>Test package TestPkg.A</description>
       <scope>required</scope>
       <hashes>
-        <hash alg="SHA-512">{scrubbed-hash}531C6F999C3D7E54935AF23D43D1F34E34F13C64</hash>
+        <hash alg="SHA-512">{scrubbed-hash}</hash>
       </hashes>
       <licenses>
         <license>
@@ -51,7 +51,7 @@
       <description>Test package TestPkg.C</description>
       <scope>required</scope>
       <hashes>
-        <hash alg="SHA-512">{scrubbed-hash}4404F2F30EF98F8B90397BAC9D0F93926F6F3D3B</hash>
+        <hash alg="SHA-512">{scrubbed-hash}</hash>
       </hashes>
       <licenses>
         <license>
diff --git a/CycloneDX.E2ETests/Snapshots/SimpleProjectTests.SinglePackage_ProducesValidBom.verified.txt b/CycloneDX.E2ETests/Snapshots/SimpleProjectTests.SinglePackage_ProducesValidBom.verified.txt
@@ -1,5 +1,5 @@
 ﻿<?xml version="1.0" encoding="utf-8"?>
-<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:{scrubbed}" version="1" xmlns="http://cyclonedx.org/schema/bom/1.6">
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:{scrubbed}" version="1" xmlns="http://cyclonedx.org/schema/bom/1.7">
   <metadata>
     <timestamp>{scrubbed-timestamp}</timestamp>
     <tools>
@@ -26,7 +26,7 @@
       <description>Test package TestPkg.A</description>
       <scope>required</scope>
       <hashes>
-        <hash alg="SHA-512">{scrubbed-hash}531C6F999C3D7E54935AF23D43D1F34E34F13C64</hash>
+        <hash alg="SHA-512">{scrubbed-hash}</hash>
       </hashes>
       <licenses>
         <license>
diff --git a/CycloneDX.E2ETests/Snapshots/SimpleProjectTests.TransitiveDependency_AppearsInBom.verified.txt b/CycloneDX.E2ETests/Snapshots/SimpleProjectTests.TransitiveDependency_AppearsInBom.verified.txt
@@ -1,5 +1,5 @@
 ﻿<?xml version="1.0" encoding="utf-8"?>
-<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:{scrubbed}" version="1" xmlns="http://cyclonedx.org/schema/bom/1.6">
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:{scrubbed}" version="1" xmlns="http://cyclonedx.org/schema/bom/1.7">
   <metadata>
     <timestamp>{scrubbed-timestamp}</timestamp>
     <tools>
@@ -26,7 +26,7 @@
       <description>Test package TestPkg.A</description>
       <scope>required</scope>
       <hashes>
-        <hash alg="SHA-512">{scrubbed-hash}531C6F999C3D7E54935AF23D43D1F34E34F13C64</hash>
+        <hash alg="SHA-512">{scrubbed-hash}</hash>
       </hashes>
       <licenses>
         <license>
@@ -46,7 +46,7 @@
       <description>Test package TestPkg.B</description>
       <scope>required</scope>
       <hashes>
-        <hash alg="SHA-512">{scrubbed-hash}7AF7D3337A25066504E7B4C4523499392B7D5F7F</hash>
+        <hash alg="SHA-512">{scrubbed-hash}</hash>
       </hashes>
       <licenses>
         <license>
diff --git a/CycloneDX.E2ETests/Snapshots/SimpleProjectTests.TwoDirectPackages_BothAppearInBom.verified.txt b/CycloneDX.E2ETests/Snapshots/SimpleProjectTests.TwoDirectPackages_BothAppearInBom.verified.txt
@@ -1,5 +1,5 @@
 ﻿<?xml version="1.0" encoding="utf-8"?>
-<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:{scrubbed}" version="1" xmlns="http://cyclonedx.org/schema/bom/1.6">
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:{scrubbed}" version="1" xmlns="http://cyclonedx.org/schema/bom/1.7">
   <metadata>
     <timestamp>{scrubbed-timestamp}</timestamp>
     <tools>
@@ -26,7 +26,7 @@
       <description>Test package TestPkg.A</description>
       <scope>required</scope>
       <hashes>
-        <hash alg="SHA-512">{scrubbed-hash}531C6F999C3D7E54935AF23D43D1F34E34F13C64</hash>
+        <hash alg="SHA-512">{scrubbed-hash}</hash>
       </hashes>
       <licenses>
         <license>
@@ -46,7 +46,7 @@
       <description>Test package TestPkg.C</description>
       <scope>required</scope>
       <hashes>
-        <hash alg="SHA-512">{scrubbed-hash}4404F2F30EF98F8B90397BAC9D0F93926F6F3D3B</hash>
+        <hash alg="SHA-512">{scrubbed-hash}</hash>
       </hashes>
       <licenses>
         <license>
diff --git a/CycloneDX.E2ETests/Snapshots/SolutionScanTests.TwoProjects_BothPackagesInBom.verified.txt b/CycloneDX.E2ETests/Snapshots/SolutionScanTests.TwoProjects_BothPackagesInBom.verified.txt
@@ -1,5 +1,5 @@
 ﻿<?xml version="1.0" encoding="utf-8"?>
-<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:{scrubbed}" version="1" xmlns="http://cyclonedx.org/schema/bom/1.6">
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:{scrubbed}" version="1" xmlns="http://cyclonedx.org/schema/bom/1.7">
   <metadata>
     <timestamp>{scrubbed-timestamp}</timestamp>
     <tools>
@@ -26,7 +26,7 @@
       <description>Test package TestPkg.A</description>
       <scope>required</scope>
       <hashes>
-        <hash alg="SHA-512">{scrubbed-hash}531C6F999C3D7E54935AF23D43D1F34E34F13C64</hash>
+        <hash alg="SHA-512">{scrubbed-hash}</hash>
       </hashes>
       <licenses>
         <license>
@@ -46,7 +46,7 @@
       <description>Test package TestPkg.C</description>
       <scope>required</scope>
       <hashes>
-        <hash alg="SHA-512">{scrubbed-hash}4404F2F30EF98F8B90397BAC9D0F93926F6F3D3B</hash>
+        <hash alg="SHA-512">{scrubbed-hash}</hash>
       </hashes>
       <licenses>
         <license>
