
Dealing with changed hashes when building open-source packages in-house

Çağlar Arlı

My plan is to start building the open-source packages from their sources and use the organization's security resources, like SAST tools, to detect security issues in them.

The good thing that I see coming out of this effort is better security, especially with some of the lesser-known, smaller open-source projects that are not built with security in mind. The organization can then create pull requests to fix the discovered issues as a way of giving back to the open-source community.

However, I'm afraid that the hashes of the generated artifacts will change, and automated tools like WhiteSource, used to detect known vulnerabilities and licenses for open-source packages, might stop working.

Has anyone faced such an issue? Is there a middle ground where we can have the perks of both strategies?
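As an added illustration (not part of the question or of any answer), the Python script below shows one reason a rebuilt artifact's hash drifts from upstream (zip entry timestamps baked into the archive) and two mitigations a defender can apply: pinning the build time in the reproducible-builds style, so in-house hashes are at least stable, and keeping a provenance record that maps the in-house artifact back to the upstream name and version, so vulnerability and license matching can be keyed by package coordinates instead of by artifact hash. The package contents, build times and the "upstream" hash are all constructed sample values.

```python
import hashlib
import io
import zipfile

# Constructed sample package contents; stands in for a built artifact.
SAMPLE_FILES = {
    "pkg/__init__.py": b"VERSION = '1.2.3'\n",
    "pkg/core.py": b"def run():\n    return 42\n",
}

# Reproducible-builds convention (the SOURCE_DATE_EPOCH idea): pin every
# entry's mtime to a fixed value instead of the wall clock. 1980-01-01 is
# the earliest timestamp the zip format can store.
FIXED_TIME = (1980, 1, 1, 0, 0, 0)


def build_archive(files: dict, build_time: tuple) -> bytes:
    """Zip `files` the way a build tool would, stamping each entry with
    `build_time`. The mtime lives in the entry header, so identical sources
    built at different times yield different bytes and different hashes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):  # deterministic entry order
            info = zipfile.ZipInfo(name, date_time=build_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_reproducible(files: dict, build_time: tuple) -> bool:
    """True when two builds of the same sources at `build_time` hash equal."""
    return sha256_hex(build_archive(files, build_time)) == \
        sha256_hex(build_archive(files, build_time))


def provenance_record(name: str, version: str, upstream_sha256: str,
                      inhouse_artifact: bytes) -> dict:
    """Map the in-house artifact back to the upstream release it was built
    from. Feeding name/version (not only the hash) to an SCA tool lets it
    still match advisories and licenses after the hash has changed."""
    inhouse = sha256_hex(inhouse_artifact)
    return {
        "name": name,
        "version": version,
        "upstream_sha256": upstream_sha256,
        "inhouse_sha256": inhouse,
        "rebuilt_in_house": inhouse != upstream_sha256,
    }
```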