Skip to content

feat: add make sbom target#1050

Open
MarkAtwood wants to merge 5 commits into
wolfSSL:masterfrom
MarkAtwood:feat/add-sbom-make-target
Open

feat: add make sbom target#1050
MarkAtwood wants to merge 5 commits into
wolfSSL:masterfrom
MarkAtwood:feat/add-sbom-make-target

Conversation

@MarkAtwood

Copy link
Copy Markdown

Summary

Adds make sbom, make install-sbom, and make uninstall-sbom targets to the autotools build.

  • Stages a temporary install to extract the built .so for hashing
  • Dumps preprocessor defines via cc -dM -E for the options snapshot
  • Calls gen-sbom (from wolfssl scripts/gen-sbom) to produce CycloneDX and SPDX outputs
  • Validates SPDX with pyspdxtools

Usage

```sh
./configure --with-wolfssl=/path/to/wolfssl/install
make
make sbom WOLFSSL_DIR=/path/to/wolfssl/source
```

Outputs: wolfssh-<version>.cdx.json, wolfssh-<version>.spdx.json, wolfssh-<version>.spdx

Requirements

  • WOLFSSL_DIR must point to a wolfssl source tree containing scripts/gen-sbom (available on the feat/sbom-embedded branch of wolfssl)
  • python3 and pip install spdx-tools on the build host

Test plan

  • ./configure --with-wolfssl=... && make && make sbom WOLFSSL_DIR=...
  • Verify three output files are produced
  • pyspdxtools --infile wolfssh-*.spdx.json passes validation

Adds sbom, install-sbom, and uninstall-sbom targets.
Runs gen-sbom to produce CDX and SPDX outputs.
Requires WOLFSSL_DIR pointing to a wolfssl tree with
the feat/sbom-embedded branch (includes gen-sbom).

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds SBOM generation and install/uninstall targets to the autotools build, intended to produce CycloneDX + SPDX outputs and validate SPDX on the build host.

Changes:

  • Add make sbom, make install-sbom, and make uninstall-sbom targets plus related variables/cleanup in Makefile.am.
  • Extend configure.ac to discover python3 / pyspdxtools and to break out libtool version-info components into separate substituted variables.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
Makefile.am Adds SBOM generation/validation targets and output staging/cleanup rules.
configure.ac Adds tool discovery for SBOM prerequisites and refactors libtool version-info variables.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Makefile.am Outdated
Comment on lines +92 to +97
@if test -z "$(PYTHON3)"; then \
echo ""; \
echo "ERROR: 'python3' not found in PATH. Cannot generate SBOM."; \
echo ""; \
exit 1; \
fi
Comment thread Makefile.am Outdated
Comment on lines +98 to +104
@if test -z "$(PYSPDXTOOLS)"; then \
echo ""; \
echo "ERROR: 'pyspdxtools' not found in PATH. Cannot validate SBOM."; \
echo " Install: pip install spdx-tools"; \
echo ""; \
exit 1; \
fi
Comment thread Makefile.am Outdated
Comment on lines +121 to +122
$(CC) -dM -E -I$(srcdir) $(CPPFLAGS) -x c /dev/null \
> $(abs_builddir)/_sbom_defines.h
Comment thread configure.ac Outdated
Comment on lines +21 to +22
# The three numbers in the libwolfssh.so.*.*.* file name.

- Include AM_CPPFLAGS and config.h in the options snapshot so the
  configured feature set (WOLFSSH_SCP/SFTP/NO_WOLFSSH_SERVER/...)
  appears in the SBOM instead of being empty.
- Discover static (.a), Mach-O (.dylib) and Windows (.dll/.lib)
  artifacts, not just a versioned .so.
- Set SOURCE_DATE_EPOCH from the last git commit for reproducible output.
- Clean staging tree and temp defines file via trap even on failure.
- Record wolfssl as an SBOM dependency (--dep-wolfssl), version
  auto-detected from WOLFSSL_DIR/wolfssl/version.h.
- configure.ac: detect git; drop unused version-info split + comment.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>

@ejohnstown ejohnstown left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested make sbom end-to-end on macOS (--enable-all, gen-sbom from wolfssl feat/sbom-embedded, spdx-tools + pcpp installed): exits 0, all three outputs produced, the Mach-O .dylib discovery branch fires, the trap cleans up the staging tree and temp defines file, the configured feature macros (WOLFSSH_SFTP/SCP/CERTS/AGENT/SSHD, NO_INLINE, NDEBUG) now appear in the SBOM, and pyspdxtools re-validation passes clean. Two follow-ups below, none blocking.

Comment thread Makefile.am Outdated
--name wolfssh \
--version $(PACKAGE_VERSION) \
--supplier "wolfSSL Inc." \
--license-file $(srcdir)/LICENSING \

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gen-sbom emits NOASSERTION for the license even though LICENSING clearly states GPLv3. Root cause is in gen-sbom's detect_license: its regex only matches the long form gnu general public license version N, but wolfSSH's LICENSING uses the abbreviation GPLv3, so detection fails and falls back to NOASSERTION.

Comment thread Makefile.am Outdated
if test -n "$$sde"; then SOURCE_DATE_EPOCH="$$sde"; export SOURCE_DATE_EPOCH; fi; \
fi; \
dep_args=""; \
if $(PYTHON3) $(WOLFSSL_DIR)/scripts/gen-sbom --help 2>/dev/null \

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--dep-wolfssl doesn't exist yet in the gen-sbom script. Maybe a better description of what to do since there is no wolfSSL tree whose scripts/gen-sbom supports the opotion.

sameehj added 2 commits July 8, 2026 15:07
Default SBOM_LICENSE_OVERRIDE to GPL-3.0-only so the SBOM records the
correct license instead of NOASSERTION, and point the --dep-wolfssl
note at wolfSSL/wolfssl#10343.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Move the make sbom / install-sbom / uninstall-sbom recipe out of
Makefile.am into a reusable scripts/sbom.am fragment; Makefile.am now
just declares the product facts (name, LICENSING, wolfssl dependency,
GPL-3.0-only default) and includes it.

Add a GitHub Actions workflow covering both SBOM paths:
- autotools: build wolfSSL + wolfSSH, run make sbom, assert SPDX
  validity, CycloneDX identity, reproducibility, and the wolfssl
  dependency edge.
- embedded: run gen-sbom against user_settings.h (via pcpp) + the
  wolfSSH source set, asserting the same identity/validity/reproducibility
  plus that user_settings.h options and the wolfssl dependency are
  captured.
Both gracefully skip on a gen-sbom that predates the wolfSSL SBOM
change.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
@ejohnstown ejohnstown self-requested a review July 8, 2026 17:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants