feat: add make sbom target#1050
Conversation
Adds sbom, install-sbom, and uninstall-sbom targets. Runs gen-sbom to produce CDX and SPDX outputs. Requires WOLFSSL_DIR pointing to a wolfssl tree with the feat/sbom-embedded branch (includes gen-sbom).
There was a problem hiding this comment.
Pull request overview
Adds SBOM generation and install/uninstall targets to the autotools build, intended to produce CycloneDX + SPDX outputs and validate SPDX on the build host.
Changes:
- Add
make sbom,make install-sbom, andmake uninstall-sbomtargets plus related variables/cleanup inMakefile.am. - Extend
configure.acto discoverpython3/pyspdxtoolsand to break out libtool version-info components into separate substituted variables.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| Makefile.am | Adds SBOM generation/validation targets and output staging/cleanup rules. |
| configure.ac | Adds tool discovery for SBOM prerequisites and refactors libtool version-info variables. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| @if test -z "$(PYTHON3)"; then \ | ||
| echo ""; \ | ||
| echo "ERROR: 'python3' not found in PATH. Cannot generate SBOM."; \ | ||
| echo ""; \ | ||
| exit 1; \ | ||
| fi |
| @if test -z "$(PYSPDXTOOLS)"; then \ | ||
| echo ""; \ | ||
| echo "ERROR: 'pyspdxtools' not found in PATH. Cannot validate SBOM."; \ | ||
| echo " Install: pip install spdx-tools"; \ | ||
| echo ""; \ | ||
| exit 1; \ | ||
| fi |
| $(CC) -dM -E -I$(srcdir) $(CPPFLAGS) -x c /dev/null \ | ||
| > $(abs_builddir)/_sbom_defines.h |
| # The three numbers in the libwolfssh.so.*.*.* file name. | ||
|
|
- Include AM_CPPFLAGS and config.h in the options snapshot so the configured feature set (WOLFSSH_SCP/SFTP/NO_WOLFSSH_SERVER/...) appears in the SBOM instead of being empty. - Discover static (.a), Mach-O (.dylib) and Windows (.dll/.lib) artifacts, not just a versioned .so. - Set SOURCE_DATE_EPOCH from the last git commit for reproducible output. - Clean staging tree and temp defines file via trap even on failure. - Record wolfssl as an SBOM dependency (--dep-wolfssl), version auto-detected from WOLFSSL_DIR/wolfssl/version.h. - configure.ac: detect git; drop unused version-info split + comment. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
There was a problem hiding this comment.
Tested make sbom end-to-end on macOS (--enable-all, gen-sbom from wolfssl feat/sbom-embedded, spdx-tools + pcpp installed): exits 0, all three outputs produced, the Mach-O .dylib discovery branch fires, the trap cleans up the staging tree and temp defines file, the configured feature macros (WOLFSSH_SFTP/SCP/CERTS/AGENT/SSHD, NO_INLINE, NDEBUG) now appear in the SBOM, and pyspdxtools re-validation passes clean. Two follow-ups below, none blocking.
| --name wolfssh \ | ||
| --version $(PACKAGE_VERSION) \ | ||
| --supplier "wolfSSL Inc." \ | ||
| --license-file $(srcdir)/LICENSING \ |
There was a problem hiding this comment.
gen-sbom emits NOASSERTION for the license even though LICENSING clearly states GPLv3. Root cause is in gen-sbom's detect_license: its regex only matches the long form gnu general public license version N, but wolfSSH's LICENSING uses the abbreviation GPLv3, so detection fails and falls back to NOASSERTION.
| if test -n "$$sde"; then SOURCE_DATE_EPOCH="$$sde"; export SOURCE_DATE_EPOCH; fi; \ | ||
| fi; \ | ||
| dep_args=""; \ | ||
| if $(PYTHON3) $(WOLFSSL_DIR)/scripts/gen-sbom --help 2>/dev/null \ |
There was a problem hiding this comment.
--dep-wolfssl doesn't exist yet in the gen-sbom script. Maybe a better description of what to do since there is no wolfSSL tree whose scripts/gen-sbom supports the opotion.
Default SBOM_LICENSE_OVERRIDE to GPL-3.0-only so the SBOM records the correct license instead of NOASSERTION, and point the --dep-wolfssl note at wolfSSL/wolfssl#10343. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Move the make sbom / install-sbom / uninstall-sbom recipe out of Makefile.am into a reusable scripts/sbom.am fragment; Makefile.am now just declares the product facts (name, LICENSING, wolfssl dependency, GPL-3.0-only default) and includes it. Add a GitHub Actions workflow covering both SBOM paths: - autotools: build wolfSSL + wolfSSH, run make sbom, assert SPDX validity, CycloneDX identity, reproducibility, and the wolfssl dependency edge. - embedded: run gen-sbom against user_settings.h (via pcpp) + the wolfSSH source set, asserting the same identity/validity/reproducibility plus that user_settings.h options and the wolfssl dependency are captured. Both gracefully skip on a gen-sbom that predates the wolfSSL SBOM change. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Summary
Adds
make sbom,make install-sbom, andmake uninstall-sbomtargets to the autotools build..sofor hashingcc -dM -Efor the options snapshotgen-sbom(from wolfsslscripts/gen-sbom) to produce CycloneDX and SPDX outputspyspdxtoolsUsage
```sh
./configure --with-wolfssl=/path/to/wolfssl/install
make
make sbom WOLFSSL_DIR=/path/to/wolfssl/source
```
Outputs:
wolfssh-<version>.cdx.json,wolfssh-<version>.spdx.json,wolfssh-<version>.spdxRequirements
WOLFSSL_DIRmust point to a wolfssl source tree containingscripts/gen-sbom(available on thefeat/sbom-embeddedbranch of wolfssl)python3andpip install spdx-toolson the build hostTest plan
./configure --with-wolfssl=... && make && make sbom WOLFSSL_DIR=...pyspdxtools --infile wolfssh-*.spdx.jsonpasses validation