feat: add make sbom target#536
Conversation
Adds sbom, install-sbom, and uninstall-sbom targets. Runs gen-sbom to produce CDX and SPDX outputs. Requires WOLFSSL_DIR pointing to a wolfssl tree with the feat/sbom-embedded branch (includes gen-sbom).
There was a problem hiding this comment.
Pull request overview
Note
Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.
Adds build-system support for generating and installing SBOM artifacts (CycloneDX + SPDX) via new make targets, integrating wolfSSL’s gen-sbom script and SPDX validation tooling.
Changes:
- Split libtool version-info into separately substituted components for reuse in make rules.
- Add
sbom,install-sbom, anduninstall-sbomtargets to generate/validate and install SBOM outputs. - Detect
python3andpyspdxtoolsat configure-time for use by the SBOM targets.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| configure.ac | Exposes library version components and discovers SBOM tool dependencies (python3, pyspdxtools) for make targets. |
| Makefile.am | Implements SBOM generation/validation and install/uninstall targets; wires output files into CLEANFILES. |
aidangarske
left a comment
There was a problem hiding this comment.
Skoll Multi-Scan Review
Modes: review + review-security + bugsOverall recommendation: REQUEST_CHANGES
Findings: 7 total — 7 posted, 0 skipped
7 finding(s) posted as inline comments (see file-level comments below)
Posted findings
- [High] [review+review-security+bugs] Autotools sbom target reconstructs the libtool library filename incorrectly; breaks on next version-info bump and on macOS/static builds —
Makefile.am:181 - [High] [review+review-security+bugs] CMake sbom target hard-codes Unix shared-library layout; fails on Windows, static, and multi-config builds —
CMakeLists.txt:860-884 - [Medium] [bugs] CMake sbom target uses cmake -E rm, unavailable on the declared minimum CMake 3.16 —
CMakeLists.txt:874,891 - [Medium] [review] New SBOM targets have no automated coverage —
Makefile.am:144-188 - [Low] [review] install-sbom mixes absolute and relative artifact paths; only works when run from the build dir —
Makefile.am:184-194 - [Low] [review+review-security] CMake return() used at directory scope to skip the SBOM block; fragile if code is appended —
CMakeLists.txt:844-853 - [Low] [review-security] CMake version.h regex uses [ \t] which does not match a tab in CMake's regex dialect —
CMakeLists.txt:803-806
Review generated by Skoll
Autotools: replace the inline make sbom recipe with the shared
scripts/sbom.am fragment (declare wolftpm identity, LICENSE, wolfSSL
dependency, and wolftpm/options.h as the feature-macro source). Add GIT
discovery + AC_SUBST for reproducible SOURCE_DATE_EPOCH, and revert the
WOLFTPM_LIBRARY_VERSION_{FIRST,SECOND,THIRD} split that only fed the old
hardcoded --lib path (the fragment discovers the artifact by glob).
CMake: pin the SBOM licence to GPL-3.0-or-later (header-accurate; matches
autotools SBOM_LICENSE_OVERRIDE) and record wolfSSL as a dependency via
--dep-wolfssl, capability-gated on gen-sbom --help so older gen-sbom
versions still produce a valid (dependency-less) SBOM.
Pin the license default to GPL-3.0-or-later to match the source headers
("or (at your option) any later version"), fixing the SBOM licence field.
Add a CI workflow that builds wolfSSL + wolfTPM and asserts SBOM identity,
licence, options capture, reproducibility, and the wolfSSL dependency.
Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
dgarske
left a comment
There was a problem hiding this comment.
Please apply this patch (I can't figure out a way to push to your repo):
From 89eae19fb3fe4079fbb73b5d504969433ad024b5 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Fri, 10 Jul 2026 13:49:25 -0700
Subject: [PATCH] SBOM: fix cmake artifact discovery, cmake 3.16 compat, and
tab regex
---
CMakeLists.txt | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a6a04b86..2a144813 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -809,9 +809,9 @@ if(BUILD_WOLFTPM_LIB)
# this file drifts out of sync with the header.
file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/wolftpm/version.h"
_sbom_version_line
- REGEX "^#define[ \t]+LIBWOLFTPM_VERSION_STRING[ \t]+\"")
+ REGEX "^#define[ ]+LIBWOLFTPM_VERSION_STRING[ ]+\"")
string(REGEX REPLACE
- "^#define[ \t]+LIBWOLFTPM_VERSION_STRING[ \t]+\"([^\"]+)\".*" "\\1"
+ "^#define[ ]+LIBWOLFTPM_VERSION_STRING[ ]+\"([^\"]+)\".*" "\\1"
SBOM_VERSION "${_sbom_version_line}")
if(NOT SBOM_VERSION)
message(FATAL_ERROR
@@ -866,11 +866,17 @@ if(BUILD_WOLFTPM_LIB)
set(SBOM_SPDX_TV "${CMAKE_BINARY_DIR}/wolftpm-${SBOM_VERSION}.spdx")
set(SBOM_STAGING "${CMAKE_BINARY_DIR}/_sbom_staging")
- # Staged install path. install(TARGETS wolftpm) above hardcodes
- # `LIBRARY DESTINATION lib`, so the .so always lands in lib/, never lib64/.
- # ${CMAKE_SHARED_LIBRARY_SUFFIX} resolves to .so on Linux / .dylib on mac.
- set(SBOM_LIB
- "${SBOM_STAGING}/lib/libwolftpm${CMAKE_SHARED_LIBRARY_SUFFIX}")
+ # Staged install path. Derive the installed artifact name from the target
+ # itself so it tracks the real output - a versioned .so/.dylib, a static
+ # .a/.lib, or the Windows DLL - instead of a hardcoded
+ # libwolftpm${CMAKE_SHARED_LIBRARY_SUFFIX} that only matches a Unix shared
+ # build. install(TARGETS) sends the Windows DLL (RUNTIME) to bin/ and
+ # everything else (LIBRARY/ARCHIVE) to lib/.
+ if(WIN32 AND BUILD_SHARED_LIBS)
+ set(SBOM_LIB "${SBOM_STAGING}/bin/$<TARGET_FILE_NAME:wolftpm>")
+ else()
+ set(SBOM_LIB "${SBOM_STAGING}/lib/$<TARGET_FILE_NAME:wolftpm>")
+ endif()
# wolfTPM links wolfSSL/wolfCrypt, so record wolfSSL as a dependency in the
# SBOM (matches the autotools SBOM_DEP_WOLFSSL=yes). Recording it needs the
@@ -899,9 +905,9 @@ if(BUILD_WOLFTPM_LIB)
VERBATIM
# Stage a clean install so gen-sbom inspects the same artifact layout
# the user would actually ship.
- COMMAND ${CMAKE_COMMAND} -E rm -rf ${SBOM_STAGING}
+ COMMAND ${CMAKE_COMMAND} -E remove_directory ${SBOM_STAGING}
COMMAND ${CMAKE_COMMAND} --install ${CMAKE_BINARY_DIR}
- --prefix ${SBOM_STAGING}
+ --prefix ${SBOM_STAGING} --config $<CONFIG>
COMMAND ${PYTHON3_CMD} ${WOLFSSL_DIR}/scripts/gen-sbom
--name wolftpm
--version ${SBOM_VERSION}
@@ -918,7 +924,7 @@ if(BUILD_WOLFTPM_LIB)
# the target.
COMMAND ${PYSPDXTOOLS_CMD} --infile ${SBOM_SPDX}
--outfile ${SBOM_SPDX_TV}
- COMMAND ${CMAKE_COMMAND} -E rm -rf ${SBOM_STAGING}
+ COMMAND ${CMAKE_COMMAND} -E remove_directory ${SBOM_STAGING}
COMMENT "Generating SBOM for wolfTPM ${SBOM_VERSION}")
# gen-sbom reads the staged library, so the library must build first.
--
2.50.1 (Apple Git-155)|
@dgarske Applied verbatim as 7f7aebe (kept your authorship via git am). Verified end-to-end against a cmake-built wolfssl 5.9.2: configure extracts 4.0.0 through the tab-class regex, the staged install resolves the artifact via $<TARGET_FILE_NAME:wolftpm>, and the sbom target generates all three files (cdx.json, spdx.json, spdx tag-value) with remove_directory doing the staging cleanup. I don't have a cmake 3.16 on hand, so that compat claim rides on your testing. |
Summary
Adds
make sbom,make install-sbom, andmake uninstall-sbomtargets to the autotools build..sofor hashingcc -dM -Efor the options snapshotgen-sbom(from wolfsslscripts/gen-sbom) to produce CycloneDX and SPDX outputspyspdxtoolsUsage
Outputs:
wolftpm-<version>.cdx.json,wolftpm-<version>.spdx.json,wolftpm-<version>.spdxRequirements
WOLFSSL_DIRmust point to a wolfssl source tree containingscripts/gen-sbom(available on thefeat/sbom-embeddedbranch of wolfssl)python3andpip install spdx-toolson the build hostTest plan
./configure --with-wolfssl=... && make && make sbom WOLFSSL_DIR=...pyspdxtools --infile wolftpm-*.spdx.jsonpasses validationCMake
sbomtargetThe cmake build now has an equivalent
sbomcustom target, so SBOM generation works the same way whether you build with autotools or cmake.cmake -B build -DWOLFSSL_DIR=/path/to/wolfssl/source . cmake --build build cmake --build build --target sbomOutputs land in the build directory:
wolftpm-<version>.cdx.json,wolftpm-<version>.spdx.json,wolftpm-<version>.spdx.Notes:
wolftpm/version.h(LIBWOLFTPM_VERSION_STRING), not from the cmakeproject()call, so the cmake and autotools SBOMs stay bit-identical in the version field even if the two drift.wolftpm/options.h(the real compile-time option set) rather than a rawcc -dMdump, which would only capture compiler builtins. This keeps the cmake SBOM consistent with what autotools produces via--options-h.WOLFSSL_DIRandpython3/pyspdxtoolsare validated at configure time. A missing prerequisite does not break a normalcmake --build; thesbomtarget simply fails with a clear message when invoked. A wrong-DWOLFSSL_DIR=(explicit opt-in with a bad path) hard-errors at configure time.-DCMAKE_INSTALL_LIBDIR=libif needed; the staged library is read fromlib/.