Skip to content

feat: add make sbom target#536

Merged
dgarske merged 5 commits into
wolfSSL:masterfrom
MarkAtwood:feat/add-sbom-make-target
Jul 10, 2026
Merged

feat: add make sbom target#536
dgarske merged 5 commits into
wolfSSL:masterfrom
MarkAtwood:feat/add-sbom-make-target

Conversation

@MarkAtwood

@MarkAtwood MarkAtwood commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds make sbom, make install-sbom, and make uninstall-sbom targets to the autotools build.

  • Stages a temporary install to extract the built .so for hashing
  • Dumps preprocessor defines via cc -dM -E for the options snapshot
  • Calls gen-sbom (from wolfssl scripts/gen-sbom) to produce CycloneDX and SPDX outputs
  • Validates SPDX with pyspdxtools

Usage

./configure --with-wolfssl=/path/to/wolfssl/install
make
make sbom WOLFSSL_DIR=/path/to/wolfssl/source

Outputs: wolftpm-<version>.cdx.json, wolftpm-<version>.spdx.json, wolftpm-<version>.spdx

Requirements

  • WOLFSSL_DIR must point to a wolfssl source tree containing scripts/gen-sbom (available on the feat/sbom-embedded branch of wolfssl)
  • python3 and pip install spdx-tools on the build host

Test plan

  • ./configure --with-wolfssl=... && make && make sbom WOLFSSL_DIR=...
  • Verify three output files are produced
  • pyspdxtools --infile wolftpm-*.spdx.json passes validation

CMake sbom target

The cmake build now has an equivalent sbom custom target, so SBOM generation works the same way whether you build with autotools or cmake.

cmake -B build -DWOLFSSL_DIR=/path/to/wolfssl/source .
cmake --build build
cmake --build build --target sbom

Outputs land in the build directory: wolftpm-<version>.cdx.json, wolftpm-<version>.spdx.json, wolftpm-<version>.spdx.

Notes:

  • Version is read directly from wolftpm/version.h (LIBWOLFTPM_VERSION_STRING), not from the cmake project() call, so the cmake and autotools SBOMs stay bit-identical in the version field even if the two drift.
  • The options fingerprint is taken from the generated wolftpm/options.h (the real compile-time option set) rather than a raw cc -dM dump, which would only capture compiler builtins. This keeps the cmake SBOM consistent with what autotools produces via --options-h.
  • WOLFSSL_DIR and python3/pyspdxtools are validated at configure time. A missing prerequisite does not break a normal cmake --build; the sbom target simply fails with a clear message when invoked. A wrong -DWOLFSSL_DIR= (explicit opt-in with a bad path) hard-errors at configure time.
  • On lib64 hosts, pass -DCMAKE_INSTALL_LIBDIR=lib if needed; the staged library is read from lib/.

Adds sbom, install-sbom, and uninstall-sbom targets.
Runs gen-sbom to produce CDX and SPDX outputs.
Requires WOLFSSL_DIR pointing to a wolfssl tree with
the feat/sbom-embedded branch (includes gen-sbom).
@MarkAtwood MarkAtwood requested review from Copilot and sameehj June 23, 2026 01:39

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

Adds build-system support for generating and installing SBOM artifacts (CycloneDX + SPDX) via new make targets, integrating wolfSSL’s gen-sbom script and SPDX validation tooling.

Changes:

  • Split libtool version-info into separately substituted components for reuse in make rules.
  • Add sbom, install-sbom, and uninstall-sbom targets to generate/validate and install SBOM outputs.
  • Detect python3 and pyspdxtools at configure-time for use by the SBOM targets.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
configure.ac Exposes library version components and discovers SBOM tool dependencies (python3, pyspdxtools) for make targets.
Makefile.am Implements SBOM generation/validation and install/uninstall targets; wires output files into CLEANFILES.

Comment thread Makefile.am Outdated
Comment thread Makefile.am Outdated
Comment thread Makefile.am Outdated
Comment thread Makefile.am Outdated

@aidangarske aidangarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll Multi-Scan Review

Modes: review + review-security + bugsOverall recommendation: REQUEST_CHANGES
Findings: 7 total — 7 posted, 0 skipped
7 finding(s) posted as inline comments (see file-level comments below)

Posted findings

  • [High] [review+review-security+bugs] Autotools sbom target reconstructs the libtool library filename incorrectly; breaks on next version-info bump and on macOS/static buildsMakefile.am:181
  • [High] [review+review-security+bugs] CMake sbom target hard-codes Unix shared-library layout; fails on Windows, static, and multi-config buildsCMakeLists.txt:860-884
  • [Medium] [bugs] CMake sbom target uses cmake -E rm, unavailable on the declared minimum CMake 3.16CMakeLists.txt:874,891
  • [Medium] [review] New SBOM targets have no automated coverageMakefile.am:144-188
  • [Low] [review] install-sbom mixes absolute and relative artifact paths; only works when run from the build dirMakefile.am:184-194
  • [Low] [review+review-security] CMake return() used at directory scope to skip the SBOM block; fragile if code is appendedCMakeLists.txt:844-853
  • [Low] [review-security] CMake version.h regex uses [ \t] which does not match a tab in CMake's regex dialectCMakeLists.txt:803-806

Review generated by Skoll

Comment thread Makefile.am Outdated
Comment thread CMakeLists.txt Outdated
Comment thread CMakeLists.txt Outdated
Comment thread Makefile.am Outdated
Comment thread Makefile.am Outdated
Comment thread CMakeLists.txt
Comment thread CMakeLists.txt Outdated
Autotools: replace the inline make sbom recipe with the shared
scripts/sbom.am fragment (declare wolftpm identity, LICENSE, wolfSSL
dependency, and wolftpm/options.h as the feature-macro source). Add GIT
discovery + AC_SUBST for reproducible SOURCE_DATE_EPOCH, and revert the
WOLFTPM_LIBRARY_VERSION_{FIRST,SECOND,THIRD} split that only fed the old
hardcoded --lib path (the fragment discovers the artifact by glob).

CMake: pin the SBOM licence to GPL-3.0-or-later (header-accurate; matches
autotools SBOM_LICENSE_OVERRIDE) and record wolfSSL as a dependency via
--dep-wolfssl, capability-gated on gen-sbom --help so older gen-sbom
versions still produce a valid (dependency-less) SBOM.

Pin the license default to GPL-3.0-or-later to match the source headers
("or (at your option) any later version"), fixing the SBOM licence field.

Add a CI workflow that builds wolfSSL + wolfTPM and asserts SBOM identity,
licence, options capture, reproducibility, and the wolfSSL dependency.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please apply this patch (I can't figure out a way to push to your repo):

From 89eae19fb3fe4079fbb73b5d504969433ad024b5 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Fri, 10 Jul 2026 13:49:25 -0700
Subject: [PATCH] SBOM: fix cmake artifact discovery, cmake 3.16 compat, and
 tab regex

---
 CMakeLists.txt | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index a6a04b86..2a144813 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -809,9 +809,9 @@ if(BUILD_WOLFTPM_LIB)
     # this file drifts out of sync with the header.
     file(STRINGS "${CMAKE_CURRENT_SOURCE_DIR}/wolftpm/version.h"
          _sbom_version_line
-         REGEX "^#define[ \t]+LIBWOLFTPM_VERSION_STRING[ \t]+\"")
+         REGEX "^#define[ 	]+LIBWOLFTPM_VERSION_STRING[ 	]+\"")
     string(REGEX REPLACE
-           "^#define[ \t]+LIBWOLFTPM_VERSION_STRING[ \t]+\"([^\"]+)\".*" "\\1"
+           "^#define[ 	]+LIBWOLFTPM_VERSION_STRING[ 	]+\"([^\"]+)\".*" "\\1"
            SBOM_VERSION "${_sbom_version_line}")
     if(NOT SBOM_VERSION)
         message(FATAL_ERROR
@@ -866,11 +866,17 @@ if(BUILD_WOLFTPM_LIB)
     set(SBOM_SPDX_TV "${CMAKE_BINARY_DIR}/wolftpm-${SBOM_VERSION}.spdx")
     set(SBOM_STAGING "${CMAKE_BINARY_DIR}/_sbom_staging")
 
-    # Staged install path. install(TARGETS wolftpm) above hardcodes
-    # `LIBRARY DESTINATION lib`, so the .so always lands in lib/, never lib64/.
-    # ${CMAKE_SHARED_LIBRARY_SUFFIX} resolves to .so on Linux / .dylib on mac.
-    set(SBOM_LIB
-        "${SBOM_STAGING}/lib/libwolftpm${CMAKE_SHARED_LIBRARY_SUFFIX}")
+    # Staged install path. Derive the installed artifact name from the target
+    # itself so it tracks the real output - a versioned .so/.dylib, a static
+    # .a/.lib, or the Windows DLL - instead of a hardcoded
+    # libwolftpm${CMAKE_SHARED_LIBRARY_SUFFIX} that only matches a Unix shared
+    # build. install(TARGETS) sends the Windows DLL (RUNTIME) to bin/ and
+    # everything else (LIBRARY/ARCHIVE) to lib/.
+    if(WIN32 AND BUILD_SHARED_LIBS)
+        set(SBOM_LIB "${SBOM_STAGING}/bin/$<TARGET_FILE_NAME:wolftpm>")
+    else()
+        set(SBOM_LIB "${SBOM_STAGING}/lib/$<TARGET_FILE_NAME:wolftpm>")
+    endif()
 
     # wolfTPM links wolfSSL/wolfCrypt, so record wolfSSL as a dependency in the
     # SBOM (matches the autotools SBOM_DEP_WOLFSSL=yes).  Recording it needs the
@@ -899,9 +905,9 @@ if(BUILD_WOLFTPM_LIB)
         VERBATIM
         # Stage a clean install so gen-sbom inspects the same artifact layout
         # the user would actually ship.
-        COMMAND ${CMAKE_COMMAND} -E rm -rf ${SBOM_STAGING}
+        COMMAND ${CMAKE_COMMAND} -E remove_directory ${SBOM_STAGING}
         COMMAND ${CMAKE_COMMAND} --install ${CMAKE_BINARY_DIR}
-                --prefix ${SBOM_STAGING}
+                --prefix ${SBOM_STAGING} --config $<CONFIG>
         COMMAND ${PYTHON3_CMD} ${WOLFSSL_DIR}/scripts/gen-sbom
                 --name wolftpm
                 --version ${SBOM_VERSION}
@@ -918,7 +924,7 @@ if(BUILD_WOLFTPM_LIB)
         # the target.
         COMMAND ${PYSPDXTOOLS_CMD} --infile ${SBOM_SPDX}
                 --outfile ${SBOM_SPDX_TV}
-        COMMAND ${CMAKE_COMMAND} -E rm -rf ${SBOM_STAGING}
+        COMMAND ${CMAKE_COMMAND} -E remove_directory ${SBOM_STAGING}
         COMMENT "Generating SBOM for wolfTPM ${SBOM_VERSION}")
 
     # gen-sbom reads the staged library, so the library must build first.
-- 
2.50.1 (Apple Git-155)

@MarkAtwood

Copy link
Copy Markdown
Contributor Author

@dgarske Applied verbatim as 7f7aebe (kept your authorship via git am). Verified end-to-end against a cmake-built wolfssl 5.9.2: configure extracts 4.0.0 through the tab-class regex, the staged install resolves the artifact via $<TARGET_FILE_NAME:wolftpm>, and the sbom target generates all three files (cdx.json, spdx.json, spdx tag-value) with remove_directory doing the staging cleanup. I don't have a cmake 3.16 on hand, so that compat claim rides on your testing.

@dgarske dgarske merged commit e3ffda7 into wolfSSL:master Jul 10, 2026
197 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants