feat: add make sbom target#1050
Conversation
Adds sbom, install-sbom, and uninstall-sbom targets. Runs gen-sbom to produce CDX and SPDX outputs. Requires WOLFSSL_DIR pointing to a wolfssl tree with the feat/sbom-embedded branch (includes gen-sbom).
There was a problem hiding this comment.
Pull request overview
Adds SBOM generation and install/uninstall targets to the autotools build, intended to produce CycloneDX + SPDX outputs and validate SPDX on the build host.
Changes:
- Add
make sbom,make install-sbom, andmake uninstall-sbomtargets plus related variables/cleanup inMakefile.am. - Extend
configure.acto discoverpython3/pyspdxtoolsand to break out libtool version-info components into separate substituted variables.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| Makefile.am | Adds SBOM generation/validation targets and output staging/cleanup rules. |
| configure.ac | Adds tool discovery for SBOM prerequisites and refactors libtool version-info variables. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Include AM_CPPFLAGS and config.h in the options snapshot so the configured feature set (WOLFSSH_SCP/SFTP/NO_WOLFSSH_SERVER/...) appears in the SBOM instead of being empty. - Discover static (.a), Mach-O (.dylib) and Windows (.dll/.lib) artifacts, not just a versioned .so. - Set SOURCE_DATE_EPOCH from the last git commit for reproducible output. - Clean staging tree and temp defines file via trap even on failure. - Record wolfssl as an SBOM dependency (--dep-wolfssl), version auto-detected from WOLFSSL_DIR/wolfssl/version.h. - configure.ac: detect git; drop unused version-info split + comment. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
There was a problem hiding this comment.
Tested make sbom end-to-end on macOS (--enable-all, gen-sbom from wolfssl feat/sbom-embedded, spdx-tools + pcpp installed): exits 0, all three outputs produced, the Mach-O .dylib discovery branch fires, the trap cleans up the staging tree and temp defines file, the configured feature macros (WOLFSSH_SFTP/SCP/CERTS/AGENT/SSHD, NO_INLINE, NDEBUG) now appear in the SBOM, and pyspdxtools re-validation passes clean. Two follow-ups below, none blocking.
Default SBOM_LICENSE_OVERRIDE to GPL-3.0-only so the SBOM records the correct license instead of NOASSERTION, and point the --dep-wolfssl note at wolfSSL/wolfssl#10343. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Move the make sbom / install-sbom / uninstall-sbom recipe out of Makefile.am into a reusable scripts/sbom.am fragment; Makefile.am now just declares the product facts (name, LICENSING, wolfssl dependency, GPL-3.0-only default) and includes it. Add a GitHub Actions workflow covering both SBOM paths: - autotools: build wolfSSL + wolfSSH, run make sbom, assert SPDX validity, CycloneDX identity, reproducibility, and the wolfssl dependency edge. - embedded: run gen-sbom against user_settings.h (via pcpp) + the wolfSSH source set, asserting the same identity/validity/reproducibility plus that user_settings.h options and the wolfssl dependency are captured. Both gracefully skip on a gen-sbom that predates the wolfSSL SBOM change. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Guard the SBOM_GEN wolfSSL fallback with $(if $(WOLFSSL_DIR),...) so an unset WOLFSSL_DIR leaves it empty (yielding the intended "set WOLFSSL_DIR" error) instead of resolving to an absolute /scripts/gen-sbom that could run an unrelated host script. Reword the fragment header to describe the actual gen-sbom resolution (vendored copy if present, else WOLFSSL_DIR) rather than claiming offline tarball builds that aren't wired up yet. Condition the README's wolfSSL-dependency statement on a sufficiently new gen-sbom to match the existing degradation note. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
aidangarske
left a comment
There was a problem hiding this comment.
🐺 Skoll Code Review
Overall recommendation: REQUEST_CHANGES
Findings: 2 total — 2 posted, 0 skipped
Posted findings
- [High] Default SBOM license contradicts source license headers —
Makefile.am:98 - [Medium] SBOM workflow can pass without exercising the new target —
.github/workflows/sbom.yml:64-79
Review generated by Skoll.
Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Summary
Adds
make sbom,make install-sbom, andmake uninstall-sbomtargets to the autotools build..sofor hashingcc -dM -Efor the options snapshotgen-sbom(from wolfsslscripts/gen-sbom) to produce CycloneDX and SPDX outputspyspdxtoolsUsage
```sh
./configure --with-wolfssl=/path/to/wolfssl/install
make
make sbom WOLFSSL_DIR=/path/to/wolfssl/source
```
Outputs:
wolfssh-<version>.cdx.json,wolfssh-<version>.spdx.json,wolfssh-<version>.spdxRequirements
WOLFSSL_DIRmust point to a wolfssl source tree containingscripts/gen-sbom(available on thefeat/sbom-embeddedbranch of wolfssl)python3andpip install spdx-toolson the build hostTest plan
./configure --with-wolfssl=... && make && make sbom WOLFSSL_DIR=...pyspdxtools --infile wolfssh-*.spdx.jsonpasses validation