feat: add make sbom / install-sbom / uninstall-sbom targets#410
feat: add make sbom / install-sbom / uninstall-sbom targets#410MarkAtwood wants to merge 4 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
Adds SBOM generation and install/uninstall targets to the autotools build so wolfProvider can emit CycloneDX 1.6 and SPDX 2.3 artifacts (via wolfSSL’s gen-sbom script), plus configure-time discovery of required tooling.
Changes:
- Add
make sbom,make install-sbom, andmake uninstall-sbomtargets that stage-install the built artifacts and generate CycloneDX/SPDX outputs. - Add
AC_CHECK_PROGchecks forpython3andpyspdxtoolsinconfigure.ac.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| Makefile.am | Adds SBOM generation and install/uninstall targets and related variables. |
| configure.ac | Adds checks for python3 and pyspdxtools availability. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Adds CycloneDX + SPDX SBOM generation via wolfssl's gen-sbom script. Usage: make sbom WOLFSSL_DIR=/path/to/wolfssl wolfProvider has no generated options.h; uses installed wolfssl's options.h. WOLFSSL_DIR defaults to WOLFSSL_INSTALL_DIR. SONAME is libwolfprov.so.0.0.0 (libtool default, no version-info set).
a93e1f6 to
8db5499
Compare
aidangarske
left a comment
There was a problem hiding this comment.
🐺 Skoll Code Review
Overall recommendation: REQUEST_CHANGES
Findings: 2 total — 2 posted, 0 skipped
Posted findings
- [High] SBOM version lookup breaks clean out-of-tree builds and overrides Automake VERSION —
Makefile.am:60-71 - [Medium] pyspdxtools probe is never enforced by the sbom target —
configure.ac:30, Makefile.am:80-83
Review generated by Skoll.
|
Both Skoll findings are against code that isn't in this PR (verified against the current head):
The recipe was refactored into the shared |
Detailed verification — both Skoll findings are against code that isn't in this PRChecked two ways against the reviewed head Finding 1 — "VERSION grep at
|
aidangarske
left a comment
There was a problem hiding this comment.
🐺 Skoll Code Review
Overall recommendation: REQUEST_CHANGES
Findings: 2 total — 2 posted, 0 skipped
Posted findings
- [High] SBOM option capture omits configured compiler defines —
scripts/sbom.am:129-131 - [Low] SBOM workflow executes mutable external gen-sbom ref —
.github/workflows/sbom.yml:42-47
Review generated by Skoll.
dgarske
left a comment
There was a problem hiding this comment.
@sameehj or @MarkAtwood please see feedback #410 (review)
|
On the second finding (mutable gen-sbom ref in the workflow): pinned. The |
Replace the inline SBOM recipe with the shared, product-agnostic scripts/sbom.am used across the wolfSSL autotools stack. wolfProvider just declares itself (a libwolfprov shared library that links both wolfSSL and OpenSSL) and includes the fragment, gaining reproducible output, license/version pinning, SPDX validation, dependency recording (wolfssl + openssl), and an install/uninstall hook. Switch configure to AC_PATH_PROG + AC_SUBST, expand the README, and add a SBOM CI workflow. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Sync scripts/sbom.am byte-for-byte with the canonical copy in the wolfSSL repository (wolfSSL/wolfssl#10343) so the SBOM recipe cannot fork from the single source of truth. wolfProvider carried the oldest variant of the fragment, missing the SBOM_OPTIONS_H branch, the SBOM_CONFIG_H override, the AM_CFLAGS/CFLAGS macro capture, and sbomdir = $(docdir). These are inert for wolfProvider today (its feature flags come through config.h and it does not set SBOM_OPTIONS_H), so this is a maintenance sync, not a behavior change. `diff scripts/sbom.am <wolfssl>/scripts/sbom.am` is now empty. The SBOM_DEP_WOLFSSL = yes / SBOM_DEP_OPENSSL = yes settings in Makefile.am are unaffected (they override the fragment's ?= defaults), so the SBOM still records both wolfSSL and OpenSSL as dependencies.
4109012 to
ecc3e2e
Compare
Summary
make sbom,make install-sbom, andmake uninstall-sbomtargets to wolfProvider's autotools build for EU CRA compliance evidence (CycloneDX 1.6 + SPDX 2.3 output)AC_CHECK_PROGchecks forpython3andpyspdxtoolsinconfigure.acUsage
WOLFSSL_DIRmust point to a wolfssl checkout containingscripts/gen-sbom(branchfeat/sbom-embedded, ormasteronce wolfSSL/wolfssl#10343 merges).Notes
wolfprovthroughout (matchesAC_INITandlib_LTLIBRARIES), notwolfprovideroptions.h; uses installed wolfssl'soptions.hvia$(WOLFSSL_INCLUDEDIR)/wolfssl/options.h.WOLFSSL_DIRdefaults to$(WOLFSSL_INSTALL_DIR)(set by--with-wolfssl=at configure time)libwolfprov.so.0.0.0(no-version-infoset) —--libpath uses this literal, not the package version1.1.1--with-wolfssl,WOLFSSL_INSTALL_DIRmay be malformed; passWOLFSSL_DIR=explicitly in that case