diff --git a/Makefile.am b/Makefile.am
index 6ef17b86..c9a56c3a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -163,6 +163,48 @@ endif
 test: check
 #DISTCLEANFILES+= wolfssl-config
+# SBOM generation. Requires WOLFSSL_DIR pointing to a wolfssl source tree
+# containing scripts/gen-sbom (feat/sbom-embedded branch, or master once
+# wolfSSL/wolfssl#10343 merges). wolfCLU ships a binary, not a .so, so the
+# artifact hash is computed from the compiled sources via --srcs.
+WOLFSSL_DIR ?=
+PRODUCT = wolfclu
+VERSION = $(shell grep CLUWOLFSSL_VERSION_STRING $(srcdir)/wolfclu/version.h 2>/dev/null | sed 's/.*"\(.*\)".*/\1/')
+GEN_SBOM = $(WOLFSSL_DIR)/scripts/gen-sbom
+WOLFSSL_INCLUDEDIR ?= $(WOLFSSL_DIR)/include
+SBOM_OPTS = --name $(PRODUCT) \
+ --version $(VERSION) \
+ --supplier "wolfSSL Inc." \
+ --options-h $(WOLFSSL_INCLUDEDIR)/wolfssl/options.h \
+ --srcs $(addprefix $(srcdir)/,$(wolfssl_SOURCES))
+
+SBOM_OUT_DIR = $(builddir)
+SBOM_CDX = $(SBOM_OUT_DIR)/$(PRODUCT)-$(VERSION).cdx.json
+SBOM_SPDX_J = $(SBOM_OUT_DIR)/$(PRODUCT)-$(VERSION).spdx.json
+SBOM_SPDX_TV = $(SBOM_OUT_DIR)/$(PRODUCT)-$(VERSION).spdx
+
+.PHONY: sbom install-sbom uninstall-sbom
+
+sbom: all
+ @if test -z "$(WOLFSSL_DIR)"; then \
+ echo "ERROR: WOLFSSL_DIR not set. Usage: make sbom WOLFSSL_DIR=/path/to/wolfssl"; \
+ exit 1; \
+ fi
+ @if test -z "$(PYTHON3)"; then echo "ERROR: python3 not found in PATH."; exit 1; fi
+ $(PYTHON3) $(GEN_SBOM) $(SBOM_OPTS)
+
+install-sbom: sbom
+ $(MKDIR_P) $(DESTDIR)$(datadir)/doc/$(PRODUCT)
+ $(INSTALL_DATA) $(SBOM_CDX) $(SBOM_SPDX_J) $(SBOM_SPDX_TV) \
+ $(DESTDIR)$(datadir)/doc/$(PRODUCT)/
+
+uninstall-sbom:
+ -rm -f $(DESTDIR)$(datadir)/doc/$(PRODUCT)/$(PRODUCT)-*.cdx.json
+ -rm -f $(DESTDIR)$(datadir)/doc/$(PRODUCT)/$(PRODUCT)-*.spdx.json
+ -rm -f $(DESTDIR)$(datadir)/doc/$(PRODUCT)/$(PRODUCT)-*.spdx
+
+uninstall-hook: uninstall-sbom
+
 maintainer-clean-local:
 -rm Makefile.in
diff --git a/README.md b/README.md
index 270f3e54..17dc9a8e 100644
--- a/README.md
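Review bot: The `sbom` recipe guards WOLFSSL_DIR and PYTHON3 but not the two other inputs the SBOM depends on: `VERSION` is scraped with `grep ... 2>/dev/null`, so a missing or renamed CLUWOLFSSL_VERSION_STRING silently yields an empty version, a gen-sbom call of the form `--version --supplier ...` and output files named `wolfclu-.cdx.json`; and `pyspdxtools`, which README.md lists as a requirement and configure.ac probes into `$(PYSPDXTOOLS)`, is never checked here, so the SPDX outputs can presumably be missing when `install-sbom` later tries to install them. I would add `@test -n "$(VERSION)" || { echo "ERROR: could not read CLUWOLFSSL_VERSION_STRING from wolfclu/version.h"; exit 1; }` and `@test -n "$(PYSPDXTOOLS)" || { echo "ERROR: pyspdxtools not found (pip install spdx-tools)"; exit 1; }` before the `$(PYTHON3) $(GEN_SBOM)` line, and make `VERSION` a `:=` assignment so the `$(shell grep ...)` runs once instead of on every expansion. Because the header comment says the component hash is computed over `--srcs` rather than the shipped executable, a consumer comparing an installed `wolfssl` binary against the SBOM will not find a matching hash; a sentence in that comment such as `# NOTE: the recorded hash identifies the compiled sources, not the installed binary; it is not an artifact attestation.` would prevent the SBOM being misread. `make install` does not appear to run `install-sbom` in this hunk while `uninstall-hook` removes the files; if that asymmetry is intended a comment saying so would help, and this definition will clash if `uninstall-hook` is already defined elsewhere in Makefile.am.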
+++ b/README.md
@@ -334,6 +334,34 @@ wolfssl ocsp \
 The `-index` file uses OpenSSL's CA index format.
+## SBOM / EU CRA Compliance
+
+wolfCLU generates a Software Bill of Materials (SBOM) in CycloneDX 1.6 and
+SPDX 2.3 formats to support compliance with the EU Cyber Resilience Act (CRA).
+
+```sh
+make sbom WOLFSSL_DIR=/path/to/wolfssl
+```
+
+Requires `python3` and `pyspdxtools` (`pip install spdx-tools`). `WOLFSSL_DIR`
+must point to a wolfssl source tree containing `scripts/gen-sbom` (branch
+`feat/sbom-embedded`, or `master` once wolfSSL/wolfssl#10343 merges).
+
+Output files in the build directory:
+
+| File | Format |
+|------|--------|
+| `wolfclu-0.2.0.cdx.json` | CycloneDX 1.6 |
+| `wolfclu-0.2.0.spdx.json` | SPDX 2.3 JSON |
+| `wolfclu-0.2.0.spdx` | SPDX 2.3 tag-value |
+
+```sh
+make install-sbom # installs to $(datadir)/doc/wolfclu/
+make uninstall-sbom
+```
+
+For further CRA guidance see [wolfssl/doc/CRA.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/CRA.md).
+
 ## Contacts
+
 Please contact support@wolfssl.com with any questions or comments.
diff --git a/configure.ac b/configure.ac
index b125a366..e9166595 100644
--- a/configure.ac
+++ b/configure.ac
@@ -59,6 +59,10 @@ AM_PATH_PYTHON([3.6],, [:])
 AC_SUBST([PYTHON])
 AM_CONDITIONAL([HAVE_PYTHON], [test "$PYTHON" != ":"])
+# SBOM generation prerequisites
+AC_CHECK_PROG([PYTHON3], [python3], [python3])
+AC_CHECK_PROG([PYSPDXTOOLS], [pyspdxtools], [pyspdxtools])
+
 # Checks for headers/libraries
 AC_CHECK_HEADERS([sys/time.h string.h termios.h unistd.h])
 AC_CHECK_SIZEOF(long long, 8)
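Review bot: `AC_CHECK_PROG([PYTHON3], [python3], [python3])` substitutes the bare name `python3` rather than a resolved path, and it sits directly below `AM_PATH_PYTHON([3.6],, [:])`, which has already located an interpreter in `$PYTHON` and honours a user `PYTHON=` override; `make sbom` will therefore run whatever `python3` is first in PATH at build time, which need not be the interpreter configure validated. For a tool that produces a compliance artifact I would either reuse the existing result, e.g. `AS_IF([test "$PYTHON" != ":"], [PYTHON3=$PYTHON])` followed by `AC_SUBST([PYTHON3])`, or switch both probes to `AC_PATH_PROG([PYTHON3], [python3])` and `AC_PATH_PROG([PYSPDXTOOLS], [pyspdxtools])` so the substituted values are absolute paths fixed at configure time. Neither probe emits a diagnostic when the program is absent, so `./configure` succeeds silently and the failure only surfaces at `make sbom`; an `AC_MSG_WARN` on an empty result would make the missing prerequisite visible earlier. Note also that `AC_CHECK_PROG` leaves a pre-set variable untouched, so a caller-supplied `PYSPDXTOOLS=...` is accepted without verification — worth confirming against the autoconf version in use.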