diff --git a/Makefile.am b/Makefile.am
index 62b00b38..3e354364 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -47,3 +47,47 @@ test: check
 # is necessary when they are installed somewhere other than /usr/local.
 AM_DISTCHECK_CONFIGURE_FLAGS=CPPFLAGS="-I@abs_top_srcdir@/include" --with-openssl=@OPENSSL_INSTALL_DIR@ --with-wolfssl=@WOLFSSL_INSTALL_DIR@
+# ---------------------------------------------------------------------------
+# SBOM generation (CycloneDX + SPDX) via wolfssl's gen-sbom script
+# ---------------------------------------------------------------------------
+WOLFSSL_DIR ?= $(WOLFSSL_INSTALL_DIR)
+WOLFSSL_INCLUDEDIR ?= $(WOLFSSL_DIR)/include
+PRODUCT = wolfprov
+VERSION = $(shell grep LIBWOLFPROV_VERSION_STRING $(srcdir)/include/wolfprovider/version.h 2>/dev/null | sed 's/.*"\(.*\)".*/\1/')
+GEN_SBOM = $(WOLFSSL_DIR)/scripts/gen-sbom
+SBOM_OPTS = --name $(PRODUCT) \
+ --version $(VERSION) \
+ --supplier "wolfSSL Inc." \
+ --options-h $(WOLFSSL_INCLUDEDIR)/wolfssl/options.h \
+ --lib $(builddir)/_sbom_stage$(libdir)/libwolfprov.so.0.0.0
+
+SBOM_OUT_DIR = $(builddir)
+SBOM_CDX = $(SBOM_OUT_DIR)/$(PRODUCT)-$(VERSION).cdx.json
+SBOM_SPDX_J = $(SBOM_OUT_DIR)/$(PRODUCT)-$(VERSION).spdx.json
+SBOM_SPDX_TV = $(SBOM_OUT_DIR)/$(PRODUCT)-$(VERSION).spdx
+
+.PHONY: sbom install-sbom uninstall-sbom
+
+sbom: all
+ @if test -z "$(WOLFSSL_DIR)"; then \
+ echo "ERROR: WOLFSSL_DIR not set. 
Usage: make sbom WOLFSSL_DIR=/path/to/wolfssl"; \
+ exit 1; \
+ fi
+ @if test -z "$(PYTHON3)"; then \
+ echo "ERROR: python3 not found in PATH."; exit 1; fi
+ $(MAKE) install DESTDIR=$(builddir)/_sbom_stage
+ $(PYTHON3) $(GEN_SBOM) $(SBOM_OPTS)
+ rm -rf $(builddir)/_sbom_stage
+
+install-sbom: sbom
+ $(MKDIR_P) $(DESTDIR)$(datadir)/doc/$(PRODUCT)
+ $(INSTALL_DATA) $(SBOM_CDX) $(SBOM_SPDX_J) $(SBOM_SPDX_TV) \
+ $(DESTDIR)$(datadir)/doc/$(PRODUCT)/
+
+uninstall-sbom:
+ -rm -f $(DESTDIR)$(datadir)/doc/$(PRODUCT)/$(PRODUCT)-*.cdx.json
+ -rm -f $(DESTDIR)$(datadir)/doc/$(PRODUCT)/$(PRODUCT)-*.spdx.json
+ -rm -f $(DESTDIR)$(datadir)/doc/$(PRODUCT)/$(PRODUCT)-*.spdx
+
+uninstall-hook: uninstall-sbom
+
diff --git a/README.md b/README.md
index 38849669..5f7aba32 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,34 @@ Information on how to configure, build, and test wolfProvider can be found here:
 * Ed25519, Ed448 (signatures)
+## SBOM / EU CRA Compliance
+
+wolfProvider generates a Software Bill of Materials (SBOM) in CycloneDX 1.6 and
+SPDX 2.3 formats to support compliance with the EU Cyber Resilience Act (CRA).
+
+```sh
+make sbom WOLFSSL_DIR=/path/to/wolfssl
+```
+
+Requires `python3` and `pyspdxtools` (`pip install spdx-tools`). `WOLFSSL_DIR`
+must point to a wolfssl source tree containing `scripts/gen-sbom` (branch
+`feat/sbom-embedded`, or `master` once wolfSSL/wolfssl#10343 merges).
+
+Output files in the build directory:
+
+| File | Format |
+|------|--------|
+| `wolfprov-1.1.1.cdx.json` | CycloneDX 1.6 |
+| `wolfprov-1.1.1.spdx.json` | SPDX 2.3 JSON |
+| `wolfprov-1.1.1.spdx` | SPDX 2.3 tag-value |
+
+```sh
+make install-sbom # installs to $(datadir)/doc/wolfprov/
+make uninstall-sbom
+```
+
+For further CRA guidance see [wolfssl/doc/CRA.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/CRA.md).
+
 ## Support
 - [GitHub Issues](https://github.com/wolfssl/wolfProvider/issues)
diff --git a/configure.ac b/configure.ac
index 7e476c09..6df91a9b 100644
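Review bot: `VERSION = $(shell grep ...)` shadows the VERSION that Automake already provides from AC_INIT and uses for `distdir = $(PACKAGE)-$(VERSION)`, so with `distcheck` in play (see the AM_DISTCHECK_CONFIGURE_FLAGS context line) a missing or unreadable include/wolfprovider/version.h — grep's errors go to /dev/null — silently yields an empty version, renames the dist tarball and produces outputs named `wolfprov-.cdx.json` instead of failing. Use a distinct, simply-expanded variable for the four `$(VERSION)` references in this hunk, `SBOM_VERSION := $(shell grep LIBWOLFPROV_VERSION_STRING $(srcdir)/include/wolfprovider/version.h 2>/dev/null | sed 's/.*"\(.*\)".*/\1/')`, and check it in the `sbom` recipe before the staging install runs, `@test -n "$(SBOM_VERSION)" || { echo "ERROR: could not read LIBWOLFPROV_VERSION_STRING from version.h"; exit 1; }`. The staging install passes a relative `DESTDIR=$(builddir)/_sbom_stage`; if this Makefile.am recurses into SUBDIRS (not visible here) each subdirectory resolves it against its own cwd, so `$(abs_builddir)` is safer for both DESTDIR and the `--lib` path, which in turn hard-codes `libwolfprov.so.0.0.0` and will go stale when the libtool version-info changes. Since `rm -f` already ignores missing files, the `-` prefixes in `uninstall-sbom` only hide real failures such as a permission error and can be dropped.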
--- a/configure.ac
+++ b/configure.ac
@@ -26,6 +26,9 @@ USER_CFLAGS="$CFLAGS"
 AC_PROG_CC
 AC_LANG(C)
+AC_CHECK_PROG([PYTHON3], [python3], [python3])
+AC_CHECK_PROG([PYSPDXTOOLS], [pyspdxtools], [pyspdxtools])
+
 # wolfSSL - check first so its -I/-L paths take precedence over OpenSSL prefix
 # which may contain stale wolfSSL headers from a different version
 AX_CHECK_WOLFSSL(
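Review bot: Both AC_CHECK_PROG calls leave PYTHON3 and PYSPDXTOOLS empty with no diagnostic when the tool is absent, and PYSPDXTOOLS is never consulted afterwards — the `sbom` recipe in the Makefile.am hunk only tests `$(PYTHON3)`, even though the README hunk lists pyspdxtools as a requirement, so that dependency is first discovered when gen-sbom fails. Consider `AC_PATH_PROG([PYTHON3], [python3])` so the generated Makefile records the interpreter path resolved at configure time instead of re-resolving `python3` from whatever PATH is active at build time. A warning at configure time, `AS_IF([test -z "$PYSPDXTOOLS"], [AC_MSG_WARN([pyspdxtools not found; 'make sbom' will not work])])`, or an equivalent emptiness test in the `sbom` recipe, would report the missing tool before the SBOM step runs.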