feat: add make sbom target

Makefile.am

@@ -79,3 +79,74 @@ merge-clean:
 	@find ./ | $(GREP) \.OTHER | xargs rm -f
 	@find ./ | $(GREP) \.BASE | xargs rm -f
 	@find ./ | $(GREP) \~$$ | xargs rm -f
+
+# SBOM generation (CRA compliance)
+SBOM_CDX     = wolfssh-$(PACKAGE_VERSION).cdx.json
+SBOM_SPDX    = wolfssh-$(PACKAGE_VERSION).spdx.json
+SBOM_SPDX_TV = wolfssh-$(PACKAGE_VERSION).spdx
+sbomdir      = $(datadir)/doc/$(PACKAGE)
+
+.PHONY: sbom install-sbom uninstall-sbom
+
+sbom:
+	@if test -z "$(PYTHON3)"; then \
+	    echo ""; \
+	    echo "ERROR: 'python3' not found in PATH. Cannot generate SBOM."; \
+	    echo ""; \
+	    exit 1; \
+	fi
+	@if test -z "$(PYSPDXTOOLS)"; then \
+	    echo ""; \
+	    echo "ERROR: 'pyspdxtools' not found in PATH. Cannot validate SBOM."; \
+	    echo "       Install: pip install spdx-tools"; \
+	    echo ""; \
+	    exit 1; \
+	fi
+	@if test -z "$(WOLFSSL_DIR)"; then \
+	    echo ""; \
+	    echo "ERROR: WOLFSSL_DIR is not set. Cannot locate gen-sbom."; \
+	    echo "       Re-run: make sbom WOLFSSL_DIR=/path/to/wolfssl"; \
+	    echo ""; \
+	    exit 1; \
+	fi
+	@if test ! -f "$(WOLFSSL_DIR)/scripts/gen-sbom"; then \
+	    echo ""; \
+	    echo "ERROR: $(WOLFSSL_DIR)/scripts/gen-sbom not found."; \
+	    echo "       Use a wolfSSL tree that includes SBOM support."; \
+	    echo ""; \
+	    exit 1; \
+	fi
+	rm -rf $(abs_builddir)/_sbom_staging $(abs_builddir)/_sbom_defines.h
+	$(MAKE) install DESTDIR=$(abs_builddir)/_sbom_staging
+	$(CC) -dM -E -I$(srcdir) $(CPPFLAGS) -x c /dev/null \
+	    > $(abs_builddir)/_sbom_defines.h
+	@set -e; \
+	_so=$$(ls $(abs_builddir)/_sbom_staging$(libdir)/libwolfssh.so.[0-9]*.[0-9]*.[0-9]* 2>/dev/null | head -1); \
+	test -n "$$_so" || { echo "ERROR: libwolfssh.so not found in staging dir" >&2; exit 1; }; \
+	$(PYTHON3) $(WOLFSSL_DIR)/scripts/gen-sbom \
+	    --name wolfssh \
+	    --version $(PACKAGE_VERSION) \
+	    --supplier "wolfSSL Inc." \
+	    --license-file $(srcdir)/LICENSING \
+	    --options-h $(abs_builddir)/_sbom_defines.h \
+	    --lib "$$_so" \
+	    $(if $(SBOM_LICENSE_OVERRIDE),--license-override $(SBOM_LICENSE_OVERRIDE)) \
+	    $(if $(SBOM_LICENSE_TEXT),--license-text $(SBOM_LICENSE_TEXT)) \
+	    --cdx-out $(abs_builddir)/$(SBOM_CDX) \
+	    --spdx-out $(abs_builddir)/$(SBOM_SPDX)
+	rm -rf $(abs_builddir)/_sbom_staging $(abs_builddir)/_sbom_defines.h
+	$(PYSPDXTOOLS) --infile $(abs_builddir)/$(SBOM_SPDX) \
+	    --outfile $(abs_builddir)/$(SBOM_SPDX_TV)
+
+install-sbom: sbom
+	$(MKDIR_P) $(DESTDIR)$(sbomdir)
+	$(INSTALL_DATA) $(SBOM_CDX) $(DESTDIR)$(sbomdir)/
+	$(INSTALL_DATA) $(SBOM_SPDX) $(DESTDIR)$(sbomdir)/
+	$(INSTALL_DATA) $(SBOM_SPDX_TV) $(DESTDIR)$(sbomdir)/
+
+uninstall-sbom:
+	-rm -f $(DESTDIR)$(sbomdir)/$(SBOM_CDX)
+	-rm -f $(DESTDIR)$(sbomdir)/$(SBOM_SPDX)
+	-rm -f $(DESTDIR)$(sbomdir)/$(SBOM_SPDX_TV)
+
+CLEANFILES = $(SBOM_CDX) $(SBOM_SPDX) $(SBOM_SPDX_TV)

README.md

@@ -627,3 +627,25 @@ WOLFSSH APPLICATIONS
 
 wolfSSH comes with a server daemon and a command line shell tool. Check out
 the apps directory for more information.
+
+## SBOM / EU CRA Compliance
+
+wolfSSH generates a Software Bill of Materials (SBOM) in CycloneDX 1.6 and
+SPDX 2.3 formats to support compliance with the EU Cyber Resilience Act (CRA).
+
+```sh
+make sbom WOLFSSL_DIR=/path/to/wolfssl
+```
+
+Requires `python3` and `pyspdxtools` (`pip install spdx-tools`). `WOLFSSL_DIR`
+must point to a wolfssl source tree containing `scripts/gen-sbom` (branch
+`feat/sbom-embedded`, or `master` once wolfSSL/wolfssl#10343 merges).
+
+Output: `wolfssh-<version>.cdx.json`, `wolfssh-<version>.spdx.json`, `wolfssh-<version>.spdx`
+
+```sh
+make install-sbom    # installs to $(datadir)/doc/wolfssh/
+make uninstall-sbom
+```
+
+For further CRA guidance see [wolfssl/doc/CRA.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/CRA.md).

configure.ac

@@ -18,7 +18,21 @@ AC_ARG_PROGRAM
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_HEADERS([config.h])
 
-WOLFSSH_LIBRARY_VERSION=20:0:2
+# The three numbers in the libwolfssh.so.*.*.* file name.
+
+# increment if interfaces have been removed or changed
+WOLFSSH_LIBRARY_VERSION_FIRST=20
+
+# increment if interfaces have been added
+# set to zero if WOLFSSH_LIBRARY_VERSION_FIRST is incremented
+WOLFSSH_LIBRARY_VERSION_SECOND=0
+
+# increment if source code has changed
+# set to zero if WOLFSSH_LIBRARY_VERSION_FIRST is incremented or
+# WOLFSSH_LIBRARY_VERSION_SECOND is incremented
+WOLFSSH_LIBRARY_VERSION_THIRD=2
+
+WOLFSSH_LIBRARY_VERSION=${WOLFSSH_LIBRARY_VERSION_FIRST}:${WOLFSSH_LIBRARY_VERSION_SECOND}:${WOLFSSH_LIBRARY_VERSION_THIRD}
 #                        | | |
 #                  +-----+ | +----+
 #                  |       |      |
@@ -32,6 +46,9 @@ WOLFSSH_LIBRARY_VERSION=20:0:2
 #                  +- increment if interfaces have been added, removed
 #                       or changed
 AC_SUBST([WOLFSSH_LIBRARY_VERSION])
+AC_SUBST([WOLFSSH_LIBRARY_VERSION_FIRST])
+AC_SUBST([WOLFSSH_LIBRARY_VERSION_SECOND])
+AC_SUBST([WOLFSSH_LIBRARY_VERSION_THIRD])
 
 LT_PREREQ([2.4.3])
 LT_INIT([disable-static win32-dll])
@@ -309,6 +326,9 @@ AC_SUBST([AM_CPPFLAGS])
 AC_SUBST([AM_CFLAGS])
 AC_SUBST([AM_LDFLAGS])
 
+AC_PATH_PROG([PYTHON3], [python3])
+AC_PATH_PROG([PYSPDXTOOLS], [pyspdxtools])
+
 # FINAL
 AC_CONFIG_FILES([Makefile wolfssh/version.h])