cra-kit: fix commercial-license SBOM generation and refresh samples

Plumb CRA_LICENSE_TEXT through generate-wolfssl-sbom.sh (gen-sbom/make
sbom hard-fail on a LicenseRef-* override without it); scope the
commercial relicense to the wolfssl package only; correct the stale
pkg:generic PURL claim; validate the embedded output dir; regenerate
pinned samples against gen-sbom 1.1 and re-pin product checksums.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>

Author: sameehj

.github/workflows/cra-kit.yml

@@ -10,12 +10,17 @@ on:
       - 'cra-kit/**'
       - '.github/workflows/cra-kit.yml'
 
+# Least-privilege default; this workflow only needs to read the repo contents.
+permissions:
+  contents: read
+
 jobs:
   validate-auditor-packet:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      # Actions pinned to commit SHAs (supply-chain hygiene), not mutable tags.
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: '3.x'
       - name: Validate pinned auditor packet

cra-kit/README.md

@@ -86,7 +86,15 @@ SBOM = your job.
 |---------|-------|------------------------|
 | **A. Linux / server / Yocto / package** | `./configure && make` | `make sbom` in wolfSSL tree |
 | **B. Embedded / RTOS / IDE** | `user_settings.h` + your Makefile / Keil / Zephyr / ESP-IDF | `./scripts/generate-embedded-sbom.sh` (kit demo) or upstream `gen-sbom` |
-| **C. Commercial license** | Either | `CRA_LICENSE_OVERRIDE=LicenseRef-wolfSSL-Commercial ./scripts/generate-wolfssl-sbom.sh` |
+| **C. Commercial license** | Either | `CRA_LICENSE_OVERRIDE=LicenseRef-wolfSSL-Commercial CRA_LICENSE_TEXT=/path/to/commercial-license.txt ./scripts/generate-wolfssl-sbom.sh` |
+
+> **Commercial (`LicenseRef-*`) overrides require `CRA_LICENSE_TEXT`** pointing at
+> the plain-text licence you received from wolfSSL. SPDX 2.3 §10.1 requires the
+> licence text to be embedded for any `LicenseRef-*`; both `gen-sbom` and
+> `make sbom` hard-fail without it. A stock SPDX id (e.g. `Apache-2.0`) needs no
+> text. If you don't have the text file handy, use
+> [`scripts/make-commercial-sample.sh`](scripts/make-commercial-sample.sh) to
+> derive a commercial sample from the pinned GPL samples instead.
 
 **Every manufacturer still:**
 
@@ -122,7 +130,8 @@ CRA_SBOM_MODE=embedded ./scripts/generate-wolfssl-sbom.sh   # rarely used for pa
 ./scripts/generate-embedded-sbom.sh         # writes wolfssl-component-embedded/
 
 CRA_LICENSE_OVERRIDE=LicenseRef-wolfSSL-Commercial \
-    ./scripts/generate-wolfssl-sbom.sh      # commercial-license sample
+    CRA_LICENSE_TEXT=/path/to/wolfssl-commercial-license.txt \
+    ./scripts/generate-wolfssl-sbom.sh      # commercial-license sample (text required)
 ./scripts/make-commercial-sample.sh         # derive from pinned GPL samples (no rebuild)
 ```
 

cra-kit/ROADMAP.md

@@ -7,10 +7,10 @@ Honest status for customer conversations. This is **not** a commitment schedule.
 | **SBOM** (SPDX 2.3 + CycloneDX 1.6) | **Available** | `make sbom` or `scripts/gen-sbom` |
 | **Config-accurate build properties** | **Available** | Read `wolfssl:build:*` in `.cdx.json` |
 | **Embedded source-merkle checksum** | **Available** | `gen-sbom` with `--srcs` (no `libwolfssl.a` required) |
-| **Commercial license in SBOM** | **Available** | `CRA_LICENSE_OVERRIDE=LicenseRef-wolfSSL-Commercial ./scripts/generate-wolfssl-sbom.sh` (or `make-commercial-sample.sh` to derive from pinned GPL samples) |
+| **Commercial license in SBOM** | **Available** | `CRA_LICENSE_OVERRIDE=LicenseRef-wolfSSL-Commercial CRA_LICENSE_TEXT=/path/to/commercial-license.txt ./scripts/generate-wolfssl-sbom.sh` (a `LicenseRef-*` override requires the licence text; or use `make-commercial-sample.sh` to derive from pinned GPL samples) |
 | **Reproducible SBOM timestamps** | **Available** | `SOURCE_DATE_EPOCH` |
 | **OmniBOR / `make bomsh`** | **Available** | Linux **build host** only; optional for CRA |
-| **`pkg:github` PURL** | **Available** | Auto-canonicalised by `generate-wolfssl-sbom.sh` post-process; resolves in OSV / GHSA / Snyk / Trivy without per-vendor mapping |
+| **`pkg:github` PURL** | **Available** | Emitted natively by `gen-sbom`; resolves in OSV / GHSA / Snyk / Trivy without per-vendor mapping |
 | **Cryptographic-asset draft** (CycloneDX 1.6) | **Draft sample** | Hand-rolled `wolfssl-<ver>.cbom-draft.cdx.json` alongside SBOM (4–6 starter entries); upstream automation: roadmap |
 | **Formal CBOM** (`cryptographic-asset` profile, all primitives) | **Roadmap** | Use draft sample + `wolfssl:build:*` properties |
 | **VEX templates / automation** | **Roadmap** | Your scanner + wolfSSL [advisories](https://www.wolfssl.com/docs/security-vulnerabilities/) |

…/auditor-packet/README-auditor-packet.md cra-kit/auditor-packet/README.mdcra-kit/auditor-packet/README-auditor-packet.md renamed to cra-kit/auditor-packet/README.md cra-kit/auditor-packet/README-auditor-packet.md renamed to cra-kit/auditor-packet/README.md

@@ -35,7 +35,7 @@
           "hashes": [
             {
               "alg": "SHA-256",
-              "content": "265cd1575f7a350295ba1414494f2cc93bb895223a9732dcfb231bcecb6d3bbd"
+              "content": "bc8c6b9f5fbe829edb594dc74bcb95a202ca1b402ab1dca60f858aa9fe2ec6e3"
             }
           ]
         }

cra-kit/auditor-packet/product-acme-connect-gateway.cdx.json

@@ -16,7 +16,7 @@
       "spdxDocument": "file:./wolfssl-component/wolfssl-5.9.1.spdx.json",
       "checksum": {
         "algorithm": "SHA256",
-        "checksumValue": "36fdc0c8a192a0fadc4c5024ff75ecee3a56dd8a431dfb25bfa8afcf467cfdef"
+        "checksumValue": "a60bda42e4e0c874f21abaed7b34e72ac6ea329662fbac33f8487608753042f2"
       }
     }
   ],
@@ -25,7 +25,7 @@
       "SPDXID": "SPDXRef-Package-Product",
       "name": "acme-connect-gateway",
       "versionInfo": "1.0.0",
-      "supplier": "Organization: Acme Industries",
+      "supplier": "Organization: Acme Industries (fictional example)",
       "downloadLocation": "NOASSERTION",
       "filesAnalyzed": false
     }

cra-kit/auditor-packet/product-acme-connect-gateway.spdx.json

@@ -28,10 +28,10 @@
         },
         {
           "algorithm": "SHA256",
-          "checksumValue": "391e86477f5eee025e677a24b13e2d9a4d3e4c18d88e6359853ebf1c9932279e"
+          "checksumValue": "0000000000000000000000000000000000000000000000000000000000000000"
         }
       ],
-      "comment": "OmniBOR identifier for the linked binary: gitoid:blob:sha1:0000000000000000000000000000000000000001 — sample placeholder. Real builds emit the actual gitoid covering all .o inputs."
+      "comment": "SENTINEL VALUES — both the SHA-1 gitoid and the SHA-256 here are all-zero placeholders, NOT real digests. A compiled .so cannot share the source archive's hash, so this sample deliberately avoids any real-looking value a customer might copy. Real builds emit the actual binary digests and the gitoid covering all .o inputs."
     }
   ],
   "files": [

cra-kit/auditor-packet/wolfssl-component/omnibor.wolfssl-5.9.1.spdx.json.sample

@@ -12,7 +12,7 @@
           "type": "application",
           "author": "wolfSSL Inc.",
           "name": "wolfssl-sbom-gen",
-          "version": "1.0"
+          "version": "1.1"
         }
       ]
     },
@@ -44,6 +44,22 @@
         {
           "type": "vcs",
           "url": "https://github.com/wolfSSL/wolfssl"
+        },
+        {
+          "type": "website",
+          "url": "https://www.wolfssl.com/"
+        },
+        {
+          "type": "issue-tracker",
+          "url": "https://github.com/wolfSSL/wolfssl/issues"
+        },
+        {
+          "type": "advisories",
+          "url": "https://github.com/wolfSSL/wolfssl/security/advisories"
+        },
+        {
+          "type": "security-contact",
+          "url": "https://www.wolfssl.com/.well-known/security.txt"
         }
       ],
       "properties": [
@@ -286,6 +302,26 @@
         {
           "name": "wolfssl:build:WOLFSSL_X86_64_BUILD",
           "value": "1"
+        },
+        {
+          "name": "wolfssl:sbom:hash-kind",
+          "value": "library-binary"
+        }
+      ],
+      "components": [
+        {
+          "type": "file",
+          "name": "libwolfssl.44.dylib",
+          "hashes": [
+            {
+              "alg": "SHA-1",
+              "content": "def1d74ce45e708d8230084cdea4f45a9cad144c"
+            },
+            {
+              "alg": "SHA-256",
+              "content": "391e86477f5eee025e677a24b13e2d9a4d3e4c18d88e6359853ebf1c9932279e"
+            }
+          ]
         }
       ]
     }

cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.cdx.json

@@ -2,7 +2,7 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:80b023d5-8a5d-4e17-9e18-f3d5c7c9762e",
+  "serialNumber": "urn:uuid:554e996c-5c73-46f2-a642-5c1dc0c853d8",
   "version": 1,
   "metadata": {
     "timestamp": "2026-05-12T16:59:40Z",
@@ -12,7 +12,7 @@
           "type": "application",
           "author": "wolfSSL Inc.",
           "name": "wolfssl-sbom-gen",
-          "version": "1.0"
+          "version": "1.1"
         }
       ]
     },
@@ -44,6 +44,22 @@
         {
           "type": "vcs",
           "url": "https://github.com/wolfSSL/wolfssl"
+        },
+        {
+          "type": "website",
+          "url": "https://www.wolfssl.com/"
+        },
+        {
+          "type": "issue-tracker",
+          "url": "https://github.com/wolfSSL/wolfssl/issues"
+        },
+        {
+          "type": "advisories",
+          "url": "https://github.com/wolfSSL/wolfssl/security/advisories"
+        },
+        {
+          "type": "security-contact",
+          "url": "https://www.wolfssl.com/.well-known/security.txt"
         }
       ],
       "properties": [
@@ -287,10 +303,30 @@
           "name": "wolfssl:build:WOLFSSL_X86_64_BUILD",
           "value": "1"
         },
+        {
+          "name": "wolfssl:sbom:hash-kind",
+          "value": "library-binary"
+        },
         {
           "name": "wolfssl:license:override",
           "value": "LicenseRef-wolfSSL-Commercial"
         }
+      ],
+      "components": [
+        {
+          "type": "file",
+          "name": "libwolfssl.44.dylib",
+          "hashes": [
+            {
+              "alg": "SHA-1",
+              "content": "def1d74ce45e708d8230084cdea4f45a9cad144c"
+            },
+            {
+              "alg": "SHA-256",
+              "content": "391e86477f5eee025e677a24b13e2d9a4d3e4c18d88e6359853ebf1c9932279e"
+            }
+          ]
+        }
       ]
     }
   },

cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.commercial.cdx.json

@@ -3,11 +3,11 @@
   "dataLicense": "CC0-1.0",
   "SPDXID": "SPDXRef-DOCUMENT",
   "name": "wolfssl-5.9.1",
-  "documentNamespace": "urn:uuid:cedcdaaa-b983-4ce1-83e3-ed7337232a49",
+  "documentNamespace": "urn:uuid:59b18c7a-8572-4743-85f2-ffeac74c310d",
   "creationInfo": {
     "creators": [
       "Organization: wolfSSL Inc.",
-      "Tool: wolfssl-sbom-gen-1.0"
+      "Tool: wolfssl-sbom-gen-1.1"
     ],
     "created": "2026-05-12T16:59:40Z"
   },
@@ -29,6 +29,14 @@
       "licenseDeclared": "LicenseRef-wolfSSL-Commercial",
       "copyrightText": "Copyright (C) 2006-2026 wolfSSL Inc.",
       "comment": "License override applied: LicenseRef-wolfSSL-Commercial. Build configuration defines: ECC_MIN_KEY_SZ, ECC_SHAMIR, ECC_TIMING_RESISTANT, ERROR_QUEUE_PER_THREAD, GCM_TABLE_4BIT, HAVE_AESGCM, HAVE_CHACHA, HAVE_C___ATOMIC, HAVE_DH_DEFAULT_PARAMS, HAVE_ECC, HAVE_ENCRYPT_THEN_MAC, HAVE_EXTENDED_MASTER, HAVE_FFDHE_2048, HAVE_GETPID, HAVE_HASHDRBG, HAVE_HKDF, HAVE_POLY1305, HAVE_SERVER_RENEGOTIATION_INFO, HAVE_SNI, HAVE_SUPPORTED_CURVES, HAVE_THREAD_LS, HAVE_TLS_EXTENSIONS, HAVE_WC_INTROSPECTION, HAVE___UINT128_T, NO_DES3, NO_DES3_TLS_SUITES, NO_DO178, NO_DSA, NO_MD4, NO_MD5, NO_OLD_TLS, NO_PSK, NO_RC4, TFM_TIMING_RESISTANT, WC_NO_ASYNC_THREADING, WC_RSA_BLINDING, WC_RSA_PSS, WOLFSSL_ARMASM_NO_HW_CRYPTO, WOLFSSL_ASN_PRINT, WOLFSSL_ASN_TEMPLATE, WOLFSSL_BASE64_ENCODE, WOLFSSL_DRBG_SHA512, WOLFSSL_HAVE_ASSERT_H, WOLFSSL_HAVE_ATOMIC_H, WOLFSSL_HAVE_MLKEM, WOLFSSL_PQC_HYBRIDS, WOLFSSL_PSS_LONG_SALT, WOLFSSL_SHA224, WOLFSSL_SHA3, WOLFSSL_SHA384, WOLFSSL_SHA512, WOLFSSL_SHAKE128, WOLFSSL_SHAKE256, WOLFSSL_SP_MATH_ALL, WOLFSSL_SP_X86_64, WOLFSSL_SYS_CA_CERTS, WOLFSSL_TLS13, WOLFSSL_TLS_NO_MLKEM_STANDALONE, WOLFSSL_USE_ALIGN, WOLFSSL_X86_64_BUILD",
+      "annotations": [
+        {
+          "annotationDate": "2026-05-12T16:59:40Z",
+          "annotationType": "OTHER",
+          "annotator": "Tool: wolfssl-sbom-gen-1.1",
+          "comment": "wolfssl:sbom:hash-kind=library-binary"
+        }
+      ],
       "externalRefs": [
         {
           "referenceCategory": "SECURITY",
@@ -39,6 +47,11 @@
           "referenceCategory": "PACKAGE-MANAGER",
           "referenceType": "purl",
           "referenceLocator": "pkg:github/wolfSSL/wolfssl@v5.9.1"
+        },
+        {
+          "referenceCategory": "SECURITY",
+          "referenceType": "advisory",
+          "referenceLocator": "https://github.com/wolfSSL/wolfssl/security/advisories"
         }
       ]
     }