Skip to content

Commit 2576c04

Browse files
MarkAtwoodsameehj
authored andcommitted
docs(sbom): correct NTIA/SPDX claims; fix broken anchor
Three documentation corrections from the wolfssl-1zj review: * README.md previously said 'Both produce SPDX 2.3 + CycloneDX 1.6 JSON validated against NTIA minimum elements'. Neither entry point runs an NTIA-minimum-elements checker. The autotools 'make sbom' path runs pyspdxtools (SPDX-spec validation, not NTIA-specific) and gates the build on it; the standalone embedded path runs no validation by default. Replace with text saying the SBOMs are intended to satisfy NTIA minimum elements, that only the autotools path runs SPDX validation, and that neither path runs an NTIA checker by default. Matters because downstream integrators quoting this README to auditors must not be misled into claiming NTIA validation has been performed (1zj.13). * doc/CRA.md previously named ntia-conformance-checker alongside pyspdxtools as a tool that 'will reject the SBOM otherwise' when a LicenseRef has no hasExtractedLicensingInfos block. ntia-conformance-checker validates the NTIA Minimum Elements (supplier, component name, version, unique ID, dependency relationships, author, timestamp) -- it does NOT enforce SPDX 2.3 \xc2\xa710.1 extracted-text completeness, which is a SPDX schema concern enforced by pyspdxtools. A reader who relied on the claim would get a false pass on a malformed LicenseRef SBOM. Drop the misleading mention; add a sentence stating what ntia-conformance-checker actually checks (1zj.16). * doc/SBOM.md anchor link 'See [Prerequisites for make bomsh] (#3-make-bomsh)' resolved to the top of section 3 instead of the \xc2\xa73.1 prerequisites subsection. Fix to the GFM auto-anchor for '### 3.1 Prerequisites for make bomsh', which is #31-prerequisites-for-make-bomsh (1zj.18). Closes wolfssl-1zj.13, wolfssl-1zj.16, wolfssl-1zj.18
1 parent c13f384 commit 2576c04

3 files changed

Lines changed: 14 additions & 7 deletions

File tree

README.md

Lines changed: 7 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -45,9 +45,13 @@ Act (CRA) compliance via two entry points:
4545
- `make sbom` for Linux server / Debian / RPM / Yocto / FIPS-Ready
4646
builds that already use `./configure && make`.
4747

48-
Both produce SPDX 2.3 + CycloneDX 1.6 JSON validated against NTIA
49-
minimum elements. See `doc/SBOM.md` for per-toolchain recipes and the
50-
full flag reference.
48+
Both produce SPDX 2.3 + CycloneDX 1.6 JSON intended to satisfy the
49+
NTIA minimum elements. The `make sbom` path additionally runs
50+
SPDX-spec validation via `pyspdxtools` and gates the build on it;
51+
the standalone path validates only on demand (see `doc/SBOM.md`
52+
§ 1.3). Neither path runs an NTIA-minimum-elements checker by
53+
default. See `doc/SBOM.md` for per-toolchain recipes and the full
54+
flag reference.
5155

5256
## OmniBOR / Bomsh
5357

doc/CRA.md

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -181,9 +181,12 @@ make sbom \
181181
`SBOM_LICENSE_TEXT` is **required** whenever `SBOM_LICENSE_OVERRIDE` uses a
182182
custom `LicenseRef-*` identifier. SPDX 2.3 §10.1 requires the actual licence
183183
text to be embedded in `hasExtractedLicensingInfos` for any LicenseRef used in
184-
the document; conformant validators (e.g. `pyspdxtools`, `ntia-conformance-checker`)
185-
will reject the SBOM otherwise. The file should contain the plain-text
186-
licence agreement you received from wolfSSL.
184+
the document; SPDX-conformant validators (e.g. `pyspdxtools`) will reject the
185+
SBOM otherwise. `ntia-conformance-checker` validates a separate set of NTIA
186+
minimum elements (supplier, component name, version, unique identifier,
187+
dependency relationships, author, timestamp) and will **not** catch a missing
188+
extracted-text block — do not rely on it to gate this case. The file should
189+
contain the plain-text licence agreement you received from wolfSSL.
187190

188191
If `SBOM_LICENSE_OVERRIDE` is set to a `LicenseRef-*` and `SBOM_LICENSE_TEXT`
189192
is missing, `make sbom` exits with an error rather than emit an invalid SBOM

doc/SBOM.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -381,7 +381,7 @@ make bomsh
381381
```
382382

383383
Additionally requires `bomtrace3` and `bomsh_create_bom.py` in `PATH`.
384-
See [Prerequisites for make bomsh](#3-make-bomsh) below.
384+
See [Prerequisites for make bomsh](#31-prerequisites-for-make-bomsh) below.
385385

386386
All tools are detected by `configure`; either target fails with a clear
387387
error message if a required tool is missing.

0 commit comments

Comments
 (0)