sbom: address Skoll review findings

Thread a new SBOM_DEP_VERSIONS make variable to gen-sbom's --dep-version
so autotools packagers without pkg-config avoid NOASSERTION dep versions,
resolve each dependency version once instead of per-format, drop a dead
FIPS bucket branch in gen-advisory, and make the gen-advisory exec bit
match gen-sbom.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>

Author: sameehj

Makefile.am

@@ -470,6 +470,14 @@ WOLFSSL_LIB_DSO_BASENAMES = \
 #                          their own URL should set this to a URI they
 #                          actually serve (e.g.
 #                          https://example.com/sbom/wolfssl-X.Y.Z.spdx.json).
+#   SBOM_DEP_VERSIONS      Space-separated KEY=VERSION list forwarded to
+#                          gen-sbom as repeated --dep-version flags (KEY is
+#                          one of the known deps, e.g. liboqs / libz).  Use
+#                          this on build/packaging hosts that lack the dep's
+#                          pkg-config .pc file, where version detection would
+#                          otherwise fall back to NOASSERTION (SPDX) / an
+#                          omitted version+purl (CycloneDX).  Example:
+#                          make sbom SBOM_DEP_VERSIONS='liboqs=0.10.0 libz=1.3.1'.
 #   SBOM_LIB_OVERRIDE      Absolute path to the library artefact whose
 #                          SHA-256 should land in the SBOM, INSTEAD of
 #                          discovering one via a private staging install.
@@ -547,6 +555,7 @@ sbom:
 	    --lib "$$sbom_lib" \
 	    --dep-libz $(ENABLED_LIBZ) \
 	    --dep-liboqs $(ENABLED_LIBOQS) \
+	    $(foreach dv,$(SBOM_DEP_VERSIONS),--dep-version '$(dv)') \
 	    --cdx-out $(abs_builddir)/$(SBOM_CDX) \
 	    --spdx-out $(abs_builddir)/$(SBOM_SPDX); \
 	$(PYSPDXTOOLS) --infile $(abs_builddir)/$(SBOM_SPDX) \

doc/SBOM.md

@@ -498,7 +498,15 @@ its `.pc` file is missing):
   prints a warning to stderr.
 
 For embedded / cross-compile builds without `pkg-config`, the standalone
-entry point exposes a `--dep-version libz=1.3.1` override (see § 1.2).
+entry point exposes a `--dep-version libz=1.3.1` override (see § 1.2). The
+autotools path exposes the same override through the `SBOM_DEP_VERSIONS`
+make variable (space-separated `KEY=VERSION` pairs), so a packaging host
+that lacks the dependency's `.pc` file can still record the version instead
+of `NOASSERTION`:
+
+```sh
+make sbom SBOM_DEP_VERSIONS='liboqs=0.10.0 libz=1.3.1'
+```
 
 ### 2.5 Validating the SBOM manually
 

scripts/gen-advisory

@@ -340,10 +340,8 @@ def product_model(adv, ov):
         modver = fips.get('module_version')
         fbucket = _STATE_TO_BUCKET.get(fips.get('status', 'exploitable'),
                                        'known_affected')
-        if fips.get('status') in _STATE_TO_BUCKET:
-            fbucket = _STATE_TO_BUCKET[fips['status']]
         affected_ranges = []
-        if fbucket != 'fixed' and modver:
+        if modver:
             affected_ranges.append({
                 'label': modver,
                 'cpe': cpe_for('wolfcrypt', modver),

scripts/gen-sbom

@@ -923,6 +923,21 @@ def _parse_dep_version_overrides(spec_list):
     return overrides
 
 
+def _resolve_dep_versions(enabled_deps, overrides):
+    """Resolve each enabled dependency's version exactly once, mutating and
+    returning `overrides` so both the CDX and SPDX emitters reuse the same
+    value instead of each re-invoking pkg-config.  Caching the result
+    (including None) means a later dep_version() lookup short-circuits on the
+    membership check rather than re-shelling to `pkg-config --modversion`, so
+    a default --with-libz --with-liboqs build calls pkg-config once per dep
+    (not once per dep per output format) and the two documents can never
+    disagree if pkg-config output were ever non-deterministic."""
+    for key in enabled_deps:
+        if key not in overrides:
+            overrides[key] = dep_version(key, overrides)
+    return overrides
+
+
 def main():
     parser = argparse.ArgumentParser(
         description='Generate CycloneDX and SPDX SBOMs for wolfssl. '
@@ -1061,6 +1076,10 @@ def main():
         if flag.lower() == 'yes'
     ]
     dep_version_overrides = _parse_dep_version_overrides(args.dep_version)
+    # Resolve each enabled dependency's version once, here, and feed the
+    # result to both the CDX and SPDX emitters via the overrides map (see
+    # _resolve_dep_versions for the once-per-dep pkg-config rationale).
+    _resolve_dep_versions(enabled_deps, dep_version_overrides)
 
     if args.license_override:
         license_id = args.license_override

scripts/test_gen_sbom.py

@@ -1253,6 +1253,58 @@ def test_parse_overrides_accepts_known_keys(self):
         self.assertEqual(out, {'libz': '1.3.1', 'liboqs': '0.10.0'})
 
 
+class TestResolveDepVersionsSingleShot(unittest.TestCase):
+    """Each enabled dependency's version must be resolved exactly once (in
+    main, via _resolve_dep_versions), not once per output format.  Without
+    the precompute, generate_cdx and generate_spdx each call dep_version()
+    independently, so a default --with-libz --with-liboqs build would shell
+    out to `pkg-config --modversion` four times (2 deps x CDX+SPDX) instead
+    of twice -- and the two documents could disagree if pkg-config were ever
+    non-deterministic.  These tests lock that single-resolution behaviour in."""
+
+    def test_pkgconfig_called_once_per_dep(self):
+        calls = []
+        original = gs.pkgconfig_version
+        try:
+            gs.pkgconfig_version = lambda pkg: (calls.append(pkg), '1.2.3')[1]
+            overrides = gs._resolve_dep_versions(['libz', 'liboqs'], {})
+            self.assertEqual(len(calls), 2)
+            self.assertEqual(overrides['libz'], '1.2.3')
+            self.assertEqual(overrides['liboqs'], '1.2.3')
+            # The emitters reuse the cached value: a later dep_version() for
+            # an already-resolved key must not re-invoke pkg-config.
+            gs.dep_version('libz', overrides)
+            gs.dep_version('liboqs', overrides)
+            self.assertEqual(len(calls), 2)
+        finally:
+            gs.pkgconfig_version = original
+
+    def test_user_override_skips_pkgconfig(self):
+        calls = []
+        original = gs.pkgconfig_version
+        try:
+            gs.pkgconfig_version = lambda pkg: (calls.append(pkg), '9.9.9')[1]
+            overrides = gs._resolve_dep_versions(['libz'], {'libz': '1.3.1'})
+            self.assertEqual(overrides['libz'], '1.3.1')
+            self.assertEqual(calls, [])
+        finally:
+            gs.pkgconfig_version = original
+
+    def test_none_is_cached_when_pkgconfig_missing(self):
+        calls = []
+        original = gs.pkgconfig_version
+        try:
+            gs.pkgconfig_version = lambda pkg: (calls.append(pkg), None)[1]
+            overrides = gs._resolve_dep_versions(['liboqs'], {})
+            self.assertIn('liboqs', overrides)
+            self.assertIsNone(overrides['liboqs'])
+            # A cached None must short-circuit later lookups too.
+            gs.dep_version('liboqs', overrides)
+            self.assertEqual(len(calls), 1)
+        finally:
+            gs.pkgconfig_version = original
+
+
 class TestCliMutualExclusion(unittest.TestCase):
     """The two entry-point shapes (autotools / standalone) must be
     mutually exclusive.  Mixing them would produce a hash whose