
feat(cmake): add sbom / install-sbom / uninstall-sbom targets #10752

Open

MarkAtwood wants to merge 2 commits into wolfSSL:master from MarkAtwood:feat/sbom-cmake

Conversation

@MarkAtwood

Contributor

Depends on

#10343 (autotools make sbom baseline) — do not merge until #10343 lands.

Summary

  • Adds three CMake custom targets that mirror the autotools make sbom, make install-sbom, and make uninstall-sbom targets added in feat: SBOM generation and OmniBOR build provenance (CRA compliance) #10343.
  • cmake --build <dir> --target sbom generates CycloneDX 1.6 JSON and SPDX 2.3 JSON+tag-value in the build directory; fails clearly if python3 or pyspdxtools are missing.
  • cmake --build <dir> --target install-sbom copies the three files to <prefix>/<docdir>/wolfssl/; respects DESTDIR for staging installs.
  • cmake --build <dir> --target uninstall-sbom removes the installed files.
  • cmake/install-sbom.cmake and cmake/uninstall-sbom.cmake are new -P script files that read $ENV{DESTDIR} at execution time (not configure time).
  • Dep flags use generator expressions ($<IF:$<BOOL:${WOLFSSL_OQS}>,yes,no>) so the SBOM reflects the actual cmake build configuration.
  • libz is hardcoded no — CMake builds do not support libz yet (pre-existing gap, not introduced here).

Test plan

  • Out-of-source cmake build: cmake -B build && cmake --build build && cmake --build build --target sbom
  • Verify .cdx.json and .spdx.json appear in build/
  • cmake --build build --target install-sbom installs to <prefix>/share/doc/wolfssl/
  • DESTDIR=/tmp/staging cmake --build build --target install-sbom writes to /tmp/staging/<prefix>/share/doc/wolfssl/
  • cmake --build build --target uninstall-sbom removes the installed files
  • Missing python3: stub target prints clear error and exits non-zero

MarkAtwood and others added 2 commits April 28, 2026 13:36
Adds `make sbom` producing CycloneDX 1.6 and SPDX 2.3 SBOMs
for EU Cyber Resilience Act compliance.

Generation is handled by scripts/gen-sbom (Python 3, stdlib only).
The script stages a `make install`, hashes the installed
libwolfssl.so, generates both formats, then removes the staging
directory. pyspdxtools validates the SPDX JSON and converts it
to tag-value (.spdx).

Output files (all versioned):
  wolfssl-<ver>.cdx.json   CycloneDX 1.6 JSON
  wolfssl-<ver>.spdx.json  SPDX 2.3 JSON
  wolfssl-<ver>.spdx       SPDX 2.3 tag-value

SBOMs include: SHA-256 of the library, CPE, PURL, license
detected from the LICENSING file, copyright, and build
configuration (options.h defines as CDX properties). Optional
external dependencies (liboqs, libxmss, liblms, libz) appear as
separate components when enabled.

Version detection for deps without pkg-config (libxmss, liblms)
uses `git describe --tags --always` on the source tree root.

configure.ac changes:
- AC_SUBST ENABLED_LIBOQS/LIBXMSS/LIBLMS/LIBZ so the dep flags
  set during ./configure are visible in the generated Makefile
- AC_SUBST LIBLMS_ROOT (XMSS_ROOT was already exported by
  wolfssl) so gen-sbom can locate the source tree for git describe
- AC_PATH_PROG([GIT]) to find git robustly at configure time
  rather than relying on PATH at make sbom time
- Initialize LIBLMS_ROOT="" before the liblms detection block,
  mirroring how XMSS_ROOT is defaulted in the disabled branch

Also adds: doc/SBOM.md, INSTALL section 21, README one-liner,
install-sbom / uninstall-sbom targets.

Adds three custom targets equivalent to the autotools make sbom,
make install-sbom, and make uninstall-sbom targets added in this
branch.

gen-sbom already reads wolfssl/options.h which cmake generates via
cmake/options.h.in, so no changes to the script are required.

Uses $<TARGET_FILE:wolfssl> for the library path instead of a staging
install, which is cleaner and avoids the overhead of a full install
just to obtain the .so path for SHA-256 hashing.

DESTDIR is supported on install-sbom and uninstall-sbom via
cmake/install-sbom.cmake and cmake/uninstall-sbom.cmake, which read
$ENV{DESTDIR} at build time. This matches the autotools behaviour:
  DESTDIR=/staging cmake --build <dir> --target install-sbom

Stub targets with clear error messages are emitted at configure time
if python3 or pyspdxtools are not found, so cmake --build --target sbom
fails descriptively rather than with a cryptic empty-command error.

libz is hardcoded to --dep-libz no: LIBZ is a TODO in CMakeLists.txt
and cannot be enabled in cmake builds today.
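
As an added example, not wolfSSL's scripts/gen-sbom and not code from this PR, the following Python builds a CycloneDX 1.6-style document of the shape the commit message describes (SHA-256 of the library, PURL, options.h defines recorded as CDX properties, enabled optional dependencies as separate components) and then performs the check a consumer of the SBOM should run: that the recorded SHA-256 matches the artifact actually shipped. The library bytes, the options.h text, the version strings, the `pkg:generic` PURL form and the `wolfssl:options.h:<DEFINE>` property names are all constructed assumptions, not values taken from the real generator.

```python
"""Minimal CycloneDX 1.6-style SBOM builder plus the consumer-side hash check.

Added example, not wolfSSL's scripts/gen-sbom. Everything here is constructed:
the library bytes, the options.h text, the dependency versions, the PURL form
and the property naming scheme ("wolfssl:options.h:<DEFINE>") are assumptions.
"""
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Constructed stand-ins for the real inputs. A real build hashes the
# installed libwolfssl.so and reads the generated wolfssl/options.h.
FAKE_LIBRARY = b"\x7fELF constructed stand-in for libwolfssl.so"
FAKE_OPTIONS_H = """\
/* constructed stand-in for wolfssl/options.h */
#ifndef WOLFSSL_OPTIONS_H
#define WOLFSSL_OPTIONS_H
#define WOLFSSL_TLS13
#define HAVE_LIBOQS
#define WOLFSSL_MAX_STRENGTH 1
#undef  NO_RSA
#endif
"""


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the digest algorithm the SBOM records for the library."""
    return hashlib.sha256(data).hexdigest()


def options_h_properties(text: str) -> list:
    """Map each #define in options.h to a CycloneDX property so the SBOM
    captures the build configuration; #undef lines are deliberately skipped."""
    props = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "#define":
            props.append({"name": "wolfssl:options.h:" + parts[1],
                          "value": " ".join(parts[2:])})
    return props


def build_cyclonedx(version: str, library: bytes, options_h: str, deps: dict) -> dict:
    """Build the document. `deps` maps an enabled optional dependency
    (liboqs, libxmss, liblms, libz) to its version; disabled ones are absent,
    so they never appear as components."""
    purl = "pkg:generic/wolfssl@" + version          # assumed PURL form
    component = {
        "type": "library",
        "bom-ref": purl,
        "name": "wolfssl",
        "version": version,
        "purl": purl,
        "hashes": [{"alg": "SHA-256", "content": sha256_hex(library)}],
        "properties": options_h_properties(options_h),
    }
    dep_components = [
        {"type": "library", "bom-ref": f"pkg:generic/{name}@{ver}",
         "name": name, "version": ver, "purl": f"pkg:generic/{name}@{ver}"}
        for name, ver in sorted(deps.items())
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": "urn:uuid:" + str(uuid.uuid4()),
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "component": component,
        },
        "components": dep_components,
        "dependencies": [
            {"ref": purl, "dependsOn": [c["bom-ref"] for c in dep_components]}
        ],
    }


def verify_library_hash(bom: dict, library: bytes) -> bool:
    """Consumer-side check: the SHA-256 the SBOM records for the primary
    component must equal the digest of the artifact actually shipped. A
    mismatch means the SBOM does not describe this binary (stale build,
    wrong file, or tampering) and the document should not be trusted."""
    if bom.get("bomFormat") != "CycloneDX":
        return False
    recorded = {h["alg"]: h["content"]
                for h in bom["metadata"]["component"].get("hashes", [])}
    return recorded.get("SHA-256") == sha256_hex(library)


if __name__ == "__main__":
    bom = build_cyclonedx("0.0.0-example", FAKE_LIBRARY, FAKE_OPTIONS_H,
                          {"liboqs": "0.0.0-example"})
    print(json.dumps(bom, indent=2))
    print("hash matches artifact:", verify_library_hash(bom, FAKE_LIBRARY))
```

Run directly, it prints the JSON and the result of the hash check. The check is the part worth keeping in a packaging pipeline: an SBOM that records a digest nobody compares against the shipped binary is documentation, while one that is verified at install or intake time lets a downstream user detect that the SBOM describes a different build than the one they received.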
@MarkAtwood

Contributor Author

Waiting on #10343 to merge before this is ready to land. The diff is clean and self-contained but the base should be master only after the autotools baseline is in.

Copilot AI left a comment

Contributor


Pull request overview

Adds SBOM generation support to the CMake build (mirroring existing autotools targets) to produce CycloneDX 1.6 and SPDX 2.3 artifacts, plus install/uninstall helpers intended for CRA compliance workflows.

Changes:

  • Adds CMake custom targets: sbom, install-sbom, and uninstall-sbom, plus -P helper scripts to honor DESTDIR at execution time.
  • Introduces the Python SBOM generator (scripts/gen-sbom) and wires it into build systems.
  • Adds/updates documentation describing SBOM generation and artifacts.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| CMakeLists.txt | Defines SBOM targets and tool detection; installs/uninstalls via cmake -P scripts. |
| cmake/install-sbom.cmake | Installs generated SBOM artifacts, reading DESTDIR at build time. |
| cmake/uninstall-sbom.cmake | Uninstalls SBOM artifacts, reading DESTDIR at build time. |
| scripts/gen-sbom | Generates CycloneDX + SPDX JSON SBOMs; intended to be used by both build systems. |
| Makefile.am | Adds autotools sbom / install-sbom / uninstall-sbom targets and cleanup. |
| configure.ac | Detects python3, pyspdxtools, and git; plumbs dependency flags/roots to Makefile. |
| doc/SBOM.md | Documents SBOM purpose, output artifacts, validation, and dependency version detection. |
| README.md | Adds a brief SBOM/CRA section linking to detailed documentation. |
| INSTALL | Adds an SBOM section describing prerequisites, usage, and install/uninstall behavior. |


Comment thread CMakeLists.txt
Comment on lines +3274 to +3276
find_program(WOLFSSL_SBOM_PYTHON3
NAMES python3
DOC "Python 3 interpreter for SBOM generation (scripts/gen-sbom)")
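Review bot: `find_program(... NAMES python3 ...)` only finds an executable literally named `python3`, so on a host where the interpreter is installed only as `python` or `python3.12` (common on Windows and in some virtualenv layouts) configure will emit the stub target even though a usable Python 3 is present. Since the PR description says gen-sbom is stdlib-only, any Python 3 will do; consider `find_package(Python3 COMPONENTS Interpreter)` and `${Python3_EXECUTABLE}`, which also lets a user pin the interpreter with `-DPython3_EXECUTABLE=...` instead of relying on PATH lookup at configure time.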
Comment thread CMakeLists.txt
Comment on lines +3385 to +3388
"-DWOLFSSL_VERSION=${PROJECT_VERSION}"
"-DWOLFSSL_INSTALL_DOCDIR=${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DOCDIR}"
-P "${CMAKE_CURRENT_SOURCE_DIR}/cmake/install-sbom.cmake"
COMMENT "Installing wolfSSL SBOM to ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DOCDIR}"
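Review bot: `${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DOCDIR}` assumes `CMAKE_INSTALL_DOCDIR` is relative. GNUInstallDirs allows the user to set it to an absolute path (e.g. `-DCMAKE_INSTALL_DOCDIR=/usr/share/doc/wolfssl`), and then this concatenation produces a prefix-doubled path like `/usr/local//usr/share/doc/wolfssl`, so the SBOM would land somewhere other than the rest of the docs. Use `${CMAKE_INSTALL_FULL_DOCDIR}`, which GNUInstallDirs computes correctly for both the relative and absolute cases, in the `-DWOLFSSL_INSTALL_DOCDIR=` argument and in the COMMENT; the -P script can then prepend `$ENV{DESTDIR}` to that value as it already does.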
Comment thread CMakeLists.txt
Comment on lines +3400 to +3404
"-DWOLFSSL_VERSION=${PROJECT_VERSION}"
"-DWOLFSSL_INSTALL_DOCDIR=${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DOCDIR}"
-P "${CMAKE_CURRENT_SOURCE_DIR}/cmake/uninstall-sbom.cmake"
COMMENT
"Uninstalling wolfSSL SBOM from ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DOCDIR}"
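Review bot: The `-DWOLFSSL_VERSION=` / `-DWOLFSSL_INSTALL_DOCDIR=` arguments are duplicated verbatim from the install-sbom target, so a later fix to one (such as moving to `${CMAKE_INSTALL_FULL_DOCDIR}`) can silently leave the other behind and make uninstall-sbom look in a different directory than install-sbom wrote to. Define the argument list once in a variable and pass it to both `add_custom_target` calls, or have a single -P script take an `install`/`uninstall` mode, so the two paths are computed from one source.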
Comment thread doc/SBOM.md
Comment on lines +8 to +18
## Quick Start

```sh
./configure
make
make sbom
```

This requires `python3` and `pyspdxtools` (`pip install spdx-tools`).
Both are detected by `configure`; `make sbom` fails with a clear error
message if either is missing.
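Review bot: The Quick Start documents only the autotools flow, but this PR adds the equivalent CMake targets; add the CMake invocation from the PR's test plan (`cmake -B build && cmake --build build && cmake --build build --target sbom`) next to it, and state where the output lands in that case (the build directory rather than the source tree), since that is the main thing a CMake user needs to know.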
Comment thread doc/SBOM.md
Comment on lines +34 to +41
## Installing the SBOM

```sh
make install-sbom # installs to $(datadir)/doc/wolfssl/
make uninstall-sbom # removes the installed files
```

The generated files are removed by `make clean`.
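Review bot: This section should mention `DESTDIR`, since staged installs are the normal packaging path and the commit message states both build systems honour it (`DESTDIR=/staging cmake --build <dir> --target install-sbom`). Also, `$(datadir)/doc/wolfssl/` is a Makefile variable that means nothing to CMake users; spell out the default resolved location (`<prefix>/share/doc/wolfssl/`) and give the `cmake --build <dir> --target install-sbom` / `uninstall-sbom` equivalents alongside the make targets.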
Comment thread README.md
Comment on lines +35 to +36
wolfSSL provides a Software Bill of Materials (SBOM) for EU Cyber Resilience
Act (CRA) compliance via `make sbom`. See `doc/SBOM.md` for details.
Comment thread INSTALL
Comment on lines +335 to +340
Usage:

$ ./configure
$ make
$ make sbom

Comment thread INSTALL
Comment on lines +350 to +356
To install the SBOM files to $(datadir)/doc/wolfssl/:

$ make install-sbom

To remove installed SBOM files:

$ make uninstall-sbom
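Review bot: This INSTALL section restates doc/SBOM.md nearly word for word (same `$(datadir)/doc/wolfssl/` wording, same omission of DESTDIR and of the CMake targets), so the two will drift as soon as one is updated. Keep INSTALL to the prerequisites and the one-line install/uninstall commands for both build systems, and point to doc/SBOM.md as the single canonical description, so that a fix to the documentation only has to be made once.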