feat(gen-sbom): add embedded / custom-builder SBOM path#10753
Closed
MarkAtwood wants to merge 5 commits into
Closed
feat(gen-sbom): add embedded / custom-builder SBOM path#10753MarkAtwood wants to merge 5 commits into
MarkAtwood wants to merge 5 commits into
Conversation
Adds `make sbom` producing CycloneDX 1.6 and SPDX 2.3 SBOMs for EU Cyber Resilience Act compliance. Generation is handled by scripts/gen-sbom (Python 3, stdlib only). The script stages a `make install`, hashes the installed libwolfssl.so, generates both formats, then removes the staging directory. pyspdxtools validates the SPDX JSON and converts it to tag-value (.spdx). Output files (all versioned): wolfssl-<ver>.cdx.json CycloneDX 1.6 JSON wolfssl-<ver>.spdx.json SPDX 2.3 JSON wolfssl-<ver>.spdx SPDX 2.3 tag-value SBOMs include: SHA-256 of the library, CPE, PURL, license detected from the LICENSING file, copyright, and build configuration (options.h defines as CDX properties). Optional external dependencies (liboqs, libxmss, liblms, libz) appear as separate components when enabled. Version detection for deps without pkg-config (libxmss, liblms) uses `git describe --tags --always` on the source tree root. configure.ac changes: - AC_SUBST ENABLED_LIBOQS/LIBXMSS/LIBLMS/LIBZ so the dep flags set during ./configure are visible in the generated Makefile - AC_SUBST LIBLMS_ROOT (XMSS_ROOT was already exported by wolfssl) so gen-sbom can locate the source tree for git describe - AC_PATH_PROG([GIT]) to find git robustly at configure time rather than relying on PATH at make sbom time - Initialize LIBLMS_ROOT="" before the liblms detection block, mirroring how XMSS_ROOT is defaulted in the disabled branch Also adds: doc/SBOM.md, INSTALL section 21, README one-liner, install-sbom / uninstall-sbom targets.
Add --user-settings (pcpp/CC -dM -E), --srcs, --srcs-file, and --no-artifact-hash to gen-sbom for IAR/Keil/MPLAB builds. Makes --lib and --options-h optional; validate combinations. Document the three build paths in doc/SBOM.md.
MarkAtwood
requested review from
Copilot and
sameehj
and removed request for
Copilot
Open
4 tasks
Contributor
Author
pcpp 1.30 Preprocessor.parse() uses source= not filename= for the filename parameter. Wrong keyword caused TypeError crash when taking the pcpp code path.
Cherry-picked from feat/sbom-cmake (ff31dbb). Adds cmake custom targets for SBOM generation alongside the existing autotools/embedded paths. Stub targets fire a clear error when python3 or pyspdxtools are missing instead of silently failing.
Contributor
|
#10343 already has the embedded --user-settings/--srcs path on a more hardened, OmniBOR-gitoid base, and the only net-new bits here (--srcs-file, --no-artifact-hash, hash-source) are being ported there directly. |
Contributor
Author
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Depends on
Summary
Adds support for generating wolfSSL SBOMs from IAR, Keil, MPLAB, and other custom/embedded build systems that configure wolfSSL via
user_settings.hrather than autotools or cmake.New arguments
Build configuration source (one of
--options-h/--user-settingsrequired):--user-settings PATHuser_settings.h; preprocessed to extract enabled features--user-settings-include DIR--user-settings-define MACROArtifact hash source (at least one required):
--srcs FILE …--srcs-file PATH#lines ignored--no-artifact-hash--liband--options-hremain fully supported (autotools/cmake path unchanged).Preprocessor strategy for
--user-settingspip install pcpp): pure Python, host-independent — preferred for cross-compilationCC -dM -Efallback: setCC=arm-none-eabi-gccfor cross buildsSource file combined hash
--srcs/--srcs-filecomputes SHA-256 per file, sorts by path, then SHA-256s the manifest — deterministic regardless of argument order. Recorded aswolfssl:sbom:hash-source=srcs.--no-artifact-hashRecords a 64-zero placeholder and a
wolfssl:sbom:no-artifact-hash-noteproperty directing integrators to contact wolfSSL. Use only when neither a compiled library nor a source list is accessible.Documentation
doc/SBOM.mdupdated with a "Build System Integration" section covering all three paths with worked examples.Bug fixes in this update
pcpp.Preprocessor.parse()keyword arg (f2a77c56e): called asparse(..., filename=path)but pcpp 1.30 usessource=for that parameter. The pcpp path crashed on every invocation withTypeError. Fixed tosource=path.Note on cmake target cherry-pick
37630ea84cherry-picks thesbom/install-sbom/uninstall-sbomcmake targets fromfeat/sbom-cmake(#10752) onto this branch. This was done so the CRA Kit cmake mode (CRA_SBOM_MODE=cmake) can be tested end-to-end against this branch without requiring #10752 to be merged first. If #10752 merges before this PR, the cherry-pick becomes a no-op at merge time. Reviewers: the cmake target content is identical to what is reviewed in #10752 — no need to re-review it here.Test plan
--user-settings + --srcs: output haswolfssl:sbom:hash-source=srcs, digest matches, pyspdxtools validates--user-settings + --srcs-file: same digest as--srcsfor identical file list; blank/comment/duplicate lines handled--user-settings + --no-artifact-hash: 64-zero hash, contact note in properties, pyspdxtools validates--options-h + --lib(existing autotools/cmake path): unchanged output,hash-source=lib--options-h + --user-settings→ clear error, exit non-zero--no-artifact-hash + --srcs→ clear error, exit non-zerosrcsandnone(no-artifact-hash) SPDX outputs