feat: add make sbom target#1050
Conversation
Adds sbom, install-sbom, and uninstall-sbom targets. Runs gen-sbom to produce CDX and SPDX outputs. Requires WOLFSSL_DIR pointing to a wolfssl tree with the feat/sbom-embedded branch (includes gen-sbom).
There was a problem hiding this comment.
Pull request overview
Adds SBOM generation and install/uninstall targets to the autotools build, intended to produce CycloneDX + SPDX outputs and validate SPDX on the build host.
Changes:
- Add
make sbom,make install-sbom, andmake uninstall-sbomtargets plus related variables/cleanup inMakefile.am. - Extend
configure.acto discoverpython3/pyspdxtoolsand to break out libtool version-info components into separate substituted variables.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| Makefile.am | Adds SBOM generation/validation targets and output staging/cleanup rules. |
| configure.ac | Adds tool discovery for SBOM prerequisites and refactors libtool version-info variables. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Include AM_CPPFLAGS and config.h in the options snapshot so the configured feature set (WOLFSSH_SCP/SFTP/NO_WOLFSSH_SERVER/...) appears in the SBOM instead of being empty. - Discover static (.a), Mach-O (.dylib) and Windows (.dll/.lib) artifacts, not just a versioned .so. - Set SOURCE_DATE_EPOCH from the last git commit for reproducible output. - Clean staging tree and temp defines file via trap even on failure. - Record wolfssl as an SBOM dependency (--dep-wolfssl), version auto-detected from WOLFSSL_DIR/wolfssl/version.h. - configure.ac: detect git; drop unused version-info split + comment. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
There was a problem hiding this comment.
Tested make sbom end-to-end on macOS (--enable-all, gen-sbom from wolfssl feat/sbom-embedded, spdx-tools + pcpp installed): exits 0, all three outputs produced, the Mach-O .dylib discovery branch fires, the trap cleans up the staging tree and temp defines file, the configured feature macros (WOLFSSH_SFTP/SCP/CERTS/AGENT/SSHD, NO_INLINE, NDEBUG) now appear in the SBOM, and pyspdxtools re-validation passes clean. Two follow-ups below, none blocking.
Default SBOM_LICENSE_OVERRIDE to GPL-3.0-only so the SBOM records the correct license instead of NOASSERTION, and point the --dep-wolfssl note at wolfSSL/wolfssl#10343. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Move the make sbom / install-sbom / uninstall-sbom recipe out of Makefile.am into a reusable scripts/sbom.am fragment; Makefile.am now just declares the product facts (name, LICENSING, wolfssl dependency, GPL-3.0-only default) and includes it. Add a GitHub Actions workflow covering both SBOM paths: - autotools: build wolfSSL + wolfSSH, run make sbom, assert SPDX validity, CycloneDX identity, reproducibility, and the wolfssl dependency edge. - embedded: run gen-sbom against user_settings.h (via pcpp) + the wolfSSH source set, asserting the same identity/validity/reproducibility plus that user_settings.h options and the wolfssl dependency are captured. Both gracefully skip on a gen-sbom that predates the wolfSSL SBOM change. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Guard the SBOM_GEN wolfSSL fallback with $(if $(WOLFSSL_DIR),...) so an unset WOLFSSL_DIR leaves it empty (yielding the intended "set WOLFSSL_DIR" error) instead of resolving to an absolute /scripts/gen-sbom that could run an unrelated host script. Reword the fragment header to describe the actual gen-sbom resolution (vendored copy if present, else WOLFSSL_DIR) rather than claiming offline tarball builds that aren't wired up yet. Condition the README's wolfSSL-dependency statement on a sufficiently new gen-sbom to match the existing degradation note. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
aidangarske
left a comment
There was a problem hiding this comment.
🐺 Skoll Code Review
Overall recommendation: REQUEST_CHANGES
Findings: 2 total — 2 posted, 0 skipped
Posted findings
- [High] Default SBOM license contradicts source license headers —
Makefile.am:98 - [Medium] SBOM workflow can pass without exercising the new target —
.github/workflows/sbom.yml:64-79
Review generated by Skoll.
Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
jackctj117
left a comment
There was a problem hiding this comment.
Skoll Multi-Scan Review
Modes: reviewOverall recommendation: COMMENT
Findings: 5 total — 5 posted, 0 skipped
4 finding(s) posted as inline comments (see file-level comments below)
1 finding(s) not tied to a diff line (full detail below)
One or more scans did not complete — the results below are partial.
Posted findings
- [Medium] [review] CI workflow pins wolfSSL to an unmerged PR ref for all events, including every pull_request —
.github/workflows/sbom.yml:3-13, 41-46 - [Low] [review] wolfssl version.h parse uses [ \t] which does not match a literal tab —
scripts/sbom.am:144-145 - [Low] [review] sbomdir hardcodes
$(datadir)/doc/$ (PACKAGE) instead of using $(docdir) —scripts/sbom.am:55 - [Low] [review] uninstall-hook removes SBOM files that plain make install never installs —
scripts/sbom.am:185-196
Findings not tied to a diff line
SBOM targets silently require GNU make; ?= and GNU-only make functions are undocumented
File: scripts/sbom.am:46-63, Makefile.am:98
Function: sbom
Severity: Medium
Category: question
The fragment relies on GNU make extensions: conditional assignment ?= (SBOM_ARTIFACT ?= lib, SBOM_LICENSE_OVERRIDE ?= GPL-3.0-or-later) and the GNU-only functions $(wildcard ...), $(if ...), $(firstword ...), and $(addprefix ...). ?= is not one of Automake's documented assignment operators (=, +=, :=); confirm autoreconf accepts it without error. Note CI only runs autoreconf/configure on the wolfSSH tree when gen-sbom is detected (the steps.gate.outputs.have == 'yes' gate), so a hard Automake failure would only surface when CI checks out a wolfssl ref carrying the script. Under a non-GNU make (e.g. BSD make), SBOM_GEN/SBOM_LIB_GLOBS evaluate to empty and make sbom fails with a misleading 'gen-sbom not found' / 'no artifact found' error rather than a clear 'GNU make required' message.
Recommendation: Confirm autoreconf accepts ?= on the toolchain versions you support, and document in the README/comment that the SBOM targets require GNU make. Optionally guard with a clearer error when GNU-make features are unavailable.
Referenced code: scripts/sbom.am:46-63, Makefile.am:98-100 (3 lines)
Review generated by Skoll
Sync the vendored fragment with the canonical wolfSSL copy: add $(AM_CFLAGS) $(CFLAGS) to the -dM -E build-options capture and make the config header path overridable via SBOM_CONFIG_H (default config.h) so the SBOM records the configured feature macros. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Re-sync scripts/sbom.am with the canonical wolfSSL copy ($(docdir) sbomdir, [[:space:]] version parse, GNU-make and uninstall-sbom docs) and widen the SBOM workflow pull_request filter to '**'. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Summary
Adds
make sbom,make install-sbom, andmake uninstall-sbomtargets to the autotools build..sofor hashingcc -dM -Efor the options snapshotgen-sbom(from wolfsslscripts/gen-sbom) to produce CycloneDX and SPDX outputspyspdxtoolsUsage
```sh
./configure --with-wolfssl=/path/to/wolfssl/install
make
make sbom WOLFSSL_DIR=/path/to/wolfssl/source
```
Outputs:
wolfssh-<version>.cdx.json,wolfssh-<version>.spdx.json,wolfssh-<version>.spdxRequirements
WOLFSSL_DIRmust point to a wolfssl source tree containingscripts/gen-sbom(available on thefeat/sbom-embeddedbranch of wolfssl)python3andpip install spdx-toolson the build hostTest plan
./configure --with-wolfssl=... && make && make sbom WOLFSSL_DIR=...pyspdxtools --infile wolfssh-*.spdx.jsonpasses validation