Skip to content

feat: add make sbom / install-sbom / uninstall-sbom targets#410

Open
MarkAtwood wants to merge 4 commits into
wolfSSL:masterfrom
MarkAtwood:feat/add-make-sbom
Open

feat: add make sbom / install-sbom / uninstall-sbom targets#410
MarkAtwood wants to merge 4 commits into
wolfSSL:masterfrom
MarkAtwood:feat/add-make-sbom

Conversation

@MarkAtwood

Copy link
Copy Markdown

Summary

  • Adds make sbom, make install-sbom, and make uninstall-sbom targets to wolfProvider's autotools build for EU CRA compliance evidence (CycloneDX 1.6 + SPDX 2.3 output)
  • Adds AC_CHECK_PROG checks for python3 and pyspdxtools in configure.ac

Usage

make sbom WOLFSSL_DIR=/path/to/wolfssl
# produces: wolfprov-1.1.1.cdx.json  wolfprov-1.1.1.spdx.json  wolfprov-1.1.1.spdx
pyspdxtools --infile wolfprov-1.1.1.spdx.json   # must pass

make install-sbom   # installs to $(datadir)/doc/wolfprov/
make uninstall-sbom

WOLFSSL_DIR must point to a wolfssl checkout containing scripts/gen-sbom (branch feat/sbom-embedded, or master once wolfSSL/wolfssl#10343 merges).

Notes

  • Product name is wolfprov throughout (matches AC_INIT and lib_LTLIBRARIES), not wolfprovider
  • No generated options.h; uses installed wolfssl's options.h via $(WOLFSSL_INCLUDEDIR)/wolfssl/options.h. WOLFSSL_DIR defaults to $(WOLFSSL_INSTALL_DIR) (set by --with-wolfssl= at configure time)
  • wolfProvider's libtool default SONAME is libwolfprov.so.0.0.0 (no -version-info set) — --lib path uses this literal, not the package version 1.1.1
  • Known limitation: if wolfssl was found via pkg-config rather than --with-wolfssl, WOLFSSL_INSTALL_DIR may be malformed; pass WOLFSSL_DIR= explicitly in that case

Copilot AI review requested due to automatic review settings June 23, 2026 22:35
@MarkAtwood MarkAtwood requested a review from sameehj June 23, 2026 22:36

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds SBOM generation and install/uninstall targets to the autotools build so wolfProvider can emit CycloneDX 1.6 and SPDX 2.3 artifacts (via wolfSSL’s gen-sbom script), plus configure-time discovery of required tooling.

Changes:

  • Add make sbom, make install-sbom, and make uninstall-sbom targets that stage-install the built artifacts and generate CycloneDX/SPDX outputs.
  • Add AC_CHECK_PROG checks for python3 and pyspdxtools in configure.ac.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
Makefile.am Adds SBOM generation and install/uninstall targets and related variables.
configure.ac Adds checks for python3 and pyspdxtools availability.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Makefile.am Outdated
Comment thread Makefile.am Outdated
Comment thread Makefile.am Outdated
Adds CycloneDX + SPDX SBOM generation via wolfssl's gen-sbom script.
Usage: make sbom WOLFSSL_DIR=/path/to/wolfssl

wolfProvider has no generated options.h; uses installed wolfssl's
options.h. WOLFSSL_DIR defaults to WOLFSSL_INSTALL_DIR. SONAME is
libwolfprov.so.0.0.0 (libtool default, no version-info set).
@MarkAtwood MarkAtwood force-pushed the feat/add-make-sbom branch from a93e1f6 to 8db5499 Compare June 29, 2026 19:18
@MarkAtwood MarkAtwood assigned wolfSSL-Bot and unassigned MarkAtwood Jul 6, 2026
Replace the inline SBOM recipe with the shared, product-agnostic
scripts/sbom.am used across the wolfSSL autotools stack. wolfProvider
just declares itself (a libwolfprov shared library that links both
wolfSSL and OpenSSL) and includes the fragment, gaining reproducible
output, license/version pinning, SPDX validation, dependency recording
(wolfssl + openssl), and an install/uninstall hook. Switch configure to
AC_PATH_PROG + AC_SUBST, expand the README, and add a SBOM CI workflow.

Signed-off-by: Sameeh Jubran <sameeh.j@gmail.com>

@aidangarske aidangarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐺 Skoll Code Review

Overall recommendation: REQUEST_CHANGES
Findings: 2 total — 2 posted, 0 skipped

Posted findings

  • [High] SBOM version lookup breaks clean out-of-tree builds and overrides Automake VERSIONMakefile.am:60-71
  • [Medium] pyspdxtools probe is never enforced by the sbom targetconfigure.ac:30, Makefile.am:80-83

Review generated by Skoll.

Comment thread Makefile.am
Comment thread configure.ac
@aidangarske aidangarske assigned MarkAtwood and unassigned wolfSSL-Bot Jul 9, 2026
@MarkAtwood

Copy link
Copy Markdown
Author

Both Skoll findings are against code that isn't in this PR (verified against the current head):

  • "VERSION grep at Makefile.am:60" — line 60 is a comment. There is no VERSION = assignment and no include/wolfprovider/version.h grep anywhere in the diff. SBOM filenames use $(PACKAGE_VERSION) (see scripts/sbom.am), so the "empty version / overrides Automake VERSION" symptom can't occur. The only version.h reads in the PR are the gated wolfSSL dependency version, a separate variable.

  • "pyspdxtools probe never enforced" — the recipe enforces it before gen-sbom runs: scripts/sbom.am:95 has @test -n "$(PYSPDXTOOLS)" || { echo "ERROR: 'pyspdxtools' not found ..."; exit 1; }.

The recipe was refactored into the shared scripts/sbom.am (byte-identical to the wolfssh copy); the flagged lines predate that refactor. CI is green. Requesting a re-review / dismissal of the stale change-request.

@MarkAtwood

Copy link
Copy Markdown
Author

Detailed verification — both Skoll findings are against code that isn't in this PR

Checked two ways against the reviewed head 611ccd038f14663e74e8225eb8fe821ff8290293: statically on a fresh clone, and empirically via this PR's own make sbom CI. Neither finding reproduces.

Finding 1 — "VERSION grep at Makefile.am:60 overrides Automake VERSION"

  • No VERSION = … assignment exists in any Makefile.am, *.am, or configure.ac. grep -rnE '^[[:space:]]*VERSION[[:space:]]*[:]?=' over a clean clone of the head returns nothing.

  • The only references to include/wolfprovider/version.h are benign: configure.ac:211 (an AC_CONFIG_FILES output generated from version.h.in) and include/include.am:7 (header install). Neither greps a version for the SBOM.

  • SBOM output names use $(PACKAGE_VERSION), not $(VERSION):

    • scripts/sbom.am:52-54SBOM_CDX = $(SBOM_PKGNAME)-$(PACKAGE_VERSION).cdx.json (and .spdx.json, .spdx)
    • scripts/sbom.am:172gen-sbom is passed --version $(PACKAGE_VERSION)

    PACKAGE_VERSION is set by AC_INIT, so it cannot be empty — the wolfprov-.spdx symptom described in the finding cannot occur.

  • Makefile.am:60 is a comment line (# … make sbom WOLFSSL_DIR=/path/to/wolfssl.), not a VERSION assignment.

Finding 2 — "pyspdxtools probe never enforced by the sbom target"

  • It is enforced before the generator runs: scripts/sbom.am:95@test -n "$(PYSPDXTOOLS)" || { echo "ERROR: 'pyspdxtools' not found (pip install spdx-tools)."; exit 1; }
  • And it is used: scripts/sbom.am:182$(PYSPDXTOOLS) --infile $(SBOM_SPDX) --outfile $(SBOM_SPDX_TV) (SPDX → tag-value).

Empirical — make sbom builds and passes on this exact SHA

The SBOM Test workflow (run https://github.com/wolfSSL/wolfProvider/actions/runs/29008558830) built the full openssl + wolfssl + wolfprovider stack from source and ran make sbom on 611ccd038. Every step passed, including:

  • Generate SBOMmake sbom ran end-to-end
  • Outputs exist and SPDX validatespyspdxtools --infile validated the generated SPDX
  • CycloneDX identity and licence — asserts a versioned purl (pkg:github/wolfSSL/wolfprovider@…) and GPL-3.0-or-later
  • Reproducible across two runs, wolfssl / openssl recorded as dependencies

If the version were empty or pyspdxtools weren't wired, those steps would fail — they pass.

Both findings are incorrect against the current head. CI is green; requesting the change-request be dismissed so this can proceed.

@aidangarske aidangarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐺 Skoll Code Review

Overall recommendation: REQUEST_CHANGES
Findings: 2 total — 2 posted, 0 skipped

Posted findings

  • [High] SBOM option capture omits configured compiler definesscripts/sbom.am:129-131
  • [Low] SBOM workflow executes mutable external gen-sbom ref.github/workflows/sbom.yml:42-47

Review generated by Skoll.

Comment thread scripts/sbom.am

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sameehj or @MarkAtwood please see feedback #410 (review)

The SBOM define capture only preprocessed with AM_CPPFLAGS/CPPFLAGS, so
build-defining options placed in AM_CFLAGS (-DWOLFPROV_DEBUG,
-DWP_HAVE_SEED_SRC, etc.) and passed via CFLAGS were omitted from the
SBOM options, understating the CRA evidence. Add $(AM_CFLAGS) $(CFLAGS)
to the -dM -E pass and add a CI step that configures --enable-debug and
asserts WOLFPROV_DEBUG appears in the generated SBOM.

Pin the sbom workflow's gen-sbom checkout to an immutable commit SHA
(head of wolfSSL/wolfssl#10343) instead of a mutable PR ref.
@MarkAtwood

Copy link
Copy Markdown
Author

On the second finding (mutable gen-sbom ref in the workflow): pinned. The Checkout wolfssl (gen-sbom source) step and the workflow_dispatch default now fetch the immutable commit SHA 0a32b47b962aa626820f3cc2af5ee32ab348924a (current head of wolfSSL/wolfssl#10343) instead of refs/pull/10343/head, so a force-push can't silently change the gen-sbom CI runs. A TODO notes this moves to the wolfssl release/master copy once #10343 merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants