feat: add make sbom target#1050
Conversation
Adds sbom, install-sbom, and uninstall-sbom targets. Runs gen-sbom to produce CDX and SPDX outputs. Requires WOLFSSL_DIR pointing to a wolfssl tree with the feat/sbom-embedded branch (includes gen-sbom).
There was a problem hiding this comment.
Pull request overview
Adds SBOM generation and install/uninstall targets to the autotools build, intended to produce CycloneDX + SPDX outputs and validate SPDX on the build host.
Changes:
- Add
make sbom,make install-sbom, andmake uninstall-sbomtargets plus related variables/cleanup inMakefile.am. - Extend
configure.acto discoverpython3/pyspdxtoolsand to break out libtool version-info components into separate substituted variables.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| Makefile.am | Adds SBOM generation/validation targets and output staging/cleanup rules. |
| configure.ac | Adds tool discovery for SBOM prerequisites and refactors libtool version-info variables. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Include AM_CPPFLAGS and config.h in the options snapshot so the configured feature set (WOLFSSH_SCP/SFTP/NO_WOLFSSH_SERVER/...) appears in the SBOM instead of being empty. - Discover static (.a), Mach-O (.dylib) and Windows (.dll/.lib) artifacts, not just a versioned .so. - Set SOURCE_DATE_EPOCH from the last git commit for reproducible output. - Clean staging tree and temp defines file via trap even on failure. - Record wolfssl as an SBOM dependency (--dep-wolfssl), version auto-detected from WOLFSSL_DIR/wolfssl/version.h. - configure.ac: detect git; drop unused version-info split + comment. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
There was a problem hiding this comment.
Tested make sbom end-to-end on macOS (--enable-all, gen-sbom from wolfssl feat/sbom-embedded, spdx-tools + pcpp installed): exits 0, all three outputs produced, the Mach-O .dylib discovery branch fires, the trap cleans up the staging tree and temp defines file, the configured feature macros (WOLFSSH_SFTP/SCP/CERTS/AGENT/SSHD, NO_INLINE, NDEBUG) now appear in the SBOM, and pyspdxtools re-validation passes clean. Two follow-ups below, none blocking.
Default SBOM_LICENSE_OVERRIDE to GPL-3.0-only so the SBOM records the correct license instead of NOASSERTION, and point the --dep-wolfssl note at wolfSSL/wolfssl#10343. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Move the make sbom / install-sbom / uninstall-sbom recipe out of Makefile.am into a reusable scripts/sbom.am fragment; Makefile.am now just declares the product facts (name, LICENSING, wolfssl dependency, GPL-3.0-only default) and includes it. Add a GitHub Actions workflow covering both SBOM paths: - autotools: build wolfSSL + wolfSSH, run make sbom, assert SPDX validity, CycloneDX identity, reproducibility, and the wolfssl dependency edge. - embedded: run gen-sbom against user_settings.h (via pcpp) + the wolfSSH source set, asserting the same identity/validity/reproducibility plus that user_settings.h options and the wolfssl dependency are captured. Both gracefully skip on a gen-sbom that predates the wolfSSL SBOM change. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Guard the SBOM_GEN wolfSSL fallback with $(if $(WOLFSSL_DIR),...) so an unset WOLFSSL_DIR leaves it empty (yielding the intended "set WOLFSSL_DIR" error) instead of resolving to an absolute /scripts/gen-sbom that could run an unrelated host script. Reword the fragment header to describe the actual gen-sbom resolution (vendored copy if present, else WOLFSSL_DIR) rather than claiming offline tarball builds that aren't wired up yet. Condition the README's wolfSSL-dependency statement on a sufficiently new gen-sbom to match the existing degradation note. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
aidangarske
left a comment
There was a problem hiding this comment.
🐺 Skoll Code Review
Overall recommendation: REQUEST_CHANGES
Findings: 2 total — 2 posted, 0 skipped
Posted findings
- [High] Default SBOM license contradicts source license headers —
Makefile.am:98 - [Medium] SBOM workflow can pass without exercising the new target —
.github/workflows/sbom.yml:64-79
Review generated by Skoll.
Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
jackctj117
left a comment
There was a problem hiding this comment.
Skoll Multi-Scan Review
Modes: reviewOverall recommendation: COMMENT
Findings: 5 total — 5 posted, 0 skipped
4 finding(s) posted as inline comments (see file-level comments below)
1 finding(s) not tied to a diff line (full detail below)
One or more scans did not complete — the results below are partial.
Posted findings
- [Medium] [review] CI workflow pins wolfSSL to an unmerged PR ref for all events, including every pull_request —
.github/workflows/sbom.yml:3-13, 41-46 - [Low] [review] wolfssl version.h parse uses [ \t] which does not match a literal tab —
scripts/sbom.am:144-145 - [Low] [review] sbomdir hardcodes
$(datadir)/doc/$ (PACKAGE) instead of using $(docdir) —scripts/sbom.am:55 - [Low] [review] uninstall-hook removes SBOM files that plain make install never installs —
scripts/sbom.am:185-196
Findings not tied to a diff line
SBOM targets silently require GNU make; ?= and GNU-only make functions are undocumented
File: scripts/sbom.am:46-63, Makefile.am:98
Function: sbom
Severity: Medium
Category: question
The fragment relies on GNU make extensions: conditional assignment ?= (SBOM_ARTIFACT ?= lib, SBOM_LICENSE_OVERRIDE ?= GPL-3.0-or-later) and the GNU-only functions $(wildcard ...), $(if ...), $(firstword ...), and $(addprefix ...). ?= is not one of Automake's documented assignment operators (=, +=, :=); confirm autoreconf accepts it without error. Note CI only runs autoreconf/configure on the wolfSSH tree when gen-sbom is detected (the steps.gate.outputs.have == 'yes' gate), so a hard Automake failure would only surface when CI checks out a wolfssl ref carrying the script. Under a non-GNU make (e.g. BSD make), SBOM_GEN/SBOM_LIB_GLOBS evaluate to empty and make sbom fails with a misleading 'gen-sbom not found' / 'no artifact found' error rather than a clear 'GNU make required' message.
Recommendation: Confirm autoreconf accepts ?= on the toolchain versions you support, and document in the README/comment that the SBOM targets require GNU make. Optionally guard with a clearer error when GNU-make features are unavailable.
Referenced code: scripts/sbom.am:46-63, Makefile.am:98-100 (3 lines)
Review generated by Skoll
Sync the vendored fragment with the canonical wolfSSL copy: add $(AM_CFLAGS) $(CFLAGS) to the -dM -E build-options capture and make the config header path overridable via SBOM_CONFIG_H (default config.h) so the SBOM records the configured feature macros. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Re-sync scripts/sbom.am with the canonical wolfSSL copy ($(docdir) sbomdir, [[:space:]] version parse, GNU-make and uninstall-sbom docs) and widen the SBOM workflow pull_request filter to '**'. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
ejohnstown
left a comment
There was a problem hiding this comment.
I guess my only issue is this PR depends on wolfSSL's PR 10343 to be merged first. The GitHub Action works without the PR merged, so that's OK. But someone may see the note about the make sbom and it not work if wolfSSH is released with this without the wolfSSL merge.
Summary
Adds
make sbom,make install-sbom, andmake uninstall-sbomtargets to the autotools build..sofor hashingcc -dM -Efor the options snapshotgen-sbom(from wolfsslscripts/gen-sbom) to produce CycloneDX and SPDX outputspyspdxtoolsUsage
```sh
./configure --with-wolfssl=/path/to/wolfssl/install
make
make sbom WOLFSSL_DIR=/path/to/wolfssl/source
```
Outputs:
wolfssh-<version>.cdx.json,wolfssh-<version>.spdx.json,wolfssh-<version>.spdxRequirements
WOLFSSL_DIRmust point to a wolfssl source tree containingscripts/gen-sbom(available on thefeat/sbom-embeddedbranch of wolfssl)python3andpip install spdx-toolson the build hostTest plan
./configure --with-wolfssl=... && make && make sbom WOLFSSL_DIR=...pyspdxtools --infile wolfssh-*.spdx.jsonpasses validation