feat: add make sbom target#557
Conversation
Add top-level AGENTS.md with project overview, build quick start, and contribution rules. Detailed platform build guides in AI/ for Linux/macOS, Windows, and embedded targets. Update .gitignore to ignore common AI tool local files.
Adds sbom, install-sbom, and uninstall-sbom targets. Runs gen-sbom to produce CDX and SPDX outputs. Requires WOLFSSL_DIR pointing to a wolfssl tree with the feat/sbom-embedded branch (includes gen-sbom).
There was a problem hiding this comment.
Pull request overview
Note
Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.
Adds new autotools make sbom workflow to generate and install SBOM artifacts (CycloneDX + SPDX) for CRA compliance, plus updates repo guidance/docs.
Changes:
- Add SBOM-related
make sbom,make install-sbom,make uninstall-sbomtargets (staging install, callinggen-sbom, validating SPDX). - Extend
configure.acto expose libtool version components and discover SBOM tooling (python3,pyspdxtools,git). - Add/update contributor and build documentation under
AI/, plus refreshAGENTS.mdand ignore common AI tool local files.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| configure.ac | Exposes version components + finds SBOM tool executables for substitution into make rules |
| Makefile.am | Implements SBOM generation/validation and install/uninstall targets |
| AI/contributing.md | New contribution guidelines (workflow, CI rules, testing) |
| AI/build-windows.md | New Windows build guide |
| AI/build-linux.md | New Linux/macOS build guide |
| AI/build-embedded.md | New embedded/RTOS build guide |
| AGENTS.md | Replaces prior agent guidance with repo overview + links to new docs |
| .gitignore | Ignores common AI-tool local configuration directories/files |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Hi @MarkAtwood - Please address the Copilot feedback first |
Replace the inline SBOM recipe with the shared, product-agnostic scripts/sbom.am used across the wolfSSL autotools stack. wolfMQTT declares what it is (a libwolfmqtt library that links wolfSSL for TLS) and includes the fragment, gaining reproducible output, license/version pinning, broader artifact discovery, wolfSSL dependency recording, and an install/uninstall hook. Because wolfMQTT keeps its feature macros in its own generated wolfmqtt/options.h (no config.h defines), the fragment gains an optional SBOM_OPTIONS_H so gen-sbom reads that header. Tidy configure.ac and add a SBOM CI workflow. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
embhorn
left a comment
There was a problem hiding this comment.
Skoll Code Review
Scan type: review
Overall recommendation: REQUEST_CHANGES
Findings: 8 total — 8 posted, 0 skipped
8 finding(s) posted as inline comments (see file-level comments below)
Posted findings
- [High] CMake sbom target uses shell redirection
>which does not work in add_custom_target COMMAND (VERBATIM) —CMakeLists.txt:516-517 - [Medium] CMake sbom target uses
cmake -E rmwhich requires CMake 3.17 but project minimum is 3.16 —CMakeLists.txt:535-536 - [Medium] CMake sbom target hardcodes libwolfmqtt.so, breaking static / macOS / Windows builds —
CMakeLists.txt:525 - [Medium] New Linux build doc recommends non-existent autotools flags --with-wolfssl / --with-wolfssl-tree —
AI/build-linux.md:46-49 - [Medium] AGENTS.md states GPLv2, contradicting the GPLv3-or-later licensing used everywhere else (including this PR) —
AGENTS.md:5 - [Medium] New CMake sbom target has no CI coverage —
.github/workflows/sbom.yml:88-163 - [Low] CMake and autotools feed different inputs to gen-sbom --options-h, undercutting the 'byte-comparable SBOM' claim —
CMakeLists.txt:502-517 - [Low] pull_request branches filter
'*'misses slash-containing base branches —.github/workflows/sbom.yml:6-7
Review generated by Skoll
embhorn
left a comment
There was a problem hiding this comment.
Hi @MarkAtwood
Very cool! I was able to generate the SBOM files.
Please review the skoll comments and then it should be ready.
## Document Information
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: wolfmqtt-2.0.0
DocumentNamespace: urn:uuid:d3437452-0edc-5202-a2e4-3089e486b663
## Creation Information
Creator: Organization: wolfSSL Inc.
Creator: Tool: wolfssl-sbom-gen-1.2
Created: 2026-07-10T10:15:17Z
## Package Information
PackageName: wolfmqtt
SPDXID: SPDXRef-Package-wolfmqtt
PackageVersion: 2.0.0
PackageSupplier: Organization: wolfSSL Inc.
PackageDownloadLocation: https://github.com/wolfSSL/wolfmqtt
FilesAnalyzed: false
PackageChecksum: SHA256: d6a8b093aba36f2e1abb6c2ed429df9ed113e4dea493ac21764ccfb99ad9d4ef
PackageLicenseConcluded: GPL-3.0-or-later
PackageLicenseDeclared: GPL-3.0-or-later
PackageCopyrightText: Copyright (C) 2006-2026 wolfSSL Inc.
PackageComment: Build configuration defines: ENABLE_MQTT_TLS, SIZEOF_LONG, WOLFMQTT_BROKER, WOLFMQTT_DISCONNECT_CB, WOLFMQTT_MAX_QOS, WOLFMQTT_PROPERTY_CB, WOLFMQTT_V5
ExternalRef: SECURITY cpe23Type cpe:2.3:a:wolfssl:wolfmqtt:2.0.0:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:github/wolfSSL/wolfmqtt@v2.0.0
ExternalRef: SECURITY advisory https://github.com/wolfSSL/wolfmqtt/security/advisories
## Package Information
PackageName: wolfssl
SPDXID: SPDXRef-Package-wolfssl
PackageVersion: 5.9.2
PackageSupplier: Organization: wolfSSL Inc.
PackageDownloadLocation: https://github.com/wolfSSL/wolfssl
FilesAnalyzed: false
PackageLicenseConcluded: GPL-3.0-only
PackageLicenseDeclared: GPL-3.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:github/wolfSSL/wolfssl@v5.9.2
## Relationships
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-wolfmqtt
Relationship: SPDXRef-Package-wolfmqtt DEPENDS_ON SPDXRef-Package-wolfssl
## Annotations
Annotator: Tool: wolfssl-sbom-gen-1.2
AnnotationDate: 2026-07-10T10:15:17Z
AnnotationType: OTHER
SPDXREF: SPDXRef-Package-wolfmqtt
AnnotationComment: wolfssl:sbom:hash-kind=library-binary
Annotator: Tool: wolfssl-sbom-gen-1.2
AnnotationDate: 2026-07-10T10:15:17Z
AnnotationType: OTHER
SPDXREF: SPDXRef-Package-wolfmqtt
AnnotationComment: wolfssl:sbom:hash-source=lib
Summary
Adds
make sbom,make install-sbom, andmake uninstall-sbomtargets to the autotools build..sofor hashingwolfmqtt/options.hto gen-sbom for the options snapshot (both build systems feed the same file)gen-sbom(from wolfsslscripts/gen-sbom) to produce CycloneDX and SPDX outputspyspdxtoolsUsage
```sh
./configure --with-wolfssl=/path/to/wolfssl/install
make
make sbom WOLFSSL_DIR=/path/to/wolfssl/source
```
Outputs:
wolfmqtt-<version>.cdx.json,wolfmqtt-<version>.spdx.json,wolfmqtt-<version>.spdxRequirements
WOLFSSL_DIRmust point to a wolfssl source tree containingscripts/gen-sbom(available on thefeat/sbom-embeddedbranch of wolfssl)python3andpip install spdx-toolson the build hostTest plan
./configure --with-wolfssl=... && make && make sbom WOLFSSL_DIR=...pyspdxtools --infile wolfmqtt-*.spdx.jsonpasses validationCMake support
The same SBOM workflow is available for cmake builds via a
sbomcustom target.cmake -B build -DWOLFSSL_DIR=/path/to/wolfssl/source . cmake --build build cmake --build build --target sbomThe cmake target mirrors the autotools one:
wolfmqtt/version.h(notproject(VERSION)) so both build systems emit the same version.cmake --installto hash the installedlibwolfmqtt.so.options.hto gen-sbom directly (same input as the autotools path).pyspdxtools.WOLFSSL_DIR,python3, andpyspdxtoolsare checked at configure time (fatal error if missing) so problems surface before building.Outputs (in the build directory):
wolfmqtt-<version>.cdx.json,wolfmqtt-<version>.spdx.json,wolfmqtt-<version>.spdx