Skip to content

feat: add make sbom target#557

Open
MarkAtwood wants to merge 7 commits into
wolfSSL:masterfrom
MarkAtwood:feat/add-sbom-make-target
Open

feat: add make sbom target#557
MarkAtwood wants to merge 7 commits into
wolfSSL:masterfrom
MarkAtwood:feat/add-sbom-make-target

Conversation

@MarkAtwood

@MarkAtwood MarkAtwood commented Jun 23, 2026

Copy link
Copy Markdown

Summary

Adds make sbom, make install-sbom, and make uninstall-sbom targets to the autotools build.

  • Stages a temporary install to extract the built .so for hashing
  • Passes the generated wolfmqtt/options.h to gen-sbom for the options snapshot (both build systems feed the same file)
  • Calls gen-sbom (from wolfssl scripts/gen-sbom) to produce CycloneDX and SPDX outputs
  • Validates SPDX with pyspdxtools

Usage

```sh
./configure --with-wolfssl=/path/to/wolfssl/install
make
make sbom WOLFSSL_DIR=/path/to/wolfssl/source
```

Outputs: wolfmqtt-<version>.cdx.json, wolfmqtt-<version>.spdx.json, wolfmqtt-<version>.spdx

Requirements

  • WOLFSSL_DIR must point to a wolfssl source tree containing scripts/gen-sbom (available on the feat/sbom-embedded branch of wolfssl)
  • python3 and pip install spdx-tools on the build host

Test plan

  • ./configure --with-wolfssl=... && make && make sbom WOLFSSL_DIR=...
  • Verify three output files are produced
  • pyspdxtools --infile wolfmqtt-*.spdx.json passes validation

CMake support

The same SBOM workflow is available for cmake builds via a sbom custom target.

cmake -B build -DWOLFSSL_DIR=/path/to/wolfssl/source .
cmake --build build
cmake --build build --target sbom

The cmake target mirrors the autotools one:

  • Version is read from wolfmqtt/version.h (not project(VERSION)) so both build systems emit the same version.
  • Stages a cmake --install to hash the installed libwolfmqtt.so.
  • Passes the generated options.h to gen-sbom directly (same input as the autotools path).
  • Validates SPDX with pyspdxtools.
  • WOLFSSL_DIR, python3, and pyspdxtools are checked at configure time (fatal error if missing) so problems surface before building.

Outputs (in the build directory): wolfmqtt-<version>.cdx.json, wolfmqtt-<version>.spdx.json, wolfmqtt-<version>.spdx

Add top-level AGENTS.md with project overview, build quick start,
and contribution rules. Detailed platform build guides in AI/ for
Linux/macOS, Windows, and embedded targets.

Update .gitignore to ignore common AI tool local files.
Adds sbom, install-sbom, and uninstall-sbom targets.
Runs gen-sbom to produce CDX and SPDX outputs.
Requires WOLFSSL_DIR pointing to a wolfssl tree with
the feat/sbom-embedded branch (includes gen-sbom).
@MarkAtwood MarkAtwood requested review from Copilot and sameehj June 23, 2026 01:39

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

Adds new autotools make sbom workflow to generate and install SBOM artifacts (CycloneDX + SPDX) for CRA compliance, plus updates repo guidance/docs.

Changes:

  • Add SBOM-related make sbom, make install-sbom, make uninstall-sbom targets (staging install, calling gen-sbom, validating SPDX).
  • Extend configure.ac to expose libtool version components and discover SBOM tooling (python3, pyspdxtools, git).
  • Add/update contributor and build documentation under AI/, plus refresh AGENTS.md and ignore common AI tool local files.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
configure.ac Exposes version components + finds SBOM tool executables for substitution into make rules
Makefile.am Implements SBOM generation/validation and install/uninstall targets
AI/contributing.md New contribution guidelines (workflow, CI rules, testing)
AI/build-windows.md New Windows build guide
AI/build-linux.md New Linux/macOS build guide
AI/build-embedded.md New embedded/RTOS build guide
AGENTS.md Replaces prior agent guidance with repo overview + links to new docs
.gitignore Ignores common AI-tool local configuration directories/files

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Makefile.am Outdated
Comment thread configure.ac Outdated
Comment thread Makefile.am Outdated
Comment thread Makefile.am Outdated
Comment thread Makefile.am Outdated
Comment thread Makefile.am Outdated
@embhorn embhorn assigned embhorn and unassigned wolfSSL-Bot Jul 7, 2026
@embhorn embhorn self-requested a review July 7, 2026 21:51
@embhorn

embhorn commented Jul 7, 2026

Copy link
Copy Markdown
Member

Hi @MarkAtwood - Please address the Copilot feedback first

Replace the inline SBOM recipe with the shared, product-agnostic
scripts/sbom.am used across the wolfSSL autotools stack. wolfMQTT
declares what it is (a libwolfmqtt library that links wolfSSL for TLS)
and includes the fragment, gaining reproducible output, license/version
pinning, broader artifact discovery, wolfSSL dependency recording, and
an install/uninstall hook. Because wolfMQTT keeps its feature macros in
its own generated wolfmqtt/options.h (no config.h defines), the fragment
gains an optional SBOM_OPTIONS_H so gen-sbom reads that header. Tidy
configure.ac and add a SBOM CI workflow.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>

@embhorn embhorn left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll Code Review

Scan type: review
Overall recommendation: REQUEST_CHANGES
Findings: 8 total — 8 posted, 0 skipped
8 finding(s) posted as inline comments (see file-level comments below)

Posted findings

  • [High] CMake sbom target uses shell redirection > which does not work in add_custom_target COMMAND (VERBATIM)CMakeLists.txt:516-517
  • [Medium] CMake sbom target uses cmake -E rm which requires CMake 3.17 but project minimum is 3.16CMakeLists.txt:535-536
  • [Medium] CMake sbom target hardcodes libwolfmqtt.so, breaking static / macOS / Windows buildsCMakeLists.txt:525
  • [Medium] New Linux build doc recommends non-existent autotools flags --with-wolfssl / --with-wolfssl-treeAI/build-linux.md:46-49
  • [Medium] AGENTS.md states GPLv2, contradicting the GPLv3-or-later licensing used everywhere else (including this PR)AGENTS.md:5
  • [Medium] New CMake sbom target has no CI coverage.github/workflows/sbom.yml:88-163
  • [Low] CMake and autotools feed different inputs to gen-sbom --options-h, undercutting the 'byte-comparable SBOM' claimCMakeLists.txt:502-517
  • [Low] pull_request branches filter '*' misses slash-containing base branches.github/workflows/sbom.yml:6-7

Review generated by Skoll

Comment thread CMakeLists.txt Outdated
Comment thread CMakeLists.txt Outdated
Comment thread CMakeLists.txt Outdated
Comment thread AI/build-linux.md Outdated
Comment thread AGENTS.md Outdated
Comment thread .github/workflows/sbom.yml
Comment thread CMakeLists.txt Outdated
Comment thread .github/workflows/sbom.yml

@embhorn embhorn left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @MarkAtwood

Very cool! I was able to generate the SBOM files.

Please review the skoll comments and then it should be ready.

## Document Information
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: wolfmqtt-2.0.0
DocumentNamespace: urn:uuid:d3437452-0edc-5202-a2e4-3089e486b663

## Creation Information
Creator: Organization: wolfSSL Inc.
Creator: Tool: wolfssl-sbom-gen-1.2
Created: 2026-07-10T10:15:17Z

## Package Information
PackageName: wolfmqtt
SPDXID: SPDXRef-Package-wolfmqtt
PackageVersion: 2.0.0
PackageSupplier: Organization: wolfSSL Inc.
PackageDownloadLocation: https://github.com/wolfSSL/wolfmqtt
FilesAnalyzed: false
PackageChecksum: SHA256: d6a8b093aba36f2e1abb6c2ed429df9ed113e4dea493ac21764ccfb99ad9d4ef
PackageLicenseConcluded: GPL-3.0-or-later
PackageLicenseDeclared: GPL-3.0-or-later
PackageCopyrightText: Copyright (C) 2006-2026 wolfSSL Inc.
PackageComment: Build configuration defines: ENABLE_MQTT_TLS, SIZEOF_LONG, WOLFMQTT_BROKER, WOLFMQTT_DISCONNECT_CB, WOLFMQTT_MAX_QOS, WOLFMQTT_PROPERTY_CB, WOLFMQTT_V5
ExternalRef: SECURITY cpe23Type cpe:2.3:a:wolfssl:wolfmqtt:2.0.0:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:github/wolfSSL/wolfmqtt@v2.0.0
ExternalRef: SECURITY advisory https://github.com/wolfSSL/wolfmqtt/security/advisories

## Package Information
PackageName: wolfssl
SPDXID: SPDXRef-Package-wolfssl
PackageVersion: 5.9.2
PackageSupplier: Organization: wolfSSL Inc.
PackageDownloadLocation: https://github.com/wolfSSL/wolfssl
FilesAnalyzed: false
PackageLicenseConcluded: GPL-3.0-only
PackageLicenseDeclared: GPL-3.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:github/wolfSSL/wolfssl@v5.9.2

## Relationships
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-wolfmqtt
Relationship: SPDXRef-Package-wolfmqtt DEPENDS_ON SPDXRef-Package-wolfssl

## Annotations
Annotator: Tool: wolfssl-sbom-gen-1.2
AnnotationDate: 2026-07-10T10:15:17Z
AnnotationType: OTHER
SPDXREF: SPDXRef-Package-wolfmqtt
AnnotationComment: wolfssl:sbom:hash-kind=library-binary

Annotator: Tool: wolfssl-sbom-gen-1.2
AnnotationDate: 2026-07-10T10:15:17Z
AnnotationType: OTHER
SPDXREF: SPDXRef-Package-wolfmqtt
AnnotationComment: wolfssl:sbom:hash-source=lib

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants