Skip to content

feat: add sbom Makefile target#414

Open
MarkAtwood wants to merge 2 commits into
wolfSSL:mainfrom
MarkAtwood:feat/add-sbom-make-target
Open

feat: add sbom Makefile target#414
MarkAtwood wants to merge 2 commits into
wolfSSL:mainfrom
MarkAtwood:feat/add-sbom-make-target

Conversation

@MarkAtwood

@MarkAtwood MarkAtwood commented Jun 23, 2026

Copy link
Copy Markdown

Important

Blocked on wolfSSL/wolfssl#10343scripts/gen-sbom has not merged to wolfssl master yet. Do not merge this PR before #10343 lands. Until then the target fails with a clear error pointing at the missing script.

Summary

Adds make sbom, make install-sbom and make uninstall-sbom targets that produce CycloneDX and SPDX SBOM files for wolfHSM, at parity with the canonical scripts/sbom.am fragment and wolfTPM's CMake target.

  • Parses version from ChangeLog.md (e.g., # wolfHSM Release v1.4.0)
  • Enumerates sources from src/*.c (sorted for reproducible output)
  • Artifact hashing is done by gen-sbom --srcs (OmniBOR gitoid over the source list). --srcs was chosen over --lib deliberately: wolfHSM ships as source into embedded builds, so there is no canonical installed library to hash
  • Records the effective build configuration by preprocessing wolfhsm/wh_settings.h with the same defines/include path as the test build (WOLFHSM_CFG_DIR selects the config; point it at your port's wolfhsm_cfg.h/user_settings.h)
  • Lists wolfssl as a dependency component, version read from WOLFSSL_DIR; SBOM_DEP_WOLFSSL=no for WOLFHSM_CFG_NO_CRYPTO builds
  • Validates the SPDX output with pyspdxtools and converts it to tag-value; SBOM_VALIDATE=no skips both
  • Honors SOURCE_DATE_EPOCH (defaults to last git commit time) — repeated runs are byte-identical
  • install-sbom places files under $(PREFIX)/share/doc/wolfhsm (opt-in; plain make/make install never touches SBOM files)
  • No build system changes — pure Makefile target

Usage

make sbom WOLFSSL_DIR=/path/to/wolfssl/source
make install-sbom WOLFSSL_DIR=... [PREFIX=/usr/local] [DESTDIR=...]

Outputs: wolfhsm-<version>.cdx.json, wolfhsm-<version>.spdx.json, wolfhsm-<version>.spdx (tag-value)

Requirements

Test plan

  • make sbom WOLFSSL_DIR=... — CDX/SPDX/tag-value produced, correct version and source count
  • Config macros recorded (33 WOLFHSM_CFG_*/wolfSSL options with the default test config)
  • wolfssl dependency component present with correct version; absent with SBOM_DEP_WOLFSSL=no
  • Reproducibility: two consecutive runs byte-identical
  • SBOM_VALIDATE=no skips validation/tag-value; missing pyspdxtools fails with a clear error otherwise
  • install-sbom/uninstall-sbom round-trip under DESTDIR
  • make -n clean does not shell out (GNU make 3.81 parse regression check)

@MarkAtwood MarkAtwood requested review from Copilot and sameehj June 23, 2026 01:39

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

Adds a make sbom target to generate CycloneDX and SPDX SBOM artifacts for wolfHSM using wolfSSL’s scripts/gen-sbom.

Changes:

  • Introduces an sbom Makefile target with checks for version parsing and WOLFSSL_DIR.
  • Gathers sources from src/*.c and passes compiler defines + metadata into gen-sbom.
  • Emits versioned wolfhsm-<version>.cdx.json and wolfhsm-<version>.spdx.json outputs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Makefile Outdated
Comment thread Makefile Outdated
Comment thread Makefile
Comment thread Makefile Outdated
Comment thread Makefile Outdated

@bigbrett bigbrett left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Running make sbom WOLFSSL_DIR=../wolfssl against the latest wolfSSL master I get the following error:

ERROR: ../wolfssl/scripts/gen-sbom not found.                                                                                                                                                 
       Use a wolfSSL tree that includes SBOM support.                                                                                                                                         
make: *** [Makefile:73: sbom] Error 1                       

Did this not merge into wolfSSL master yet? If so it shouldn't merge into wolfHSM.

Comment thread README.md Outdated
@bigbrett bigbrett assigned MarkAtwood and unassigned wolfSSL-Bot Jul 7, 2026
@jackctj117 jackctj117 self-requested a review July 10, 2026 16:42

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jackctj117 jackctj117 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll Multi-Scan Review

Modes: review + review-securityOverall recommendation: COMMENT
Findings: 5 total — 5 posted, 0 skipped
5 finding(s) posted as inline comments (see file-level comments below)

Posted findings

  • [Medium] [review] Default WOLFSSL_DIR is off by one level for the top-level MakefileMakefile:62
  • [Medium] [review+review-security] gen-sbom --options-h receives only compiler builtin macros, not wolfHSM/wolfSSL configMakefile:87-99
  • [Low] [review+review-security] VERSION shell-out runs on every make invocation, not just sbomMakefile:63
  • [Low] [review+review-security] Temp file uses hardcoded /tmp prefix, ignoring $TMPDIRMakefile:87
  • [Low] [review+review-security] README manual invocation diverges from the Makefile sbom targetREADME.md:37-44

Review generated by Skoll

Comment thread Makefile Outdated
Comment thread Makefile Outdated
Comment thread Makefile Outdated
Comment thread Makefile Outdated
Comment thread README.md
Comment thread Makefile Outdated
@MarkAtwood

Copy link
Copy Markdown
Author

@bigbrett Correct — gen-sbom hasn't merged to wolfssl master. It's in wolfssl PR wolfSSL/wolfssl#10343, which is still open, so no wolfssl release or master checkout has scripts/gen-sbom yet. The target can't create that file; what it can do is fail clearly. I updated the error to name the dependency and point you at setting WOLFSSL_DIR to a tree that has the script, and the README says the same. So the wolfHSM side is ready to use the moment #10343 lands; it just no-ops with a clear message until then. I did not vendor a copy of gen-sbom into wolfHSM. If you'd rather hold this PR until #10343 merges, flag it and I'll mark it blocked.

@MarkAtwood MarkAtwood force-pushed the feat/add-sbom-make-target branch from 4cef60f to d03b224 Compare July 14, 2026 22:42
@MarkAtwood

Copy link
Copy Markdown
Author

Force-pushed a cleanup: this branch was cut from a stale shallow base, which made ~7,800 lines of already-merged main content (armv8m-tz, hwkeystore, test files) appear as PR additions. Rebased onto current main; the PR now contains only the SBOM change: +133 in Makefile and README.

Verified on the rebased head: make sbom WOLFSSL_DIR=<wolfssl> WOLFHSM_CFG_DIR=test/config generates both artifacts (wolfhsm-1.4.0.cdx.json, wolfhsm-1.4.0.spdx.json) against wolfSSL PR #10343's gen-sbom.

@bigbrett @dgarske ready for re-review; your earlier comments on the unrelated files are moot.

@MarkAtwood MarkAtwood requested review from bigbrett and dgarske July 14, 2026 22:52
@MarkAtwood

Copy link
Copy Markdown
Author

Resolved the July 10 review threads: every fix discussed in them is carried in the rebuilt branch (d03b224 contains the cumulative Makefile/README state, verified end-to-end with make sbom). The conversation history references pre-rebuild commit ids; the content is all here.

@sameehj

sameehj commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

@MarkAtwood

direction is right, but the target should reuse gen-sbom the way the rest of the family does

Thanks Mark. The overall approach — a dedicated make sbom target that calls wolfSSL's gen-sbom — is the correct call for wolfHSM, since wolfHSM is a hand-written Makefile and can't include scripts/sbom.am like the autotools repos (wolfMQTT, wolfProvider, wolfCLU, wolfEngine, wolfssh, wolfscep). We already have a precedent for a non-automake reimplementation: wolfTPM's CMake sbom target, which was explicitly brought to parity with the canonical scripts/sbom.am. That's the bar this PR should hit.

Right now #414 diverges from the canonical generator in a few ways, which is what the review threads are circling:

It rolls its own source hash (SHA-256 fingerprint of src/*.c) instead of using gen-sbom's own input. gen-sbom already supports --lib (hash the built library from a staged install) and --srcs/--srcs-file (OmniBOR gitoid for embedded/source builds). Using a private hash means the wolfHSM SBOM checksum isn't comparable to the other products and doesn't describe the shipped artifact. Please pick --lib or --srcs deliberately and note which in the PR.

--options-h only receives compiler builtins, not wolfHSM/wolfSSL config macros (jackctj117's finding). The point of --options-h is to record the configured feature macros, so this needs the real CC -dM -E dump with wolfHSM's actual CPPFLAGS/CFLAGS + config header.

Missing parity items the fragment/CMake target have: install-sbom / uninstall-sbom, SOURCE_DATE_EPOCH for reproducible output, and the SPDX validation / tag-value step.

Sequencing: as bigbrett and dgarske noted, gen-sbom is still on wolfSSL PR #10343 and hasn't merged to master. The clear-error no-op behavior is fine, but this PR shouldn't merge before #10343 lands — let's mark it blocked-on that.

Net: keep the bespoke-Makefile approach, but rework it to parity with wolfTPM's target (drive everything through gen-sbom, capture real macros, add the install/reproducibility bits), and gate the merge on #10343. Happy to pair on the diff.

- Validate SPDX with pyspdxtools and emit tag-value wolfhsm-<ver>.spdx;
  SBOM_VALIDATE=no skips both
- Honor SOURCE_DATE_EPOCH, defaulting to last git commit time, so
  repeated runs are byte-identical
- Add opt-in install-sbom / uninstall-sbom under
  $(PREFIX)/share/doc/wolfhsm
- List wolfssl as a dependency component with version read from
  WOLFSSL_DIR; SBOM_DEP_WOLFSSL=no for WOLFHSM_CFG_NO_CRYPTO builds
@MarkAtwood

Copy link
Copy Markdown
Author

@sameehj parity items are in as of 073f4eb:

  • SPDX validation + tag-value: pyspdxtools validates the SPDX output and emits wolfhsm-<ver>.spdx. SBOM_VALIDATE=no skips both (same gate name #10343 is growing for the Gentoo case).
  • SOURCE_DATE_EPOCH: honored, defaults to last git commit time. Verified two consecutive runs produce byte-identical output.
  • install-sbom / uninstall-sbom: opt-in, $(PREFIX)/share/doc/wolfhsm (PREFIX=/usr/local default, DESTDIR honored). No uninstall-hook chaining because the root Makefile has no install/uninstall targets to hook.
  • Dependency component: the SBOM now lists wolfssl with the version read from WOLFSSL_DIR (--dep-wolfssl); SBOM_DEP_WOLFSSL=no for WOLFHSM_CFG_NO_CRYPTO builds.

On the artifact hash: the July 14 rebuild already dropped the private fingerprint — hashing goes through gen-sbom --srcs (sorted src/*.c, OmniBOR gitoid). That over --lib is deliberate: wolfHSM ships as source into embedded builds, so there is no canonical installed library to hash. Now stated in the PR description.

Config macros: also in since the rebuild — the recipe preprocesses wolfhsm/wh_settings.h with the same defines/include path as the test build, so the SBOM records effective WOLFHSM_CFG_* + wolfSSL options (33 config macros with the default test config), not compiler builtins.

Sequencing: agreed. Marked blocked on wolfSSL/wolfssl#10343 at the top of the description — @bigbrett that also answers your question: gen-sbom is still on that PR, this one must not merge before it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants