feat: add make sbom / install-sbom / uninstall-sbom targets#410
feat: add make sbom / install-sbom / uninstall-sbom targets#410MarkAtwood wants to merge 4 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
Adds SBOM generation and install/uninstall targets to the autotools build so wolfProvider can emit CycloneDX 1.6 and SPDX 2.3 artifacts (via wolfSSL’s gen-sbom script), plus configure-time discovery of required tooling.
Changes:
- Add
make sbom,make install-sbom, andmake uninstall-sbomtargets that stage-install the built artifacts and generate CycloneDX/SPDX outputs. - Add
AC_CHECK_PROGchecks forpython3andpyspdxtoolsinconfigure.ac.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| Makefile.am | Adds SBOM generation and install/uninstall targets and related variables. |
| configure.ac | Adds checks for python3 and pyspdxtools availability. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # --------------------------------------------------------------------------- | ||
| # SBOM generation (CycloneDX + SPDX) via wolfssl's gen-sbom script | ||
| # --------------------------------------------------------------------------- | ||
| WOLFSSL_DIR ?= $(WOLFSSL_INSTALL_DIR) |
| WOLFSSL_DIR ?= $(WOLFSSL_INSTALL_DIR) | ||
| WOLFSSL_INCLUDEDIR ?= $(WOLFSSL_DIR)/include | ||
| PRODUCT = wolfprov | ||
| VERSION = $(shell grep LIBWOLFPROV_VERSION_STRING $(srcdir)/include/wolfprovider/version.h 2>/dev/null | sed 's/.*"\(.*\)".*/\1/') |
| @if test -z "$(PYTHON3)"; then \ | ||
| echo "ERROR: python3 not found in PATH."; exit 1; fi | ||
| $(MAKE) install DESTDIR=$(builddir)/_sbom_stage | ||
| $(PYTHON3) $(GEN_SBOM) $(SBOM_OPTS) | ||
| rm -rf $(builddir)/_sbom_stage |
Adds CycloneDX + SPDX SBOM generation via wolfssl's gen-sbom script. Usage: make sbom WOLFSSL_DIR=/path/to/wolfssl wolfProvider has no generated options.h; uses installed wolfssl's options.h. WOLFSSL_DIR defaults to WOLFSSL_INSTALL_DIR. SONAME is libwolfprov.so.0.0.0 (libtool default, no version-info set).
a93e1f6 to
8db5499
Compare
Replace the inline SBOM recipe with the shared, product-agnostic scripts/sbom.am used across the wolfSSL autotools stack. wolfProvider just declares itself (a libwolfprov shared library that links both wolfSSL and OpenSSL) and includes the fragment, gaining reproducible output, license/version pinning, SPDX validation, dependency recording (wolfssl + openssl), and an install/uninstall hook. Switch configure to AC_PATH_PROG + AC_SUBST, expand the README, and add a SBOM CI workflow. Signed-off-by: Sameeh Jubran <sameeh.j@gmail.com>
aidangarske
left a comment
There was a problem hiding this comment.
🐺 Skoll Code Review
Overall recommendation: REQUEST_CHANGES
Findings: 2 total — 2 posted, 0 skipped
Posted findings
- [High] SBOM version lookup breaks clean out-of-tree builds and overrides Automake VERSION —
Makefile.am:60-71 - [Medium] pyspdxtools probe is never enforced by the sbom target —
configure.ac:30, Makefile.am:80-83
Review generated by Skoll.
| # it is (a shared library that links both wolfSSL and OpenSSL) and includes it. | ||
| # WOLFSSL_DIR must point to a wolfssl source tree containing scripts/gen-sbom; | ||
| # it defaults to the --with-wolfssl location, which is an install prefix, so for | ||
| # `make sbom` pass a source tree: make sbom WOLFSSL_DIR=/path/to/wolfssl. |
There was a problem hiding this comment.
🟠 [High] SBOM version lookup breaks clean out-of-tree builds and overrides Automake VERSION
🚫 BLOCK bug
The PR defines VERSION by grepping $(srcdir)/include/wolfprovider/version.h, but this header is generated by configure.ac and is gitignored; a clean source tree only contains include/wolfprovider/version.h.in. In a normal VPATH/out-of-tree build, the generated header lives in the build tree, so this grep returns empty. Because VERSION is also Automake's standard package-version variable, this can produce SBOM paths like wolfprov-.spdx and can also affect other Automake rules that rely on $(VERSION). The PR introduces this by adding a new top-level VERSION = ... assignment for SBOM generation.
Recommendation: Replace the custom VERSION assignment with a separate SBOM variable based on $(PACKAGE_VERSION) or @VERSION@ before merge. For example: SBOM_VERSION =
| AC_LANG(C) | ||
|
|
||
| # Tools used by the SBOM targets (see scripts/sbom.am `make sbom`). GIT is used | ||
| # only to derive SOURCE_DATE_EPOCH for reproducible SBOM output; all three are |
There was a problem hiding this comment.
🟡 [Medium] pyspdxtools probe is never enforced by the sbom target
💡 SUGGEST bug
The PR adds AC_CHECK_PROG([PYSPDXTOOLS], [pyspdxtools], [pyspdxtools]) and the README says pyspdxtools is required, but make sbom only checks $(PYTHON3) before invoking gen-sbom. If pyspdxtools is missing, configure still succeeds and the target proceeds until the generator fails later, likely with a less actionable error. This weakens the dependency check introduced by the PR.
Recommendation: Use the PYSPDXTOOLS configure result in the sbom recipe so the documented dependency is checked before running the generator, e.g. add an @if test -z "$(PYSPDXTOOLS)"; then echo "ERROR: pyspdxtools not found in PATH. Install with: pip install spdx-tools"; exit 1; fi guard.
|
Both Skoll findings are against code that isn't in this PR (verified against the current head):
The recipe was refactored into the shared |
Detailed verification — both Skoll findings are against code that isn't in this PRChecked two ways against the reviewed head Finding 1 — "VERSION grep at
|
aidangarske
left a comment
There was a problem hiding this comment.
🐺 Skoll Code Review
Overall recommendation: REQUEST_CHANGES
Findings: 2 total — 2 posted, 0 skipped
Posted findings
- [High] SBOM option capture omits configured compiler defines —
scripts/sbom.am:129-131 - [Low] SBOM workflow executes mutable external gen-sbom ref —
.github/workflows/sbom.yml:42-47
Review generated by Skoll.
| exit 1; \ | ||
| fi; \ | ||
| echo "SBOM: hashing $$sbom_art"; \ | ||
| $(CC) -dM -E $(DEFAULT_INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ |
There was a problem hiding this comment.
🟠 [High] SBOM option capture omits configured compiler defines
🚫 BLOCK bug
The new sbom recipe claims to record the configured build options, but the preprocessor pass that writes _sbom_defines only uses $(DEFAULT_INCLUDES), $(AM_CPPFLAGS), $(CPPFLAGS), and config.h. In this repo, many actual build-defining options are placed in AM_CFLAGS by configure.ac, including -DWOLFPROV_DEBUG, -DWOLFPROV_DEBUG_SILENT, -DWP_NO_DYNAMIC_PROVIDER, -DWP_SINGLE_THREADED, -DWOLFPROV_REPLACE_DEFAULT, and -DWP_HAVE_SEED_SRC. The build scripts also pass feature defines through CFLAGS, such as -DWOLFPROV_QUICKTEST, -DWOLFPROV_REPLACE_DEFAULT_UNIT_TEST, and -DWOLFPROV_LEAVE_SILENT_MODE. As a result, a build configured with these options can produce an SBOM that omits options that materially changed the compiled artifact. This is introduced by the new SBOM target and directly undermines the CRA evidence it is adding.
Recommendation: Include the same compiler define sources used for the actual build when generating _sbom_defines (add $(AM_CFLAGS) $(CFLAGS)), and add a CI check that runs make sbom after at least one non-default configure option such as --enable-debug or --enable-seed-src and verifies the corresponding macro is present in the generated SBOM options.
There was a problem hiding this comment.
Fixed. The -dM -E defines pass now includes $(AM_CFLAGS) $(CFLAGS) in addition to $(AM_CPPFLAGS) $(CPPFLAGS), so options that configure.ac places in AM_CFLAGS (-DWOLFPROV_DEBUG, -DWP_HAVE_SEED_SRC, -DWP_NO_DYNAMIC_PROVIDER, -DWP_SINGLE_THREADED, -DWOLFPROV_DEBUG_SILENT, -DWOLFPROV_REPLACE_DEFAULT) and options passed through CFLAGS now land in the SBOM. Also added the CI step you suggested: the sbom workflow now reconfigures with --enable-debug, regenerates the SBOM, and fails unless WOLFPROV_DEBUG appears in the generated CycloneDX options. It reuses the wolfSSL/OpenSSL already built in the job and runs after the artefact upload, so the uploaded SBOM stays the default configuration.
dgarske
left a comment
There was a problem hiding this comment.
@sameehj or @MarkAtwood please see feedback #410 (review)
The SBOM define capture only preprocessed with AM_CPPFLAGS/CPPFLAGS, so build-defining options placed in AM_CFLAGS (-DWOLFPROV_DEBUG, -DWP_HAVE_SEED_SRC, etc.) and passed via CFLAGS were omitted from the SBOM options, understating the CRA evidence. Add $(AM_CFLAGS) $(CFLAGS) to the -dM -E pass and add a CI step that configures --enable-debug and asserts WOLFPROV_DEBUG appears in the generated SBOM. Pin the sbom workflow's gen-sbom checkout to an immutable commit SHA (head of wolfSSL/wolfssl#10343) instead of a mutable PR ref.
|
On the second finding (mutable gen-sbom ref in the workflow): pinned. The |
Summary
make sbom,make install-sbom, andmake uninstall-sbomtargets to wolfProvider's autotools build for EU CRA compliance evidence (CycloneDX 1.6 + SPDX 2.3 output)AC_CHECK_PROGchecks forpython3andpyspdxtoolsinconfigure.acUsage
WOLFSSL_DIRmust point to a wolfssl checkout containingscripts/gen-sbom(branchfeat/sbom-embedded, ormasteronce wolfSSL/wolfssl#10343 merges).Notes
wolfprovthroughout (matchesAC_INITandlib_LTLIBRARIES), notwolfprovideroptions.h; uses installed wolfssl'soptions.hvia$(WOLFSSL_INCLUDEDIR)/wolfssl/options.h.WOLFSSL_DIRdefaults to$(WOLFSSL_INSTALL_DIR)(set by--with-wolfssl=at configure time)libwolfprov.so.0.0.0(no-version-infoset) —--libpath uses this literal, not the package version1.1.1--with-wolfssl,WOLFSSL_INSTALL_DIRmay be malformed; passWOLFSSL_DIR=explicitly in that case