Skip to content

feat: add make sbom / install-sbom / uninstall-sbom targets#410

Open
MarkAtwood wants to merge 4 commits into
wolfSSL:masterfrom
MarkAtwood:feat/add-make-sbom
Open

feat: add make sbom / install-sbom / uninstall-sbom targets#410
MarkAtwood wants to merge 4 commits into
wolfSSL:masterfrom
MarkAtwood:feat/add-make-sbom

Conversation

@MarkAtwood

Copy link
Copy Markdown

Summary

  • Adds make sbom, make install-sbom, and make uninstall-sbom targets to wolfProvider's autotools build for EU CRA compliance evidence (CycloneDX 1.6 + SPDX 2.3 output)
  • Adds AC_CHECK_PROG checks for python3 and pyspdxtools in configure.ac

Usage

make sbom WOLFSSL_DIR=/path/to/wolfssl
# produces: wolfprov-1.1.1.cdx.json  wolfprov-1.1.1.spdx.json  wolfprov-1.1.1.spdx
pyspdxtools --infile wolfprov-1.1.1.spdx.json   # must pass

make install-sbom   # installs to $(datadir)/doc/wolfprov/
make uninstall-sbom

WOLFSSL_DIR must point to a wolfssl checkout containing scripts/gen-sbom (branch feat/sbom-embedded, or master once wolfSSL/wolfssl#10343 merges).

Notes

  • Product name is wolfprov throughout (matches AC_INIT and lib_LTLIBRARIES), not wolfprovider
  • No generated options.h; uses installed wolfssl's options.h via $(WOLFSSL_INCLUDEDIR)/wolfssl/options.h. WOLFSSL_DIR defaults to $(WOLFSSL_INSTALL_DIR) (set by --with-wolfssl= at configure time)
  • wolfProvider's libtool default SONAME is libwolfprov.so.0.0.0 (no -version-info set) — --lib path uses this literal, not the package version 1.1.1
  • Known limitation: if wolfssl was found via pkg-config rather than --with-wolfssl, WOLFSSL_INSTALL_DIR may be malformed; pass WOLFSSL_DIR= explicitly in that case

Copilot AI review requested due to automatic review settings June 23, 2026 22:35
@MarkAtwood MarkAtwood requested a review from sameehj June 23, 2026 22:36

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds SBOM generation and install/uninstall targets to the autotools build so wolfProvider can emit CycloneDX 1.6 and SPDX 2.3 artifacts (via wolfSSL’s gen-sbom script), plus configure-time discovery of required tooling.

Changes:

  • Add make sbom, make install-sbom, and make uninstall-sbom targets that stage-install the built artifacts and generate CycloneDX/SPDX outputs.
  • Add AC_CHECK_PROG checks for python3 and pyspdxtools in configure.ac.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
Makefile.am Adds SBOM generation and install/uninstall targets and related variables.
configure.ac Adds checks for python3 and pyspdxtools availability.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Makefile.am Outdated
# ---------------------------------------------------------------------------
# SBOM generation (CycloneDX + SPDX) via wolfssl's gen-sbom script
# ---------------------------------------------------------------------------
WOLFSSL_DIR ?= $(WOLFSSL_INSTALL_DIR)
Comment thread Makefile.am Outdated
WOLFSSL_DIR ?= $(WOLFSSL_INSTALL_DIR)
WOLFSSL_INCLUDEDIR ?= $(WOLFSSL_DIR)/include
PRODUCT = wolfprov
VERSION = $(shell grep LIBWOLFPROV_VERSION_STRING $(srcdir)/include/wolfprovider/version.h 2>/dev/null | sed 's/.*"\(.*\)".*/\1/')
Comment thread Makefile.am Outdated
Comment on lines +76 to +80
@if test -z "$(PYTHON3)"; then \
echo "ERROR: python3 not found in PATH."; exit 1; fi
$(MAKE) install DESTDIR=$(builddir)/_sbom_stage
$(PYTHON3) $(GEN_SBOM) $(SBOM_OPTS)
rm -rf $(builddir)/_sbom_stage
Adds CycloneDX + SPDX SBOM generation via wolfssl's gen-sbom script.
Usage: make sbom WOLFSSL_DIR=/path/to/wolfssl

wolfProvider has no generated options.h; uses installed wolfssl's
options.h. WOLFSSL_DIR defaults to WOLFSSL_INSTALL_DIR. SONAME is
libwolfprov.so.0.0.0 (libtool default, no version-info set).
@MarkAtwood MarkAtwood force-pushed the feat/add-make-sbom branch from a93e1f6 to 8db5499 Compare June 29, 2026 19:18
@MarkAtwood MarkAtwood assigned wolfSSL-Bot and unassigned MarkAtwood Jul 6, 2026
Replace the inline SBOM recipe with the shared, product-agnostic
scripts/sbom.am used across the wolfSSL autotools stack. wolfProvider
just declares itself (a libwolfprov shared library that links both
wolfSSL and OpenSSL) and includes the fragment, gaining reproducible
output, license/version pinning, SPDX validation, dependency recording
(wolfssl + openssl), and an install/uninstall hook. Switch configure to
AC_PATH_PROG + AC_SUBST, expand the README, and add a SBOM CI workflow.

Signed-off-by: Sameeh Jubran <sameeh.j@gmail.com>

@aidangarske aidangarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐺 Skoll Code Review

Overall recommendation: REQUEST_CHANGES
Findings: 2 total — 2 posted, 0 skipped

Posted findings

  • [High] SBOM version lookup breaks clean out-of-tree builds and overrides Automake VERSIONMakefile.am:60-71
  • [Medium] pyspdxtools probe is never enforced by the sbom targetconfigure.ac:30, Makefile.am:80-83

Review generated by Skoll.

Comment thread Makefile.am
# it is (a shared library that links both wolfSSL and OpenSSL) and includes it.
# WOLFSSL_DIR must point to a wolfssl source tree containing scripts/gen-sbom;
# it defaults to the --with-wolfssl location, which is an install prefix, so for
# `make sbom` pass a source tree: make sbom WOLFSSL_DIR=/path/to/wolfssl.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [High] SBOM version lookup breaks clean out-of-tree builds and overrides Automake VERSION
🚫 BLOCK bug

The PR defines VERSION by grepping $(srcdir)/include/wolfprovider/version.h, but this header is generated by configure.ac and is gitignored; a clean source tree only contains include/wolfprovider/version.h.in. In a normal VPATH/out-of-tree build, the generated header lives in the build tree, so this grep returns empty. Because VERSION is also Automake's standard package-version variable, this can produce SBOM paths like wolfprov-.spdx and can also affect other Automake rules that rely on $(VERSION). The PR introduces this by adding a new top-level VERSION = ... assignment for SBOM generation.

Recommendation: Replace the custom VERSION assignment with a separate SBOM variable based on $(PACKAGE_VERSION) or @VERSION@ before merge. For example: SBOM_VERSION = $(PACKAGE_VERSION) and reference $(SBOM_VERSION) in the SBOM paths and options.

Comment thread configure.ac
AC_LANG(C)

# Tools used by the SBOM targets (see scripts/sbom.am `make sbom`). GIT is used
# only to derive SOURCE_DATE_EPOCH for reproducible SBOM output; all three are

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟡 [Medium] pyspdxtools probe is never enforced by the sbom target
💡 SUGGEST bug

The PR adds AC_CHECK_PROG([PYSPDXTOOLS], [pyspdxtools], [pyspdxtools]) and the README says pyspdxtools is required, but make sbom only checks $(PYTHON3) before invoking gen-sbom. If pyspdxtools is missing, configure still succeeds and the target proceeds until the generator fails later, likely with a less actionable error. This weakens the dependency check introduced by the PR.

Recommendation: Use the PYSPDXTOOLS configure result in the sbom recipe so the documented dependency is checked before running the generator, e.g. add an @if test -z "$(PYSPDXTOOLS)"; then echo "ERROR: pyspdxtools not found in PATH. Install with: pip install spdx-tools"; exit 1; fi guard.

@aidangarske aidangarske assigned MarkAtwood and unassigned wolfSSL-Bot Jul 9, 2026
@MarkAtwood

Copy link
Copy Markdown
Author

Both Skoll findings are against code that isn't in this PR (verified against the current head):

  • "VERSION grep at Makefile.am:60" — line 60 is a comment. There is no VERSION = assignment and no include/wolfprovider/version.h grep anywhere in the diff. SBOM filenames use $(PACKAGE_VERSION) (see scripts/sbom.am), so the "empty version / overrides Automake VERSION" symptom can't occur. The only version.h reads in the PR are the gated wolfSSL dependency version, a separate variable.

  • "pyspdxtools probe never enforced" — the recipe enforces it before gen-sbom runs: scripts/sbom.am:95 has @test -n "$(PYSPDXTOOLS)" || { echo "ERROR: 'pyspdxtools' not found ..."; exit 1; }.

The recipe was refactored into the shared scripts/sbom.am (byte-identical to the wolfssh copy); the flagged lines predate that refactor. CI is green. Requesting a re-review / dismissal of the stale change-request.

@MarkAtwood

Copy link
Copy Markdown
Author

Detailed verification — both Skoll findings are against code that isn't in this PR

Checked two ways against the reviewed head 611ccd038f14663e74e8225eb8fe821ff8290293: statically on a fresh clone, and empirically via this PR's own make sbom CI. Neither finding reproduces.

Finding 1 — "VERSION grep at Makefile.am:60 overrides Automake VERSION"

  • No VERSION = … assignment exists in any Makefile.am, *.am, or configure.ac. grep -rnE '^[[:space:]]*VERSION[[:space:]]*[:]?=' over a clean clone of the head returns nothing.

  • The only references to include/wolfprovider/version.h are benign: configure.ac:211 (an AC_CONFIG_FILES output generated from version.h.in) and include/include.am:7 (header install). Neither greps a version for the SBOM.

  • SBOM output names use $(PACKAGE_VERSION), not $(VERSION):

    • scripts/sbom.am:52-54SBOM_CDX = $(SBOM_PKGNAME)-$(PACKAGE_VERSION).cdx.json (and .spdx.json, .spdx)
    • scripts/sbom.am:172gen-sbom is passed --version $(PACKAGE_VERSION)

    PACKAGE_VERSION is set by AC_INIT, so it cannot be empty — the wolfprov-.spdx symptom described in the finding cannot occur.

  • Makefile.am:60 is a comment line (# … make sbom WOLFSSL_DIR=/path/to/wolfssl.), not a VERSION assignment.

Finding 2 — "pyspdxtools probe never enforced by the sbom target"

  • It is enforced before the generator runs: scripts/sbom.am:95@test -n "$(PYSPDXTOOLS)" || { echo "ERROR: 'pyspdxtools' not found (pip install spdx-tools)."; exit 1; }
  • And it is used: scripts/sbom.am:182$(PYSPDXTOOLS) --infile $(SBOM_SPDX) --outfile $(SBOM_SPDX_TV) (SPDX → tag-value).

Empirical — make sbom builds and passes on this exact SHA

The SBOM Test workflow (run https://github.com/wolfSSL/wolfProvider/actions/runs/29008558830) built the full openssl + wolfssl + wolfprovider stack from source and ran make sbom on 611ccd038. Every step passed, including:

  • Generate SBOMmake sbom ran end-to-end
  • Outputs exist and SPDX validatespyspdxtools --infile validated the generated SPDX
  • CycloneDX identity and licence — asserts a versioned purl (pkg:github/wolfSSL/wolfprovider@…) and GPL-3.0-or-later
  • Reproducible across two runs, wolfssl / openssl recorded as dependencies

If the version were empty or pyspdxtools weren't wired, those steps would fail — they pass.

Both findings are incorrect against the current head. CI is green; requesting the change-request be dismissed so this can proceed.

@aidangarske aidangarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐺 Skoll Code Review

Overall recommendation: REQUEST_CHANGES
Findings: 2 total — 2 posted, 0 skipped

Posted findings

  • [High] SBOM option capture omits configured compiler definesscripts/sbom.am:129-131
  • [Low] SBOM workflow executes mutable external gen-sbom ref.github/workflows/sbom.yml:42-47

Review generated by Skoll.

Comment thread scripts/sbom.am
exit 1; \
fi; \
echo "SBOM: hashing $$sbom_art"; \
$(CC) -dM -E $(DEFAULT_INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [High] SBOM option capture omits configured compiler defines
🚫 BLOCK bug

The new sbom recipe claims to record the configured build options, but the preprocessor pass that writes _sbom_defines only uses $(DEFAULT_INCLUDES), $(AM_CPPFLAGS), $(CPPFLAGS), and config.h. In this repo, many actual build-defining options are placed in AM_CFLAGS by configure.ac, including -DWOLFPROV_DEBUG, -DWOLFPROV_DEBUG_SILENT, -DWP_NO_DYNAMIC_PROVIDER, -DWP_SINGLE_THREADED, -DWOLFPROV_REPLACE_DEFAULT, and -DWP_HAVE_SEED_SRC. The build scripts also pass feature defines through CFLAGS, such as -DWOLFPROV_QUICKTEST, -DWOLFPROV_REPLACE_DEFAULT_UNIT_TEST, and -DWOLFPROV_LEAVE_SILENT_MODE. As a result, a build configured with these options can produce an SBOM that omits options that materially changed the compiled artifact. This is introduced by the new SBOM target and directly undermines the CRA evidence it is adding.

Recommendation: Include the same compiler define sources used for the actual build when generating _sbom_defines (add $(AM_CFLAGS) $(CFLAGS)), and add a CI check that runs make sbom after at least one non-default configure option such as --enable-debug or --enable-seed-src and verifies the corresponding macro is present in the generated SBOM options.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed. The -dM -E defines pass now includes $(AM_CFLAGS) $(CFLAGS) in addition to $(AM_CPPFLAGS) $(CPPFLAGS), so options that configure.ac places in AM_CFLAGS (-DWOLFPROV_DEBUG, -DWP_HAVE_SEED_SRC, -DWP_NO_DYNAMIC_PROVIDER, -DWP_SINGLE_THREADED, -DWOLFPROV_DEBUG_SILENT, -DWOLFPROV_REPLACE_DEFAULT) and options passed through CFLAGS now land in the SBOM. Also added the CI step you suggested: the sbom workflow now reconfigures with --enable-debug, regenerates the SBOM, and fails unless WOLFPROV_DEBUG appears in the generated CycloneDX options. It reuses the wolfSSL/OpenSSL already built in the job and runs after the artefact upload, so the uploaded SBOM stays the default configuration.

@dgarske dgarske left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sameehj or @MarkAtwood please see feedback #410 (review)

The SBOM define capture only preprocessed with AM_CPPFLAGS/CPPFLAGS, so
build-defining options placed in AM_CFLAGS (-DWOLFPROV_DEBUG,
-DWP_HAVE_SEED_SRC, etc.) and passed via CFLAGS were omitted from the
SBOM options, understating the CRA evidence. Add $(AM_CFLAGS) $(CFLAGS)
to the -dM -E pass and add a CI step that configures --enable-debug and
asserts WOLFPROV_DEBUG appears in the generated SBOM.

Pin the sbom workflow's gen-sbom checkout to an immutable commit SHA
(head of wolfSSL/wolfssl#10343) instead of a mutable PR ref.
@MarkAtwood

Copy link
Copy Markdown
Author

On the second finding (mutable gen-sbom ref in the workflow): pinned. The Checkout wolfssl (gen-sbom source) step and the workflow_dispatch default now fetch the immutable commit SHA 0a32b47b962aa626820f3cc2af5ee32ab348924a (current head of wolfSSL/wolfssl#10343) instead of refs/pull/10343/head, so a force-push can't silently change the gen-sbom CI runs. A TODO notes this moves to the wolfssl release/master copy once #10343 merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants