feat: add make sbom target#557
Open
MarkAtwood wants to merge 3 commits into
Add top-level AGENTS.md with project overview, build quick start, and contribution rules. Detailed platform build guides in AI/ for Linux/macOS, Windows, and embedded targets. Update .gitignore to ignore common AI tool local files.
Adds sbom, install-sbom, and uninstall-sbom targets. Runs gen-sbom to produce CDX and SPDX outputs. Requires WOLFSSL_DIR pointing to a wolfssl tree with the feat/sbom-embedded branch (includes gen-sbom).
Pull request overview
Note: Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.
Adds new autotools make sbom workflow to generate and install SBOM artifacts (CycloneDX + SPDX) for CRA compliance, plus updates repo guidance/docs.
Changes:
- Add SBOM-related `make sbom`, `make install-sbom`, `make uninstall-sbom` targets (staging install, calling `gen-sbom`, validating SPDX).
- Extend `configure.ac` to expose libtool version components and discover SBOM tooling (`python3`, `pyspdxtools`, `git`).
- Add/update contributor and build documentation under `AI/`, plus refresh `AGENTS.md` and ignore common AI tool local files.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| configure.ac | Exposes version components + finds SBOM tool executables for substitution into make rules |
| Makefile.am | Implements SBOM generation/validation and install/uninstall targets |
| AI/contributing.md | New contribution guidelines (workflow, CI rules, testing) |
| AI/build-windows.md | New Windows build guide |
| AI/build-linux.md | New Linux/macOS build guide |
| AI/build-embedded.md | New embedded/RTOS build guide |
| AGENTS.md | Replaces prior agent guidance with repo overview + links to new docs |
| .gitignore | Ignores common AI-tool local configuration directories/files |
| --supplier 'wolfSSL Inc.' \ | ||
| --license-file $(srcdir)/LICENSE \ | ||
| --options-h $(abs_builddir)/wolfmqtt/options.h \ | ||
| --lib $(abs_builddir)/_sbom_staging$(libdir)/libwolfmqtt.so.$(WOLFMQTT_LIBRARY_VERSION_FIRST).$(WOLFMQTT_LIBRARY_VERSION_SECOND).$(WOLFMQTT_LIBRARY_VERSION_THIRD) \ |
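Review bot: `--license-file $(srcdir)/LICENSE` mixes a possibly relative path with the absolute `$(abs_builddir)` used on the `--options-h` and `--lib` lines right after it. In a VPATH build `$(srcdir)` is relative to the build directory, which works only because the recipe happens to run there; `$(abs_srcdir)/LICENSE` keeps the three arguments consistent and avoids a relative path being recorded in the generated SBOM if gen-sbom stores it.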
| WOLFMQTT_LIBRARY_VERSION_FIRST=19 | ||
| WOLFMQTT_LIBRARY_VERSION_SECOND=0 | ||
| WOLFMQTT_LIBRARY_VERSION_THIRD=0 |
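Review bot: `WOLFMQTT_LIBRARY_VERSION_FIRST=19`, `SECOND=0` and `THIRD=0` are a second, hand-maintained copy of the libtool version-info that already determines the `libwolfmqtt.so.19.0.0` filename. If either copy is bumped without the other, the `--lib` path Makefile.am assembles from these variables names a file the staging install never created and `make sbom` fails only when gen-sbom runs. Suggest deriving the three components from the single existing version-info definition rather than restating them here.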
| fi | ||
| rm -rf $(abs_builddir)/_sbom_staging | ||
| $(MAKE) install DESTDIR=$(abs_builddir)/_sbom_staging | ||
| $(PYTHON3) $(WOLFSSL_DIR)/scripts/gen-sbom \ |
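Review bot: `rm -rf $(abs_builddir)/_sbom_staging` and `$(MAKE) install DESTDIR=$(abs_builddir)/_sbom_staging` pass the path unquoted, so a build directory containing a space turns the `rm -rf` into a deletion of unintended paths before anything else runs. Quote both as `'$(abs_builddir)/_sbom_staging'`, as `--git '$(GIT)'` already does elsewhere in this patch. Nothing in this hunk removes the staging tree after gen-sbom has hashed it; if it is left behind, add it to `clean-local` so `make clean` and `make distcheck` do not trip over it.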
| --license-file $(srcdir)/LICENSE \ | ||
| --options-h $(abs_builddir)/wolfmqtt/options.h \ | ||
| --lib $(abs_builddir)/_sbom_staging$(libdir)/libwolfmqtt.so.$(WOLFMQTT_LIBRARY_VERSION_FIRST).$(WOLFMQTT_LIBRARY_VERSION_SECOND).$(WOLFMQTT_LIBRARY_VERSION_THIRD) \ | ||
| --git '$(GIT)' \ |
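Review bot: the `--lib` argument hardcodes a Linux `libwolfmqtt.so.MAJOR.MINOR.PATCH` filename. On macOS, which the new AI/build-linux.md in this PR covers, libtool emits a `.dylib` with a different naming scheme, and with `--disable-shared` no shared object exists at all, so the artifact to be hashed is not found in either case and the target fails. Suggest taking the library filename from what the staging install actually produced (falling back to the static archive when shared libraries are disabled) instead of assembling it from version components.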
| $(INSTALL_DATA) $(SBOM_CDX) $(DESTDIR)$(sbomdir)/ | ||
| $(INSTALL_DATA) $(SBOM_SPDX) $(DESTDIR)$(sbomdir)/ | ||
| $(INSTALL_DATA) $(SBOM_SPDX_TV) $(DESTDIR)$(sbomdir)/ |
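Review bot: the three `$(INSTALL_DATA)` lines copy into `$(DESTDIR)$(sbomdir)/` with no `$(MKDIR_P) $(DESTDIR)$(sbomdir)` visible before them; unless it sits immediately above this hunk, `make install-sbom` fails on a fresh prefix where `sbomdir` does not exist yet. There is also no visible dependency of `install-sbom` on `$(SBOM_CDX)`, `$(SBOM_SPDX)` and `$(SBOM_SPDX_TV)`, so running it before `make sbom` ends in a missing-file error rather than generating the SBOM first.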
|
|
||
| .PHONY: sbom install-sbom uninstall-sbom | ||
|
|
||
| sbom: |
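Review bot: `sbom` is declared `.PHONY` while the real products are the `$(SBOM_CDX)`, `$(SBOM_SPDX)` and `$(SBOM_SPDX_TV)` files. Making those files the actual targets, with `sbom` kept as a phony alias that depends on them, lets `install-sbom` depend on the files and stops every invocation from redoing the staging install and gen-sbom run even when nothing has changed.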
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Summary
Adds `make sbom`, `make install-sbom`, and `make uninstall-sbom` targets to the autotools build.
- `.so` for hashing
- `cc -dM -E` for the options snapshot
- `gen-sbom` (from wolfssl `scripts/gen-sbom`) to produce CycloneDX and SPDX outputs
- `pyspdxtools`
Usage
```sh
./configure --with-wolfssl=/path/to/wolfssl/install
make
make sbom WOLFSSL_DIR=/path/to/wolfssl/source
```
Outputs:
- `wolfmqtt-<version>.cdx.json`
- `wolfmqtt-<version>.spdx.json`
- `wolfmqtt-<version>.spdx`
Requirements
- `WOLFSSL_DIR` must point to a wolfssl source tree containing `scripts/gen-sbom` (available on the `feat/sbom-embedded` branch of wolfssl)
- `python3` and `pip install spdx-tools` on the build host
Test plan
- `./configure --with-wolfssl=... && make && make sbom WOLFSSL_DIR=...`
- `pyspdxtools --infile wolfmqtt-*.spdx.json` passes validation
CMake support
The same SBOM workflow is available for cmake builds via a `sbom` custom target.
```sh
cmake -B build -DWOLFSSL_DIR=/path/to/wolfssl/source .
cmake --build build
cmake --build build --target sbom
```
The cmake target mirrors the autotools one:
- `wolfmqtt/version.h` (not `project(VERSION)`) so both build systems emit the same version.
- `cmake --install` to hash the installed `libwolfmqtt.so`.
- `cc -dM -E` on the generated `options.h`.
- `pyspdxtools`.
- `WOLFSSL_DIR`, `python3`, and `pyspdxtools` are checked at configure time (fatal error if missing) so problems surface before building.
Outputs (in the build directory):
- `wolfmqtt-<version>.cdx.json`
- `wolfmqtt-<version>.spdx.json`
- `wolfmqtt-<version>.spdx`
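The point of hashing the installed library into the SBOM is that a consumer can later tie the document to the binary they actually received. The following is an added example, not code from this PR or from wolfMQTT: it recomputes the SHA-256 of a library file and compares it with the hash recorded in a CycloneDX document. The `components[].hashes[]` entries with `alg`/`content` are standard CycloneDX fields; the component name `libwolfmqtt`, the document and the library bytes are constructed here and stand in for a real `wolfmqtt-<version>.cdx.json` and the installed `libwolfmqtt.so`.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:                 # stream: large .so files need not fit in memory
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_cdx_hashes(cdx_doc, lib_paths):
    """Return {component name: True} only where the recorded SHA-256 matches disk.

    components[].hashes[] with alg/content are standard CycloneDX fields; a
    component with no SHA-256, or whose file is missing, is reported False,
    since an SBOM that cannot be tied to the shipped artifact assures nothing.
    """
    results = {}
    for comp in cdx_doc.get("components", []):
        name = comp.get("name")
        recorded = {h["content"].lower() for h in comp.get("hashes", [])
                    if h.get("alg") == "SHA-256"}
        path = lib_paths.get(name)
        if not recorded or path is None or not Path(path).is_file():
            results[name] = False
            continue
        results[name] = sha256_file(path) in recorded
    return results


def demo():
    """Constructed stand-ins (not a real build): verify, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d) / "libwolfmqtt.so.19.0.0"   # filename follows the PR's version scheme
        lib.write_bytes(b"\x7fELF stand-in bytes for the example")
        cdx = {"bomFormat": "CycloneDX", "specVersion": "1.5",   # constructed document
               "components": [{"type": "library", "name": "libwolfmqtt",
                               "hashes": [{"alg": "SHA-256",
                                           "content": sha256_file(lib)}]}]}
        intact = verify_cdx_hashes(cdx, {"libwolfmqtt": lib})["libwolfmqtt"]
        lib.write_bytes(b"\x7fELF modified after the SBOM was generated")
        tampered = verify_cdx_hashes(cdx, {"libwolfmqtt": lib})["libwolfmqtt"]
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Against a real build, `json.load` the `.cdx.json` produced by `make sbom` and pass the staged or installed library path in `lib_paths`; the same check applied to an SPDX document would read its `checksums` entries instead.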