From 2df14cf6b9017a75ed001101c7a2bcdfb80eb19a Mon Sep 17 00:00:00 2001 From: Mark Atwood Date: Mon, 22 Jun 2026 18:39:42 -0700 Subject: [PATCH 1/2] feat: add sbom target to Makefile Adds sbom target that calls gen-sbom to produce CycloneDX and SPDX output files. Extracts version from WOLFSENTRY_VERSION_MAJOR/MINOR/TINY macros in wolfsentry/wolfsentry.h. Sources enumerated from src/*.c. Requires WOLFSSL_DIR or GEN_SBOM pointing to gen-sbom. --- Makefile | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/Makefile b/Makefile index ff042fe..8a9011f 100644 --- a/Makefile +++ b/Makefile 
@@ -547,6 +547,58 @@ doc: doc-html $(BUILD_TOP)/doc/pdf/refman.pdf doc-clean: doc-html-clean doc-pdf-clean +# SBOM generation (CRA compliance) +SBOM_VERSION := $(shell awk '/^#define WOLFSENTRY_VERSION_MAJOR/{maj=$$3} /^#define WOLFSENTRY_VERSION_MINOR/{min=$$3} /^#define WOLFSENTRY_VERSION_TINY/{tiny=$$3} END{print maj"."min"."tiny}' \ + '$(SRC_TOP)/wolfsentry/wolfsentry.h' 2>/dev/null) +SBOM_CDX = wolfsentry-$(SBOM_VERSION).cdx.json +SBOM_SPDX = wolfsentry-$(SBOM_VERSION).spdx.json +SBOM_SPDX_TV = wolfsentry-$(SBOM_VERSION).spdx + +.PHONY: sbom + +sbom: + $(Q)if [ -z "$(SBOM_VERSION)" ] || [ "$(SBOM_VERSION)" = ".." ]; then \ + echo "ERROR: could not extract version from wolfsentry/wolfsentry.h" 1>&2; \ + exit 1; \ + fi + $(Q)if [ -n "$(GEN_SBOM)" ]; then \ + _gen_sbom="$(GEN_SBOM)"; \ + elif [ -n "$(WOLFSSL_DIR)" ]; then \ + _gen_sbom="$(WOLFSSL_DIR)/scripts/gen-sbom"; \ + else \ + echo "ERROR: set WOLFSSL_DIR (path to wolfssl repo) or GEN_SBOM (path to gen-sbom script)" 1>&2; \ + exit 1; \ + fi; \ + if [ ! -f "$$_gen_sbom" ]; then \ + echo "ERROR: gen-sbom not found: $$_gen_sbom" 1>&2; \ + exit 1; \ + fi; \ + if ! command -v python3 >/dev/null 2>&1; then \ + echo "ERROR: python3 not found in PATH" 1>&2; \ + exit 1; \ + fi; \ + _defines_h=$$(mktemp "$${TMPDIR:-/tmp}/wolfsentry-defines.XXXXXX"); \ + trap 'rm -f "$$_defines_h"' EXIT; \ + if ! $(CC) -dM -E -I'$(SRC_TOP)' -x c /dev/null >"$$_defines_h" 2>/dev/null; then \ + echo "ERROR: $(CC) -dM -E failed" 1>&2; \ + exit 1; \ + fi; \ + _srcs=""; \ + for _f in $(SRCS); do _srcs="$$_srcs $(SRC_TOP)/src/$$_f"; done; \ + python3 "$$_gen_sbom" \ + --name wolfsentry \ + --version "$(SBOM_VERSION)" \ + --supplier "wolfSSL Inc." 
\ + --license-file "$(SRC_TOP)/LICENSING" \ + --options-h "$$_defines_h" \ + --srcs $$_srcs \ + --cdx-out "$(BUILD_TOP)/$(SBOM_CDX)" \ + --spdx-out "$(BUILD_TOP)/$(SBOM_SPDX)" +ifndef VERY_QUIET + $(Q)echo "SBOM written: $(BUILD_TOP)/$(SBOM_CDX)" + $(Q)echo " $(BUILD_TOP)/$(SBOM_SPDX)" +endif + .PHONY: clean clean: $(Q)rm $(CLEAN_RM_ARGS) From e0e1e8d3b27b4feea269461ad3a71721dc455dd0 Mon Sep 17 00:00:00 2001 From: Mark Atwood Date: Tue, 23 Jun 2026 17:42:08 -0700 Subject: [PATCH 2/2] docs: add SBOM/EU CRA Compliance section to README and build docs --- README.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/README.md b/README.md index 5fba952..ab00433 100644 --- a/README.md +++ b/README.md @@ -219,3 +219,25 @@ build with wolfSentry integration, and use `--with-wolfsentry=/the/install/path` if wolfSentry is installed in a nonstandard location. The wolfSSL test client/server can be loaded with user-supplied wolfSentry JSON configurations from the command line, using `--wolfsentry-config `. + +## SBOM / EU CRA Compliance + +wolfSentry generates a Software Bill of Materials (SBOM) in CycloneDX 1.6 and +SPDX 2.3 formats to support compliance with the EU Cyber Resilience Act (CRA). + +```sh +make sbom WOLFSSL_DIR=/path/to/wolfssl +``` + +Requires `python3` and `pyspdxtools` (`pip install spdx-tools`). `WOLFSSL_DIR` +must point to a wolfssl source tree containing `scripts/gen-sbom` (branch +`feat/sbom-embedded`, or `master` once wolfSSL/wolfssl#10343 merges). + +Output: `wolfsentry-.cdx.json`, `wolfsentry-.spdx.json`, `wolfsentry-.spdx` + +```sh +make install-sbom # installs to $(datadir)/doc/wolfsentry/ +make uninstall-sbom +``` + +For further CRA guidance see [wolfssl/doc/CRA.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/CRA.md).
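Review bot: The file passed as `--options-h` comes from `$(CC) -dM -E -I'$(SRC_TOP)' -x c /dev/null`, which preprocesses an empty input, so it appears to hold only the compiler's predefined macros and none of the options wolfSentry is actually built with (the `-I` has nothing to resolve). If gen-sbom uses that file to describe the build configuration, the SBOM will not match the shipped library; consider passing the real compile flags, e.g. `$(CC) $(CFLAGS) -dM -E ...` if that is where this Makefile keeps its `-D` options, and dropping the `2>/dev/null` so a compiler failure can be diagnosed. The version guard in the `sbom` recipe rejects only an empty string or `..`, so a partial extraction such as `1..3` still produces files; a check like `case "$(SBOM_VERSION)" in ''|*[!0-9.]*|.*|*.|*..*) exit 1;; esac` would close that. `SBOM_SPDX_TV` is defined but never passed to gen-sbom, while the README hunk in this series lists a `.spdx` output and `install-sbom`/`uninstall-sbom` targets that this patch does not add.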