Skip to content

feat: add make sbom target#557

Open
MarkAtwood wants to merge 6 commits into
wolfSSL:masterfrom
MarkAtwood:feat/add-sbom-make-target
Open

feat: add make sbom target#557
MarkAtwood wants to merge 6 commits into
wolfSSL:masterfrom
MarkAtwood:feat/add-sbom-make-target

Conversation

@MarkAtwood

@MarkAtwood MarkAtwood commented Jun 23, 2026

Copy link
Copy Markdown

Summary

Adds make sbom, make install-sbom, and make uninstall-sbom targets to the autotools build.

  • Stages a temporary install to extract the built .so for hashing
  • Dumps preprocessor defines via cc -dM -E for the options snapshot
  • Calls gen-sbom (from wolfssl scripts/gen-sbom) to produce CycloneDX and SPDX outputs
  • Validates SPDX with pyspdxtools

Usage

```sh
./configure --with-wolfssl=/path/to/wolfssl/install
make
make sbom WOLFSSL_DIR=/path/to/wolfssl/source
```

Outputs: wolfmqtt-<version>.cdx.json, wolfmqtt-<version>.spdx.json, wolfmqtt-<version>.spdx

Requirements

  • WOLFSSL_DIR must point to a wolfssl source tree containing scripts/gen-sbom (available on the feat/sbom-embedded branch of wolfssl)
  • python3 and pip install spdx-tools on the build host

Test plan

  • ./configure --with-wolfssl=... && make && make sbom WOLFSSL_DIR=...
  • Verify three output files are produced
  • pyspdxtools --infile wolfmqtt-*.spdx.json passes validation

CMake support

The same SBOM workflow is available for cmake builds via a sbom custom target.

cmake -B build -DWOLFSSL_DIR=/path/to/wolfssl/source .
cmake --build build
cmake --build build --target sbom

The cmake target mirrors the autotools one:

  • Version is read from wolfmqtt/version.h (not project(VERSION)) so both build systems emit the same version.
  • Stages a cmake --install to hash the installed libwolfmqtt.so.
  • Dumps preprocessor defines via cc -dM -E on the generated options.h.
  • Validates SPDX with pyspdxtools.
  • WOLFSSL_DIR, python3, and pyspdxtools are checked at configure time (fatal error if missing) so problems surface before building.

Outputs (in the build directory): wolfmqtt-<version>.cdx.json, wolfmqtt-<version>.spdx.json, wolfmqtt-<version>.spdx

Add top-level AGENTS.md with project overview, build quick start,
and contribution rules. Detailed platform build guides in AI/ for
Linux/macOS, Windows, and embedded targets.

Update .gitignore to ignore common AI tool local files.
Adds sbom, install-sbom, and uninstall-sbom targets.
Runs gen-sbom to produce CDX and SPDX outputs.
Requires WOLFSSL_DIR pointing to a wolfssl tree with
the feat/sbom-embedded branch (includes gen-sbom).
@MarkAtwood MarkAtwood requested review from Copilot and sameehj June 23, 2026 01:39

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.

Adds new autotools make sbom workflow to generate and install SBOM artifacts (CycloneDX + SPDX) for CRA compliance, plus updates repo guidance/docs.

Changes:

  • Add SBOM-related make sbom, make install-sbom, make uninstall-sbom targets (staging install, calling gen-sbom, validating SPDX).
  • Extend configure.ac to expose libtool version components and discover SBOM tooling (python3, pyspdxtools, git).
  • Add/update contributor and build documentation under AI/, plus refresh AGENTS.md and ignore common AI tool local files.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
configure.ac Exposes version components + finds SBOM tool executables for substitution into make rules
Makefile.am Implements SBOM generation/validation and install/uninstall targets
AI/contributing.md New contribution guidelines (workflow, CI rules, testing)
AI/build-windows.md New Windows build guide
AI/build-linux.md New Linux/macOS build guide
AI/build-embedded.md New embedded/RTOS build guide
AGENTS.md Replaces prior agent guidance with repo overview + links to new docs
.gitignore Ignores common AI-tool local configuration directories/files

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Makefile.am Outdated
--supplier 'wolfSSL Inc.' \
--license-file $(srcdir)/LICENSE \
--options-h $(abs_builddir)/wolfmqtt/options.h \
--lib $(abs_builddir)/_sbom_staging$(libdir)/libwolfmqtt.so.$(WOLFMQTT_LIBRARY_VERSION_FIRST).$(WOLFMQTT_LIBRARY_VERSION_SECOND).$(WOLFMQTT_LIBRARY_VERSION_THIRD) \
Comment thread configure.ac Outdated
Comment on lines +43 to +45
WOLFMQTT_LIBRARY_VERSION_FIRST=19
WOLFMQTT_LIBRARY_VERSION_SECOND=0
WOLFMQTT_LIBRARY_VERSION_THIRD=0
Comment thread Makefile.am Outdated
fi
rm -rf $(abs_builddir)/_sbom_staging
$(MAKE) install DESTDIR=$(abs_builddir)/_sbom_staging
$(PYTHON3) $(WOLFSSL_DIR)/scripts/gen-sbom \
Comment thread Makefile.am Outdated
--license-file $(srcdir)/LICENSE \
--options-h $(abs_builddir)/wolfmqtt/options.h \
--lib $(abs_builddir)/_sbom_staging$(libdir)/libwolfmqtt.so.$(WOLFMQTT_LIBRARY_VERSION_FIRST).$(WOLFMQTT_LIBRARY_VERSION_SECOND).$(WOLFMQTT_LIBRARY_VERSION_THIRD) \
--git '$(GIT)' \
Comment thread Makefile.am Outdated
Comment on lines +108 to +110
$(INSTALL_DATA) $(SBOM_CDX) $(DESTDIR)$(sbomdir)/
$(INSTALL_DATA) $(SBOM_SPDX) $(DESTDIR)$(sbomdir)/
$(INSTALL_DATA) $(SBOM_SPDX_TV) $(DESTDIR)$(sbomdir)/
Comment thread Makefile.am Outdated

.PHONY: sbom install-sbom uninstall-sbom

sbom:
@embhorn embhorn assigned embhorn and unassigned wolfSSL-Bot Jul 7, 2026
@embhorn embhorn self-requested a review July 7, 2026 21:51
@embhorn

embhorn commented Jul 7, 2026

Copy link
Copy Markdown
Member

Hi @MarkAtwood - Please address the Copilot feedback first

Replace the inline SBOM recipe with the shared, product-agnostic
scripts/sbom.am used across the wolfSSL autotools stack. wolfMQTT
declares what it is (a libwolfmqtt library that links wolfSSL for TLS)
and includes the fragment, gaining reproducible output, license/version
pinning, broader artifact discovery, wolfSSL dependency recording, and
an install/uninstall hook. Because wolfMQTT keeps its feature macros in
its own generated wolfmqtt/options.h (no config.h defines), the fragment
gains an optional SBOM_OPTIONS_H so gen-sbom reads that header. Tidy
configure.ac and add a SBOM CI workflow.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>

@embhorn embhorn left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skoll Code Review

Scan type: review
Overall recommendation: REQUEST_CHANGES
Findings: 8 total — 8 posted, 0 skipped
8 finding(s) posted as inline comments (see file-level comments below)

Posted findings

  • [High] CMake sbom target uses shell redirection > which does not work in add_custom_target COMMAND (VERBATIM)CMakeLists.txt:516-517
  • [Medium] CMake sbom target uses cmake -E rm which requires CMake 3.17 but project minimum is 3.16CMakeLists.txt:535-536
  • [Medium] CMake sbom target hardcodes libwolfmqtt.so, breaking static / macOS / Windows buildsCMakeLists.txt:525
  • [Medium] New Linux build doc recommends non-existent autotools flags --with-wolfssl / --with-wolfssl-treeAI/build-linux.md:46-49
  • [Medium] AGENTS.md states GPLv2, contradicting the GPLv3-or-later licensing used everywhere else (including this PR)AGENTS.md:5
  • [Medium] New CMake sbom target has no CI coverage.github/workflows/sbom.yml:88-163
  • [Low] CMake and autotools feed different inputs to gen-sbom --options-h, undercutting the 'byte-comparable SBOM' claimCMakeLists.txt:502-517
  • [Low] pull_request branches filter '*' misses slash-containing base branches.github/workflows/sbom.yml:6-7

Review generated by Skoll

Comment thread CMakeLists.txt
# Capture the compile-time options fingerprint. -dM -E emits the full set of
# macros defined after preprocessing options.h; gen-sbom reads this as a flat
# list of #define directives, same as it reads autotools' options.h.
COMMAND ${CMAKE_C_COMPILER} -dM -E

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 [High] CMake sbom target uses shell redirection > which does not work in add_custom_target COMMAND (VERBATIM)

The options-fingerprint step runs ${CMAKE_C_COMPILER} -dM -E ${WOLFMQTT_OUTPUT_BASE}/wolfmqtt/options.h > ${SBOM_DEFINES} inside an add_custom_target(... VERBATIM). add_custom_target/add_custom_command do NOT run their COMMAND through a shell, and with VERBATIM every…

Fix: Replace the > ${SBOM_DEFINES} redirection with -o ${SBOM_DEFINES} (gcc/clang support -o with -E), or wrap the compiler invocation in a cmake -P

Comment thread CMakeLists.txt
--outfile ${CMAKE_BINARY_DIR}/${SBOM_SPDX_TV}

# Remove transient artifacts; keep only the three SBOM files.
COMMAND ${CMAKE_COMMAND} -E rm -rf ${SBOM_STAGING}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [Medium] CMake sbom target uses cmake -E rm which requires CMake 3.17 but project minimum is 3.16

The cleanup steps use ${CMAKE_COMMAND} -E rm -rf ${SBOM_STAGING} and ${CMAKE_COMMAND} -E rm -f ${SBOM_DEFINES}. The cmake -E rm subcommand was introduced in CMake 3.17, but this file declares cmake_minimum_required(VERSION 3.16) (line 22). On a stock CMake 3.16.x the…

Fix: Either use the 3.16-compatible -E remove_directory / -E remove, or raise the SBOM section's requirement to CMake 3.17+ explicitly.

Comment thread CMakeLists.txt
--supplier "wolfSSL Inc."
--license-file ${CMAKE_CURRENT_SOURCE_DIR}/LICENSE
--options-h ${SBOM_DEFINES}
--lib ${SBOM_STAGING}/usr/local/lib/libwolfmqtt.so

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [Medium] CMake sbom target hardcodes libwolfmqtt.so, breaking static / macOS / Windows builds

The gen-sbom invocation passes --lib ${SBOM_STAGING}/usr/local/lib/libwolfmqtt.so with a hardcoded .so name. If the build is configured with -DBUILD_SHARED_LIBS=OFF (option is exposed at line 38), the installed artifact is libwolfmqtt.a and this path does not exist, so…

Fix: Resolve the artifact name from the actual target/platform instead of hardcoding .so, matching the multi-extension behavior of the autotools recipe.

Comment thread AI/build-linux.md

```bash
# Installed wolfSSL
./configure --with-wolfssl=/path/to/wolfssl/install

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [Medium] New Linux build doc recommends non-existent autotools flags --with-wolfssl / --with-wolfssl-tree

The 'TLS configuration' section tells users to run ./configure --with-wolfssl=/path/to/wolfssl/install and ./configure --with-wolfssl-tree=/path/to/wolfssl. wolfMQTT's configure.ac only defines --with-libwolfssl-prefix (configure.ac:84-85); there is no --with-wolfssl or…

Fix: Correct the autotools example to --with-libwolfssl-prefix=PATH (there is no source-tree autotools flag), keeping -DWITH_WOLFSSL / -DWITH_WOLFSSL_TREE

Comment thread AGENTS.md
## About wolfMQTT

## Overview
wolfMQTT is a lightweight MQTT client library for embedded systems, written in portable ANSI C. It supports MQTT v3.1.1, v5.0, and MQTT-SN for sensor networks over constrained transports. It includes a lightweight embedded broker. Optional TLS is provided via wolfSSL. wolfMQTT is dual-licensed under GPLv2 and a commercial license.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [Medium] AGENTS.md states GPLv2, contradicting the GPLv3-or-later licensing used everywhere else (including this PR)

The rewritten AGENTS.md 'About' section says 'wolfMQTT is dual-licensed under GPLv2 and a commercial license.' The actual license is GPLv3-or-later: wolfmqtt/version.h and every source header say 'either version 3 of the License, or (at your option) any later version', and this…

Fix: Change 'GPLv2' to 'GPLv3 (or later)' to match version.h, the source headers, and the SBOM license override.

echo "::notice::gen-sbom on this ref has no --dep-wolfssl; the wolfssl dependency + name-derived identity assertions will be skipped."
fi

- name: Configure and build wolfmqtt

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 [Medium] New CMake sbom target has no CI coverage

The new sbom.yml workflow exercises only the autotools make sbom path. The equally new CMake sbom custom target (CMakeLists.txt:507-543) is never configured or built in CI. Had it been, the redirection bug and the cmake -E rm 3.17 issue above would have been caught before…

Fix: Add a CMake SBOM job to the workflow so the CMake target is actually built and validated.

Comment thread CMakeLists.txt
# Staging dir for `cmake --install` so gen-sbom hashes the as-installed
# libwolfmqtt.so without polluting the system or requiring root.
set(SBOM_STAGING "${CMAKE_BINARY_DIR}/_sbom_staging")
# Pre-processed macro dump fed to gen-sbom via --options-h. `cc -dM -E` on the

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 [Low] CMake and autotools feed different inputs to gen-sbom --options-h, undercutting the 'byte-comparable SBOM' claim

The CMake target passes --options-h ${SBOM_DEFINES}, where SBOM_DEFINES is the output of cc -dM -E options.h — i.e. the full macro set including all compiler-builtin defines (__GNUC__, __SIZEOF_*, etc.) plus the options.h contents. The autotools build for wolfMQTT…

Fix: Confirm what gen-sbom does with --options-h; if it does not filter, feed the same raw options.h both build systems use, or soften the 'byte-comparable' claim…

on:
push:
branches: [ 'master', 'main', 'release/**' ]
pull_request:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 [Low] pull_request branches filter '*' misses slash-containing base branches

The push trigger targets [ 'master', 'main', 'release/**' ], but the pull_request trigger uses branches: [ '*' ]. The single-asterisk glob matches only base branch names without a /, so PRs targeting a release/** base branch would not trigger this workflow, inconsistent…

Fix: Use '**' to also match slash-containing base branches, matching the push trigger's intent.

@embhorn embhorn left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @MarkAtwood

Very cool! I was able to generate the SBOM files.

Please review the skoll comments and then it should be ready.

## Document Information
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: wolfmqtt-2.0.0
DocumentNamespace: urn:uuid:d3437452-0edc-5202-a2e4-3089e486b663

## Creation Information
Creator: Organization: wolfSSL Inc.
Creator: Tool: wolfssl-sbom-gen-1.2
Created: 2026-07-10T10:15:17Z

## Package Information
PackageName: wolfmqtt
SPDXID: SPDXRef-Package-wolfmqtt
PackageVersion: 2.0.0
PackageSupplier: Organization: wolfSSL Inc.
PackageDownloadLocation: https://github.com/wolfSSL/wolfmqtt
FilesAnalyzed: false
PackageChecksum: SHA256: d6a8b093aba36f2e1abb6c2ed429df9ed113e4dea493ac21764ccfb99ad9d4ef
PackageLicenseConcluded: GPL-3.0-or-later
PackageLicenseDeclared: GPL-3.0-or-later
PackageCopyrightText: Copyright (C) 2006-2026 wolfSSL Inc.
PackageComment: Build configuration defines: ENABLE_MQTT_TLS, SIZEOF_LONG, WOLFMQTT_BROKER, WOLFMQTT_DISCONNECT_CB, WOLFMQTT_MAX_QOS, WOLFMQTT_PROPERTY_CB, WOLFMQTT_V5
ExternalRef: SECURITY cpe23Type cpe:2.3:a:wolfssl:wolfmqtt:2.0.0:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:github/wolfSSL/wolfmqtt@v2.0.0
ExternalRef: SECURITY advisory https://github.com/wolfSSL/wolfmqtt/security/advisories

## Package Information
PackageName: wolfssl
SPDXID: SPDXRef-Package-wolfssl
PackageVersion: 5.9.2
PackageSupplier: Organization: wolfSSL Inc.
PackageDownloadLocation: https://github.com/wolfSSL/wolfssl
FilesAnalyzed: false
PackageLicenseConcluded: GPL-3.0-only
PackageLicenseDeclared: GPL-3.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:github/wolfSSL/wolfssl@v5.9.2

## Relationships
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-wolfmqtt
Relationship: SPDXRef-Package-wolfmqtt DEPENDS_ON SPDXRef-Package-wolfssl

## Annotations
Annotator: Tool: wolfssl-sbom-gen-1.2
AnnotationDate: 2026-07-10T10:15:17Z
AnnotationType: OTHER
SPDXREF: SPDXRef-Package-wolfmqtt
AnnotationComment: wolfssl:sbom:hash-kind=library-binary

Annotator: Tool: wolfssl-sbom-gen-1.2
AnnotationDate: 2026-07-10T10:15:17Z
AnnotationType: OTHER
SPDXREF: SPDXRef-Package-wolfmqtt
AnnotationComment: wolfssl:sbom:hash-source=lib

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants