feat: add make sbom target#557
Conversation
Add top-level AGENTS.md with project overview, build quick start, and contribution rules. Detailed platform build guides in AI/ for Linux/macOS, Windows, and embedded targets. Update .gitignore to ignore common AI tool local files.
Adds sbom, install-sbom, and uninstall-sbom targets. Runs gen-sbom to produce CDX and SPDX outputs. Requires WOLFSSL_DIR pointing to a wolfssl tree with the feat/sbom-embedded branch (includes gen-sbom).
There was a problem hiding this comment.
Pull request overview
Note
Copilot couldn't run its full agentic review because no GitHub Actions runner was available. Make sure your repository has a runner available to run Copilot's review, or add a copilot-setup-steps.yml file specifying one with the runs-on attribute. See the docs for more details.
Adds new autotools make sbom workflow to generate and install SBOM artifacts (CycloneDX + SPDX) for CRA compliance, plus updates repo guidance/docs.
Changes:
- Add SBOM-related
make sbom,make install-sbom,make uninstall-sbomtargets (staging install, callinggen-sbom, validating SPDX). - Extend
configure.acto expose libtool version components and discover SBOM tooling (python3,pyspdxtools,git). - Add/update contributor and build documentation under
AI/, plus refreshAGENTS.mdand ignore common AI tool local files.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| configure.ac | Exposes version components + finds SBOM tool executables for substitution into make rules |
| Makefile.am | Implements SBOM generation/validation and install/uninstall targets |
| AI/contributing.md | New contribution guidelines (workflow, CI rules, testing) |
| AI/build-windows.md | New Windows build guide |
| AI/build-linux.md | New Linux/macOS build guide |
| AI/build-embedded.md | New embedded/RTOS build guide |
| AGENTS.md | Replaces prior agent guidance with repo overview + links to new docs |
| .gitignore | Ignores common AI-tool local configuration directories/files |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| --supplier 'wolfSSL Inc.' \ | ||
| --license-file $(srcdir)/LICENSE \ | ||
| --options-h $(abs_builddir)/wolfmqtt/options.h \ | ||
| --lib $(abs_builddir)/_sbom_staging$(libdir)/libwolfmqtt.so.$(WOLFMQTT_LIBRARY_VERSION_FIRST).$(WOLFMQTT_LIBRARY_VERSION_SECOND).$(WOLFMQTT_LIBRARY_VERSION_THIRD) \ |
| WOLFMQTT_LIBRARY_VERSION_FIRST=19 | ||
| WOLFMQTT_LIBRARY_VERSION_SECOND=0 | ||
| WOLFMQTT_LIBRARY_VERSION_THIRD=0 |
| fi | ||
| rm -rf $(abs_builddir)/_sbom_staging | ||
| $(MAKE) install DESTDIR=$(abs_builddir)/_sbom_staging | ||
| $(PYTHON3) $(WOLFSSL_DIR)/scripts/gen-sbom \ |
| --license-file $(srcdir)/LICENSE \ | ||
| --options-h $(abs_builddir)/wolfmqtt/options.h \ | ||
| --lib $(abs_builddir)/_sbom_staging$(libdir)/libwolfmqtt.so.$(WOLFMQTT_LIBRARY_VERSION_FIRST).$(WOLFMQTT_LIBRARY_VERSION_SECOND).$(WOLFMQTT_LIBRARY_VERSION_THIRD) \ | ||
| --git '$(GIT)' \ |
| $(INSTALL_DATA) $(SBOM_CDX) $(DESTDIR)$(sbomdir)/ | ||
| $(INSTALL_DATA) $(SBOM_SPDX) $(DESTDIR)$(sbomdir)/ | ||
| $(INSTALL_DATA) $(SBOM_SPDX_TV) $(DESTDIR)$(sbomdir)/ |
|
|
||
| .PHONY: sbom install-sbom uninstall-sbom | ||
|
|
||
| sbom: |
|
Hi @MarkAtwood - Please address the Copilot feedback first |
Replace the inline SBOM recipe with the shared, product-agnostic scripts/sbom.am used across the wolfSSL autotools stack. wolfMQTT declares what it is (a libwolfmqtt library that links wolfSSL for TLS) and includes the fragment, gaining reproducible output, license/version pinning, broader artifact discovery, wolfSSL dependency recording, and an install/uninstall hook. Because wolfMQTT keeps its feature macros in its own generated wolfmqtt/options.h (no config.h defines), the fragment gains an optional SBOM_OPTIONS_H so gen-sbom reads that header. Tidy configure.ac and add a SBOM CI workflow. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
embhorn
left a comment
There was a problem hiding this comment.
Skoll Code Review
Scan type: review
Overall recommendation: REQUEST_CHANGES
Findings: 8 total — 8 posted, 0 skipped
8 finding(s) posted as inline comments (see file-level comments below)
Posted findings
- [High] CMake sbom target uses shell redirection
>which does not work in add_custom_target COMMAND (VERBATIM) —CMakeLists.txt:516-517 - [Medium] CMake sbom target uses
cmake -E rmwhich requires CMake 3.17 but project minimum is 3.16 —CMakeLists.txt:535-536 - [Medium] CMake sbom target hardcodes libwolfmqtt.so, breaking static / macOS / Windows builds —
CMakeLists.txt:525 - [Medium] New Linux build doc recommends non-existent autotools flags --with-wolfssl / --with-wolfssl-tree —
AI/build-linux.md:46-49 - [Medium] AGENTS.md states GPLv2, contradicting the GPLv3-or-later licensing used everywhere else (including this PR) —
AGENTS.md:5 - [Medium] New CMake sbom target has no CI coverage —
.github/workflows/sbom.yml:88-163 - [Low] CMake and autotools feed different inputs to gen-sbom --options-h, undercutting the 'byte-comparable SBOM' claim —
CMakeLists.txt:502-517 - [Low] pull_request branches filter
'*'misses slash-containing base branches —.github/workflows/sbom.yml:6-7
Review generated by Skoll
| # Capture the compile-time options fingerprint. -dM -E emits the full set of | ||
| # macros defined after preprocessing options.h; gen-sbom reads this as a flat | ||
| # list of #define directives, same as it reads autotools' options.h. | ||
| COMMAND ${CMAKE_C_COMPILER} -dM -E |
There was a problem hiding this comment.
🔴 [High] CMake sbom target uses shell redirection > which does not work in add_custom_target COMMAND (VERBATIM)
The options-fingerprint step runs ${CMAKE_C_COMPILER} -dM -E ${WOLFMQTT_OUTPUT_BASE}/wolfmqtt/options.h > ${SBOM_DEFINES} inside an add_custom_target(... VERBATIM). add_custom_target/add_custom_command do NOT run their COMMAND through a shell, and with VERBATIM every…
Fix: Replace the > ${SBOM_DEFINES} redirection with -o ${SBOM_DEFINES} (gcc/clang support -o with -E), or wrap the compiler invocation in a cmake -P…
| --outfile ${CMAKE_BINARY_DIR}/${SBOM_SPDX_TV} | ||
|
|
||
| # Remove transient artifacts; keep only the three SBOM files. | ||
| COMMAND ${CMAKE_COMMAND} -E rm -rf ${SBOM_STAGING} |
There was a problem hiding this comment.
🟠 [Medium] CMake sbom target uses cmake -E rm which requires CMake 3.17 but project minimum is 3.16
The cleanup steps use ${CMAKE_COMMAND} -E rm -rf ${SBOM_STAGING} and ${CMAKE_COMMAND} -E rm -f ${SBOM_DEFINES}. The cmake -E rm subcommand was introduced in CMake 3.17, but this file declares cmake_minimum_required(VERSION 3.16) (line 22). On a stock CMake 3.16.x the…
Fix: Either use the 3.16-compatible -E remove_directory / -E remove, or raise the SBOM section's requirement to CMake 3.17+ explicitly.
| --supplier "wolfSSL Inc." | ||
| --license-file ${CMAKE_CURRENT_SOURCE_DIR}/LICENSE | ||
| --options-h ${SBOM_DEFINES} | ||
| --lib ${SBOM_STAGING}/usr/local/lib/libwolfmqtt.so |
There was a problem hiding this comment.
🟠 [Medium] CMake sbom target hardcodes libwolfmqtt.so, breaking static / macOS / Windows builds
The gen-sbom invocation passes --lib ${SBOM_STAGING}/usr/local/lib/libwolfmqtt.so with a hardcoded .so name. If the build is configured with -DBUILD_SHARED_LIBS=OFF (option is exposed at line 38), the installed artifact is libwolfmqtt.a and this path does not exist, so…
Fix: Resolve the artifact name from the actual target/platform instead of hardcoding .so, matching the multi-extension behavior of the autotools recipe.
|
|
||
| ```bash | ||
| # Installed wolfSSL | ||
| ./configure --with-wolfssl=/path/to/wolfssl/install |
There was a problem hiding this comment.
🟠 [Medium] New Linux build doc recommends non-existent autotools flags --with-wolfssl / --with-wolfssl-tree
The 'TLS configuration' section tells users to run ./configure --with-wolfssl=/path/to/wolfssl/install and ./configure --with-wolfssl-tree=/path/to/wolfssl. wolfMQTT's configure.ac only defines --with-libwolfssl-prefix (configure.ac:84-85); there is no --with-wolfssl or…
Fix: Correct the autotools example to --with-libwolfssl-prefix=PATH (there is no source-tree autotools flag), keeping -DWITH_WOLFSSL / -DWITH_WOLFSSL_TREE…
| ## About wolfMQTT | ||
|
|
||
| ## Overview | ||
| wolfMQTT is a lightweight MQTT client library for embedded systems, written in portable ANSI C. It supports MQTT v3.1.1, v5.0, and MQTT-SN for sensor networks over constrained transports. It includes a lightweight embedded broker. Optional TLS is provided via wolfSSL. wolfMQTT is dual-licensed under GPLv2 and a commercial license. |
There was a problem hiding this comment.
🟠 [Medium] AGENTS.md states GPLv2, contradicting the GPLv3-or-later licensing used everywhere else (including this PR)
The rewritten AGENTS.md 'About' section says 'wolfMQTT is dual-licensed under GPLv2 and a commercial license.' The actual license is GPLv3-or-later: wolfmqtt/version.h and every source header say 'either version 3 of the License, or (at your option) any later version', and this…
Fix: Change 'GPLv2' to 'GPLv3 (or later)' to match version.h, the source headers, and the SBOM license override.
| echo "::notice::gen-sbom on this ref has no --dep-wolfssl; the wolfssl dependency + name-derived identity assertions will be skipped." | ||
| fi | ||
|
|
||
| - name: Configure and build wolfmqtt |
There was a problem hiding this comment.
🟠 [Medium] New CMake sbom target has no CI coverage
The new sbom.yml workflow exercises only the autotools make sbom path. The equally new CMake sbom custom target (CMakeLists.txt:507-543) is never configured or built in CI. Had it been, the redirection bug and the cmake -E rm 3.17 issue above would have been caught before…
Fix: Add a CMake SBOM job to the workflow so the CMake target is actually built and validated.
| # Staging dir for `cmake --install` so gen-sbom hashes the as-installed | ||
| # libwolfmqtt.so without polluting the system or requiring root. | ||
| set(SBOM_STAGING "${CMAKE_BINARY_DIR}/_sbom_staging") | ||
| # Pre-processed macro dump fed to gen-sbom via --options-h. `cc -dM -E` on the |
There was a problem hiding this comment.
🔵 [Low] CMake and autotools feed different inputs to gen-sbom --options-h, undercutting the 'byte-comparable SBOM' claim
The CMake target passes --options-h ${SBOM_DEFINES}, where SBOM_DEFINES is the output of cc -dM -E options.h — i.e. the full macro set including all compiler-builtin defines (__GNUC__, __SIZEOF_*, etc.) plus the options.h contents. The autotools build for wolfMQTT…
Fix: Confirm what gen-sbom does with --options-h; if it does not filter, feed the same raw options.h both build systems use, or soften the 'byte-comparable' claim…
| on: | ||
| push: | ||
| branches: [ 'master', 'main', 'release/**' ] | ||
| pull_request: |
There was a problem hiding this comment.
🔵 [Low] pull_request branches filter '*' misses slash-containing base branches
The push trigger targets [ 'master', 'main', 'release/**' ], but the pull_request trigger uses branches: [ '*' ]. The single-asterisk glob matches only base branch names without a /, so PRs targeting a release/** base branch would not trigger this workflow, inconsistent…
Fix: Use '**' to also match slash-containing base branches, matching the push trigger's intent.
embhorn
left a comment
There was a problem hiding this comment.
Hi @MarkAtwood
Very cool! I was able to generate the SBOM files.
Please review the skoll comments and then it should be ready.
## Document Information
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: wolfmqtt-2.0.0
DocumentNamespace: urn:uuid:d3437452-0edc-5202-a2e4-3089e486b663
## Creation Information
Creator: Organization: wolfSSL Inc.
Creator: Tool: wolfssl-sbom-gen-1.2
Created: 2026-07-10T10:15:17Z
## Package Information
PackageName: wolfmqtt
SPDXID: SPDXRef-Package-wolfmqtt
PackageVersion: 2.0.0
PackageSupplier: Organization: wolfSSL Inc.
PackageDownloadLocation: https://github.com/wolfSSL/wolfmqtt
FilesAnalyzed: false
PackageChecksum: SHA256: d6a8b093aba36f2e1abb6c2ed429df9ed113e4dea493ac21764ccfb99ad9d4ef
PackageLicenseConcluded: GPL-3.0-or-later
PackageLicenseDeclared: GPL-3.0-or-later
PackageCopyrightText: Copyright (C) 2006-2026 wolfSSL Inc.
PackageComment: Build configuration defines: ENABLE_MQTT_TLS, SIZEOF_LONG, WOLFMQTT_BROKER, WOLFMQTT_DISCONNECT_CB, WOLFMQTT_MAX_QOS, WOLFMQTT_PROPERTY_CB, WOLFMQTT_V5
ExternalRef: SECURITY cpe23Type cpe:2.3:a:wolfssl:wolfmqtt:2.0.0:*:*:*:*:*:*:*
ExternalRef: PACKAGE-MANAGER purl pkg:github/wolfSSL/wolfmqtt@v2.0.0
ExternalRef: SECURITY advisory https://github.com/wolfSSL/wolfmqtt/security/advisories
## Package Information
PackageName: wolfssl
SPDXID: SPDXRef-Package-wolfssl
PackageVersion: 5.9.2
PackageSupplier: Organization: wolfSSL Inc.
PackageDownloadLocation: https://github.com/wolfSSL/wolfssl
FilesAnalyzed: false
PackageLicenseConcluded: GPL-3.0-only
PackageLicenseDeclared: GPL-3.0-only
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:github/wolfSSL/wolfssl@v5.9.2
## Relationships
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-wolfmqtt
Relationship: SPDXRef-Package-wolfmqtt DEPENDS_ON SPDXRef-Package-wolfssl
## Annotations
Annotator: Tool: wolfssl-sbom-gen-1.2
AnnotationDate: 2026-07-10T10:15:17Z
AnnotationType: OTHER
SPDXREF: SPDXRef-Package-wolfmqtt
AnnotationComment: wolfssl:sbom:hash-kind=library-binary
Annotator: Tool: wolfssl-sbom-gen-1.2
AnnotationDate: 2026-07-10T10:15:17Z
AnnotationType: OTHER
SPDXREF: SPDXRef-Package-wolfmqtt
AnnotationComment: wolfssl:sbom:hash-source=lib
Summary
Adds
make sbom,make install-sbom, andmake uninstall-sbomtargets to the autotools build..sofor hashingcc -dM -Efor the options snapshotgen-sbom(from wolfsslscripts/gen-sbom) to produce CycloneDX and SPDX outputspyspdxtoolsUsage
```sh
./configure --with-wolfssl=/path/to/wolfssl/install
make
make sbom WOLFSSL_DIR=/path/to/wolfssl/source
```
Outputs:
wolfmqtt-<version>.cdx.json,wolfmqtt-<version>.spdx.json,wolfmqtt-<version>.spdxRequirements
WOLFSSL_DIRmust point to a wolfssl source tree containingscripts/gen-sbom(available on thefeat/sbom-embeddedbranch of wolfssl)python3andpip install spdx-toolson the build hostTest plan
./configure --with-wolfssl=... && make && make sbom WOLFSSL_DIR=...pyspdxtools --infile wolfmqtt-*.spdx.jsonpasses validationCMake support
The same SBOM workflow is available for cmake builds via a
sbomcustom target.cmake -B build -DWOLFSSL_DIR=/path/to/wolfssl/source . cmake --build build cmake --build build --target sbomThe cmake target mirrors the autotools one:
wolfmqtt/version.h(notproject(VERSION)) so both build systems emit the same version.cmake --installto hash the installedlibwolfmqtt.so.cc -dM -Eon the generatedoptions.h.pyspdxtools.WOLFSSL_DIR,python3, andpyspdxtoolsare checked at configure time (fatal error if missing) so problems surface before building.Outputs (in the build directory):
wolfmqtt-<version>.cdx.json,wolfmqtt-<version>.spdx.json,wolfmqtt-<version>.spdx