From 21b855842e93b4f13c6ebf6f63e89b219d8a1bae Mon Sep 17 00:00:00 2001
From: Mark Atwood
Date: Mon, 22 Jun 2026 18:39:12 -0700
Subject: [PATCH 1/2] feat: add make sbom target

Adds sbom, install-sbom, and uninstall-sbom targets. Runs gen-sbom to produce CDX and SPDX outputs. Requires WOLFSSL_DIR pointing to a wolfssl tree with the feat/sbom-embedded branch (includes gen-sbom).

---
 Makefile.am | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 configure.ac | 22 +++++++++++++++-
 2 files changed, 92 insertions(+), 1 deletion(-)

diff --git a/Makefile.am b/Makefile.am
index d5db195d5..aadfedb66 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -79,3 +79,74 @@ merge-clean:
 @find ./ | $(GREP) \.OTHER | xargs rm -f
 @find ./ | $(GREP) \.BASE | xargs rm -f
 @find ./ | $(GREP) \~$$ | xargs rm -f
+
+# SBOM generation (CRA compliance)
+SBOM_CDX = wolfssh-$(PACKAGE_VERSION).cdx.json
+SBOM_SPDX = wolfssh-$(PACKAGE_VERSION).spdx.json
+SBOM_SPDX_TV = wolfssh-$(PACKAGE_VERSION).spdx
+sbomdir = $(datadir)/doc/$(PACKAGE)
+
+.PHONY: sbom install-sbom uninstall-sbom
+
+sbom:
+ @if test -z "$(PYTHON3)"; then \
+ echo ""; \
+ echo "ERROR: 'python3' not found in PATH. Cannot generate SBOM."; \
+ echo ""; \
+ exit 1; \
+ fi
+ @if test -z "$(PYSPDXTOOLS)"; then \
+ echo ""; \
+ echo "ERROR: 'pyspdxtools' not found in PATH. Cannot validate SBOM."; \
+ echo " Install: pip install spdx-tools"; \
+ echo ""; \
+ exit 1; \
+ fi
+ @if test -z "$(WOLFSSL_DIR)"; then \
+ echo ""; \
+ echo "ERROR: WOLFSSL_DIR is not set. Cannot locate gen-sbom."; \
+ echo " Re-run: make sbom WOLFSSL_DIR=/path/to/wolfssl"; \
+ echo ""; \
+ exit 1; \
+ fi
+ @if test ! -f "$(WOLFSSL_DIR)/scripts/gen-sbom"; then \
+ echo ""; \
+ echo "ERROR: $(WOLFSSL_DIR)/scripts/gen-sbom not found."; \
+ echo " Use a wolfSSL tree that includes SBOM support."; \
+ echo ""; \
+ exit 1; \
+ fi
+ rm -rf $(abs_builddir)/_sbom_staging $(abs_builddir)/_sbom_defines.h
+ $(MAKE) install DESTDIR=$(abs_builddir)/_sbom_staging
+ $(CC) -dM -E -I$(srcdir) $(CPPFLAGS) -x c /dev/null \
+ > $(abs_builddir)/_sbom_defines.h
+ @set -e; \
+ _so=$$(ls $(abs_builddir)/_sbom_staging$(libdir)/libwolfssh.so.[0-9]*.[0-9]*.[0-9]* 2>/dev/null | head -1); \
+ test -n "$$_so" || { echo "ERROR: libwolfssh.so not found in staging dir" >&2; exit 1; }; \
+ $(PYTHON3) $(WOLFSSL_DIR)/scripts/gen-sbom \
+ --name wolfssh \
+ --version $(PACKAGE_VERSION) \
+ --supplier "wolfSSL Inc." \
+ --license-file $(srcdir)/LICENSING \
+ --options-h $(abs_builddir)/_sbom_defines.h \
+ --lib "$$_so" \
+ $(if $(SBOM_LICENSE_OVERRIDE),--license-override $(SBOM_LICENSE_OVERRIDE)) \
+ $(if $(SBOM_LICENSE_TEXT),--license-text $(SBOM_LICENSE_TEXT)) \
+ --cdx-out $(abs_builddir)/$(SBOM_CDX) \
+ --spdx-out $(abs_builddir)/$(SBOM_SPDX)
+ rm -rf $(abs_builddir)/_sbom_staging $(abs_builddir)/_sbom_defines.h
+ $(PYSPDXTOOLS) --infile $(abs_builddir)/$(SBOM_SPDX) \
+ --outfile $(abs_builddir)/$(SBOM_SPDX_TV)
+
+install-sbom: sbom
+ $(MKDIR_P) $(DESTDIR)$(sbomdir)
+ $(INSTALL_DATA) $(SBOM_CDX) $(DESTDIR)$(sbomdir)/
+ $(INSTALL_DATA) $(SBOM_SPDX) $(DESTDIR)$(sbomdir)/
+ $(INSTALL_DATA) $(SBOM_SPDX_TV) $(DESTDIR)$(sbomdir)/
+
+uninstall-sbom:
+ -rm -f $(DESTDIR)$(sbomdir)/$(SBOM_CDX)
+ -rm -f $(DESTDIR)$(sbomdir)/$(SBOM_SPDX)
+ -rm -f $(DESTDIR)$(sbomdir)/$(SBOM_SPDX_TV)
+
+CLEANFILES = $(SBOM_CDX) $(SBOM_SPDX) $(SBOM_SPDX_TV)
diff --git a/configure.ac b/configure.ac
index 4aab10756..8810aac3f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -18,7 +18,21 @@ AC_ARG_PROGRAM
 AC_CONFIG_MACRO_DIR([m4])
 AC_CONFIG_HEADERS([config.h])
 
-WOLFSSH_LIBRARY_VERSION=20:0:2
+# The three numbers in the libwolfssh.so.*.*.* file name.
+
+# increment if interfaces have been removed or changed
+WOLFSSH_LIBRARY_VERSION_FIRST=20
+
+# increment if interfaces have been added
+# set to zero if WOLFSSH_LIBRARY_VERSION_FIRST is incremented
+WOLFSSH_LIBRARY_VERSION_SECOND=0
+
+# increment if source code has changed
+# set to zero if WOLFSSH_LIBRARY_VERSION_FIRST is incremented or
+# WOLFSSH_LIBRARY_VERSION_SECOND is incremented
+WOLFSSH_LIBRARY_VERSION_THIRD=2
+
+WOLFSSH_LIBRARY_VERSION=${WOLFSSH_LIBRARY_VERSION_FIRST}:${WOLFSSH_LIBRARY_VERSION_SECOND}:${WOLFSSH_LIBRARY_VERSION_THIRD}
 # | | |
 # +-----+ | +----+
 # | | |
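Review bot: The macro dump `$(CC) -dM -E -I$(srcdir) $(CPPFLAGS) -x c /dev/null` that feeds `--options-h` captures only the compiler's predefined macros plus whatever `-D` happens to be in CPPFLAGS, whereas automake compiles the library with `$(DEFS) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)`; the configure.ac hunk in this patch AC_SUBSTs AM_CPPFLAGS and AM_CFLAGS, so any feature defines configure places there (and everything in config.h, which a preprocess of /dev/null never includes) will be absent from `_sbom_defines.h`, and the SBOM will under-report the configuration it is supposed to attest. Changing the line to `$(CC) -dM -E -I$(srcdir) $(DEFS) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -x c /dev/null \` makes the dump match the flags the objects were actually built with; whether gen-sbom also expects config.h's contents is not visible here. Separately, `CLEANFILES = ...` at the end of the file replaces any CLEANFILES assignment made earlier in Makefile.am (outside this hunk); `CLEANFILES += $(SBOM_CDX) $(SBOM_SPDX) $(SBOM_SPDX_TV)` is the safe form.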
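Review bot: The new header comment `# The three numbers in the libwolfssh.so.*.*.* file name.` does not describe this value: WOLFSSH_LIBRARY_VERSION is libtool's current:revision:age triple, and on ELF platforms libtool derives the file name as libwolfssh.so.<current-age>.<age>.<revision>, so 20:0:2 yields libwolfssh.so.18.2.0 rather than .so.20.0.2. The per-field comments are also inconsistent with that scheme and with the retained diagram below (its labels fall outside this hunk) and the context in the next hunk, `+- increment if interfaces have been added, removed or changed`: the second field (revision) is documented with the age rule "increment if interfaces have been added", the third (age) with the revision rule "increment if source code has changed", and the FIRST comment drops "added". Because the next hunk exports FIRST/SECOND/THIRD with AC_SUBST, any consumer that assembles a file name from FIRST.SECOND.THIRD would be wrong. Suggest replacing the header with `# libtool -version-info current:revision:age; the installed ELF name is libwolfssh.so.<current-age>.<age>.<revision>` and rewording the three per-field comments to follow the diagram's rules.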
@@ -32,6 +46,9 @@ WOLFSSH_LIBRARY_VERSION=20:0:2
 # +- increment if interfaces have been added, removed
 # or changed
 AC_SUBST([WOLFSSH_LIBRARY_VERSION])
+AC_SUBST([WOLFSSH_LIBRARY_VERSION_FIRST])
+AC_SUBST([WOLFSSH_LIBRARY_VERSION_SECOND])
+AC_SUBST([WOLFSSH_LIBRARY_VERSION_THIRD])
 LT_PREREQ([2.4.3])
 LT_INIT([disable-static win32-dll])
@@ -309,6 +326,9 @@ AC_SUBST([AM_CPPFLAGS])
 AC_SUBST([AM_CFLAGS])
 AC_SUBST([AM_LDFLAGS])
 
+AC_PATH_PROG([PYTHON3], [python3])
+AC_PATH_PROG([PYSPDXTOOLS], [pyspdxtools])
+
 # FINAL
 AC_CONFIG_FILES([Makefile wolfssh/version.h])

From 3af6d629b857277514ccddf7eb2a4d5b38471b40 Mon Sep 17 00:00:00 2001
From: Mark Atwood
Date: Tue, 23 Jun 2026 17:42:01 -0700
Subject: [PATCH 2/2] docs: add SBOM/EU CRA Compliance section to README and build docs

---
 README.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/README.md b/README.md
index 554f1298f..972dffb84 100644
--- a/README.md
+++ b/README.md
@@ -627,3 +627,25 @@ WOLFSSH APPLICATIONS
 wolfSSH comes with a server daemon and a command line shell tool. Check out the apps directory for more information.
 
+
+## SBOM / EU CRA Compliance
+
+wolfSSH generates a Software Bill of Materials (SBOM) in CycloneDX 1.6 and
+SPDX 2.3 formats to support compliance with the EU Cyber Resilience Act (CRA).
+
+```sh
+make sbom WOLFSSL_DIR=/path/to/wolfssl
+```
+
+Requires `python3` and `pyspdxtools` (`pip install spdx-tools`). `WOLFSSL_DIR`
+must point to a wolfssl source tree containing `scripts/gen-sbom` (branch
+`feat/sbom-embedded`, or `master` once wolfSSL/wolfssl#10343 merges).
+
+Output: `wolfssh-.cdx.json`, `wolfssh-.spdx.json`, `wolfssh-.spdx`
+
+```sh
+make install-sbom # installs to $(datadir)/doc/wolfssh/
+make uninstall-sbom
+```
+
+For further CRA guidance see [wolfssl/doc/CRA.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/CRA.md).
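Review bot: `AC_PATH_PROG([PYTHON3], [python3])` and `AC_PATH_PROG([PYSPDXTOOLS], [pyspdxtools])` in the -309 hunk fix both paths at configure time, but the sbom recipe in Makefile.am reports them as "not found in PATH"; a user who installs spdx-tools after configuring keeps getting that message until configure is re-run, and nothing documents how to point the build at a specific interpreter or a venv copy of pyspdxtools. Adding `AC_ARG_VAR([PYTHON3], [python3 interpreter used by 'make sbom'])` and `AC_ARG_VAR([PYSPDXTOOLS], [pyspdxtools used to validate the generated SBOM])` ahead of the two AC_PATH_PROG calls makes the values settable on the configure line, lists them in `configure --help`, and preserves them across `config.status --recheck`; AC_PATH_PROG honours a preset value. The recipe's error text could then say the tool was not found at configure time and name the variable to pass, so the stated remedy is accurate.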