diff --git a/Makefile.am b/Makefile.am
index 3d59dc1..94abf72 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -47,3 +47,51 @@ AM_DISTCHECK_CONFIGURE_FLAGS=CPPFLAGS="-I@abs_top_srcdir@/include" --with-openss EXTRA_DIST += README.md \ engine.conf \ ChangeLog.md + +# --------------------------------------------------------------------------- +# SBOM generation (CycloneDX + SPDX) via wolfssl's scripts/gen-sbom +# --------------------------------------------------------------------------- +# Requires WOLFSSL_DIR to point at a wolfssl checkout (for scripts/gen-sbom). +# wolfEngine has no generated options.h of its own; feature flags come from the +# installed wolfssl. WOLFSSL_INCLUDEDIR defaults to $(WOLFSSL_DIR)/include but +# can be overridden if wolfssl's headers live elsewhere. +WOLFSSL_DIR ?= +WOLFSSL_INCLUDEDIR ?= $(WOLFSSL_DIR)/include +PRODUCT = wolfengine +VERSION = $(shell grep -m1 'AC_INIT' $(srcdir)/configure.ac | sed "s/.*\[//;s/\].*//") +GEN_SBOM = $(WOLFSSL_DIR)/scripts/gen-sbom + +SBOM_OUT_DIR = $(builddir) +SBOM_CDX = $(SBOM_OUT_DIR)/$(PRODUCT)-$(VERSION).cdx.json +SBOM_SPDX_J = $(SBOM_OUT_DIR)/$(PRODUCT)-$(VERSION).spdx.json +SBOM_SPDX_TV = $(SBOM_OUT_DIR)/$(PRODUCT)-$(VERSION).spdx + +.PHONY: sbom install-sbom uninstall-sbom + +sbom: all + @if test -z "$(WOLFSSL_DIR)"; then \ + echo "ERROR: WOLFSSL_DIR not set. Usage: make sbom WOLFSSL_DIR=/path/to/wolfssl"; \ + exit 1; \ + fi + @if test -z "$(PYTHON3)"; then \ + echo "ERROR: python3 not found in PATH."; exit 1; fi + $(MAKE) install DESTDIR=$(abs_builddir)/_sbom_stage + $(PYTHON3) $(GEN_SBOM) \ + --name $(PRODUCT) \ + --version $(VERSION) \ + --supplier "wolfSSL Inc." 
\ + --options-h $(WOLFSSL_INCLUDEDIR)/wolfssl/options.h \ + --lib `find $(abs_builddir)/_sbom_stage$(libdir) -name 'libwolfengine.so.*.*.*' | head -1` + rm -rf $(abs_builddir)/_sbom_stage + +install-sbom: sbom + $(MKDIR_P) $(DESTDIR)$(datadir)/doc/$(PRODUCT) + $(INSTALL_DATA) $(SBOM_CDX) $(SBOM_SPDX_J) $(SBOM_SPDX_TV) \ + $(DESTDIR)$(datadir)/doc/$(PRODUCT)/ + +uninstall-sbom: + -rm -f $(DESTDIR)$(datadir)/doc/$(PRODUCT)/$(PRODUCT)-*.cdx.json + -rm -f $(DESTDIR)$(datadir)/doc/$(PRODUCT)/$(PRODUCT)-*.spdx.json + -rm -f $(DESTDIR)$(datadir)/doc/$(PRODUCT)/$(PRODUCT)-*.spdx + +uninstall-hook: uninstall-sbom diff --git a/README.md b/README.md index 3265a56..f45c65f 100644 --- a/README.md +++ b/README.md @@ -189,6 +189,34 @@ Visual Studio. Example programs using wolfEngine can be found in the `examples/` subdirectory. +## SBOM / EU CRA Compliance + +wolfEngine generates a Software Bill of Materials (SBOM) in CycloneDX 1.6 and +SPDX 2.3 formats to support compliance with the EU Cyber Resilience Act (CRA). + +```sh +make sbom WOLFSSL_DIR=/path/to/wolfssl +``` + +Requires `python3` and `pyspdxtools` (`pip install spdx-tools`). `WOLFSSL_DIR` +must point to a wolfssl source tree containing `scripts/gen-sbom` (branch +`feat/sbom-embedded`, or `master` once wolfSSL/wolfssl#10343 merges). + +Output files in the build directory: + +| File | Format | +|------|--------| +| `wolfengine-1.4.0.cdx.json` | CycloneDX 1.6 | +| `wolfengine-1.4.0.spdx.json` | SPDX 2.3 JSON | +| `wolfengine-1.4.0.spdx` | SPDX 2.3 tag-value | + +```sh +make install-sbom # installs to $(datadir)/doc/wolfengine/ +make uninstall-sbom +``` + +For further CRA guidance see [wolfssl/doc/CRA.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/CRA.md). + ## Need Help? Please reach out to support@wolfssl.com for technical support. If you're diff --git a/configure.ac b/configure.ac index 7fe83a6..baaa242 100644 --- a/configure.ac +++ b/configure.ac 
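Review bot: The `--lib` argument in the `sbom` recipe is the unchecked output of `find ... | head -1`, so if the staged library is not where the glob expects (different shared-library suffix, `libdir` not under the stage, install failing partway) gen-sbom is handed an empty path and the SBOM — the artefact meant to attest what was shipped — is either not produced or produced without the real component hash, with no error from make. The same applies to `--options-h`: the header comment says feature flags "come from the installed wolfssl", but `WOLFSSL_INCLUDEDIR` defaults to `$(WOLFSSL_DIR)/include`, i.e. the checkout supplying `gen-sbom`, which need not be the wolfssl this build was configured and linked against — worth at least a `test -f` and a comment telling the user to point it at the headers configure actually used. I would capture the library path in a shell variable (`$$lib` in Makefile.am), fail loudly when it is empty, and quote it. Separately, Automake already provides `VERSION` from `AC_INIT`, so the `grep`/`sed` redefinition is redundant, and `?=`/`$(shell ...)` make this a GNU-make-only Makefile.am (automake will warn unless `-Wno-portability` is set) — fine if that is the project's stated baseline, otherwise use `@VERSION@` and plain `=`.

```make
sbom: all
	# … unchanged: WOLFSSL_DIR / PYTHON3 checks …
	$(MAKE) install DESTDIR=$(abs_builddir)/_sbom_stage
	@test -f "$(WOLFSSL_INCLUDEDIR)/wolfssl/options.h" || { \
	  echo "ERROR: $(WOLFSSL_INCLUDEDIR)/wolfssl/options.h not found; set WOLFSSL_INCLUDEDIR to the wolfssl headers this build was configured against"; \
	  exit 1; }
	lib=`find $(abs_builddir)/_sbom_stage$(libdir) -name 'libwolfengine.so.*.*.*' | head -n 1`; \
	test -n "$$lib" || { echo "ERROR: staged libwolfengine.so not found under $(abs_builddir)/_sbom_stage$(libdir)"; exit 1; }; \
	$(PYTHON3) $(GEN_SBOM) \
	  --name $(PRODUCT) \
	  --version $(VERSION) \
	  --supplier "wolfSSL Inc." \
	  --options-h "$(WOLFSSL_INCLUDEDIR)/wolfssl/options.h" \
	  --lib "$$lib"
	rm -rf $(abs_builddir)/_sbom_stage
```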
@@ -721,6 +721,10 @@ AC_SUBST([AM_CPPFLAGS]) AC_SUBST([AM_CFLAGS]) AC_SUBST([AM_LDFLAGS]) +# SBOM generation tools +AC_CHECK_PROG([PYTHON3], [python3], [python3]) +AC_CHECK_PROG([PYSPDXTOOLS], [pyspdxtools], [pyspdxtools]) + AC_CONFIG_FILES([Makefile rpm/spec]) AC_OUTPUT
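Review bot: `PYSPDXTOOLS` is probed here but nothing in the accompanying Makefile.am reads it — only `$(PYTHON3)` is checked before running gen-sbom — so a missing `pyspdxtools` is discovered only when gen-sbom fails mid-run rather than at configure time or in the `sbom` target's precondition check. Either drop the probe or mirror the `PYTHON3` guard in the `sbom` recipe, e.g. `@if test -z "$(PYSPDXTOOLS)"; then echo "ERROR: pyspdxtools not found (pip install spdx-tools)."; exit 1; fi`. Both checks are deliberately non-fatal at configure time, which is reasonable for an optional target, but add `AC_ARG_VAR([PYTHON3], [python3 interpreter used for SBOM generation])` (and likewise for `PYSPDXTOOLS`) so the variables appear in `./configure --help`, are cached, and a user can pin a specific interpreter instead of taking whatever `python3` is first in `PATH`.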