feat(cra-kit): add cmake mode and embedded srcs-file/no-hash options#577
Open
MarkAtwood wants to merge 27 commits into
Conversation
Self-contained cra-kit/ with glossary, fictional auditor packet, autotools/embedded SBOM scripts, and CI validation. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Fail early when the wolfSSL tree version differs from the kit's pinned VERSION instead of a cryptic cp error, trap-clean the embedded temp defines file on all exit paths, add sh -n + shellcheck CI coverage for the scripts, and use the standard file:./ relative form in the product SBOM external references. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Quote "$@" in gen-sbom --srcs (drop SC2068 disables), pass JSON paths to python via env var in validate.sh to prevent filename injection, and fail non-zero instead of warning when SBOM post-processing breaks. Rename the user_settings.h guard to CRA_KIT_USER_SETTINGS_H, clarify the serialNumber regex accepts v4 (product) and v5 (component) UUIDs, untrack the gitignored embedded sample SBOMs, document the SHA-512 CBOM omission, and note sample timestamp differences in SAMPLE-PROVENANCE.md. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Plumb CRA_LICENSE_TEXT through generate-wolfssl-sbom.sh (gen-sbom/make sbom hard-fail on a LicenseRef-* override without it); scope the commercial relicense to the wolfssl package only; correct the stale pkg:generic PURL claim; validate the embedded output dir; regenerate pinned samples against gen-sbom 1.1 and re-pin product checksums. Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>
Add CRA_SBOM_MODE=cmake with WOLFSSL_BUILD_DIR for out-of-source builds. Add CRA_SBOM_SRCS_FILE and CRA_SBOM_NO_HASH for embedded path. Update auto-detection order: cmake (WOLFSSL_BUILD_DIR) > autotools > embedded.
Author
Waiting on #574 and wolfSSL/wolfssl#10753 to merge before this is ready to land. Review welcome in the meantime.
Contributor
Pull request overview
Adds a new wolfSSL CRA Kit (cra-kit/) with documentation, sample “auditor packet” SBOM artifacts, and helper scripts to generate/refresh/validate wolfSSL component SBOMs across autotools, cmake, and embedded workflows.
Changes:
- Introduces the CRA Kit docs, worked examples (product + component SBOMs), and manufacturer-side CRA filing templates.
- Adds SBOM generation/refresh/validation scripts, including cmake mode and embedded options (srcs-file + no-hash).
- Adds a GitHub Actions workflow to validate the CRA Kit auditor packet and shellcheck the scripts.
Reviewed changes
Copilot reviewed 41 out of 41 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| README.md | Adds top-level mention/entry point for the CRA Kit. |
| cra-kit/wolfssl-inc-auditor-packet/vulnerability-handling-process.md | Documents manufacturer-side vulnerability handling process. |
| cra-kit/wolfssl-inc-auditor-packet/technical-documentation-outline.md | Adds Annex VII technical documentation outline template. |
| cra-kit/wolfssl-inc-auditor-packet/support-period-policy.md | Adds support-period policy statement template. |
| cra-kit/wolfssl-inc-auditor-packet/README.md | Introduces manufacturer-side packet scope and status conventions. |
| cra-kit/wolfssl-inc-auditor-packet/eu-authorised-representative.md | Adds EU AR placeholder and guidance template. |
| cra-kit/wolfssl-inc-auditor-packet/declaration-of-conformity.template.md | Adds declaration of conformity template. |
| cra-kit/wolfssl-inc-auditor-packet/conformity-assessment-route.md | Documents conformity assessment route template. |
| cra-kit/wolfssl-inc-auditor-packet/classification-statement.md | Adds Annex III/IV classification statement template. |
| cra-kit/wolfssl-inc-auditor-packet/ce-marking-statement.md | Adds CE marking statement template. |
| cra-kit/wolfssl-inc-auditor-packet/00-INDEX.md | Index/mapping for manufacturer-side filings. |
| cra-kit/VERSION | Pins wolfSSL version used by samples/scripts. |
| cra-kit/user_settings.h | Provides demo embedded user_settings.h for SBOM generation. |
| cra-kit/SKILL.md | Adds an AI/agent execution playbook for the kit. |
| cra-kit/scripts/validate.sh | Adds validator for sample packet JSON + checksum/hash consistency (optional schema checks). |
| cra-kit/scripts/refresh-samples.sh | Adds sample regeneration + product checksum/hash pinning flow. |
| cra-kit/scripts/make-commercial-sample.sh | Adds derivation of commercial-license override samples from pinned GPL samples. |
| cra-kit/scripts/generate-wolfssl-sbom.sh | Adds main SBOM generator with autotools/cmake/embedded modes + watermarking. |
| cra-kit/scripts/generate-embedded-sbom.sh | Convenience wrapper to force embedded outputs into embedded sample dir. |
| cra-kit/ROADMAP.md | Adds “today vs roadmap” status for supply-chain artifacts. |
| cra-kit/README.md | Adds full CRA Kit documentation and usage guide. |
| cra-kit/presentations/SLIDE-OUTLINE.md | Adds presentation outline aligned with kit deliverables. |
| cra-kit/CRA-Supply-Chain-Glossary.md | Adds CRA + supply-chain glossary/cheat sheet for customers. |
| cra-kit/CRA-Compliance-Shortlist.md | Adds product-level CRA pillar shortlist and structural obligations section. |
| cra-kit/CRA-Cheat-Sheet.md | Adds “who provides what” cheat sheet + integration quick reference. |
| cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.spdx.json | Adds pinned wolfSSL component SPDX JSON sample. |
| cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.spdx | Adds pinned wolfSSL component SPDX tag-value sample. |
| cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.commercial.spdx.json | Adds commercial-license override SPDX JSON sample. |
| cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.commercial.cdx.json | Adds commercial-license override CycloneDX JSON sample. |
| cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.cdx.json | Adds pinned wolfSSL component CycloneDX JSON sample. |
| cra-kit/auditor-packet/wolfssl-component/wolfssl-5.9.1.cbom-draft.cdx.json | Adds draft CBOM-like CycloneDX cryptographic-asset sample. |
| cra-kit/auditor-packet/wolfssl-component/SAMPLE-PROVENANCE.md | Documents how pinned samples were produced. |
| cra-kit/auditor-packet/wolfssl-component/README-bomsh.md | Documents optional bomsh/OmniBOR inclusion guidance. |
| cra-kit/auditor-packet/wolfssl-component/omnibor.wolfssl-5.9.1.spdx.json.sample | Adds truncated sample of bomsh provenance output shape. |
| cra-kit/auditor-packet/wolfssl-component-embedded/README.md | Documents embedded SBOM scratch output generation. |
| cra-kit/auditor-packet/wolfssl-component-embedded/.gitignore | Gitignores embedded SBOM outputs. |
| cra-kit/auditor-packet/README.md | Introduces the sample auditor packet directory. |
| cra-kit/auditor-packet/product-acme-connect-gateway.spdx.json | Adds product SPDX sample referencing wolfSSL component SPDX. |
| cra-kit/auditor-packet/product-acme-connect-gateway.cdx.json | Adds product CycloneDX sample referencing wolfSSL component CDX. |
| cra-kit/auditor-packet/00-INDEX.md | Index for sample auditor packet contents and regeneration guidance. |
| .github/workflows/cra-kit.yml | Adds CI to run kit validation and shellcheck scripts on CRA Kit changes. |
Comment on lines +202 to +210

```sh
# Optional caller-supplied source list file (combined with or replacing the demo list).
_srcs_file_args=""
if [ -n "${CRA_SBOM_SRCS_FILE:-}" ]; then
    if [ ! -f "$CRA_SBOM_SRCS_FILE" ]; then
        echo "ERROR: CRA_SBOM_SRCS_FILE=$CRA_SBOM_SRCS_FILE not found." >&2
        exit 1
    fi
    _srcs_file_args="--srcs-file $CRA_SBOM_SRCS_FILE"
fi
```
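Review bot: `_srcs_file_args="--srcs-file $CRA_SBOM_SRCS_FILE"` packs the flag and the path into one string, so wherever that variable is expanded unquoted a `CRA_SBOM_SRCS_FILE` containing spaces or glob characters is split into the wrong argument list, and quoting it would instead pass `--srcs-file <path>` as a single bogus argument. Keep the two as separate words, for example by appending them to the positional list with `set -- "$@" --srcs-file "$CRA_SBOM_SRCS_FILE"` inside the `if`, so the path survives as one argument. Since the file is consumed later, a `[ -r "$CRA_SBOM_SRCS_FILE" ]` check next to the `-f` test would also fail here with a clear message instead of downstream.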
Comment on lines +4 to +7

```sh
set -eu

SCRIPT_DIR=$(CDPATH='' cd -- "$(dirname -- "$0")" && pwd)
KIT_DIR=$(dirname "$SCRIPT_DIR")
```
When CRA_SBOM_SRCS_ONLY_FROM_FILE=true no demo srcs are added to $@, so passing --srcs "$@" fed --cdx-out as the first --srcs argument, causing argparse to error. Capture _srcs_flag before output flags are appended; emit it only when positional srcs are present.
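The argv pitfall in the commit message above, shown as an added example (this is not cra-kit code). `gen_sbom_stub` is a hypothetical stand-in for gen-sbom's argparse that only models one rule, "every `--srcs` value must be a path, not another option"; `build_buggy` and `build_fixed` reproduce the before and after of the fix.

```shell
#!/bin/sh
# Added example, not cra-kit code. Demonstrates why "--srcs" must only be
# emitted when positional source paths are present.
# gen_sbom_stub is a hypothetical stand-in for gen-sbom's argparse.
set -eu

# Hypothetical minimal argument parser: --cdx-out takes one value, --srcs
# takes one or more values (argparse nargs='+' style). Prints a summary on
# success, returns 2 on a usage error like argparse does.
gen_sbom_stub() {
    cdx_out=""
    srcs=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --cdx-out)
                [ $# -ge 2 ] || { echo "error: --cdx-out needs a value" >&2; return 2; }
                cdx_out=$2
                shift 2 ;;
            --srcs)
                shift
                n=0
                # consume values until the next option-looking word
                while [ $# -gt 0 ]; do
                    case "$1" in --*) break ;; esac
                    n=$((n + 1))
                    shift
                done
                [ "$n" -gt 0 ] || { echo "error: --srcs expected at least one argument" >&2; return 2; }
                srcs=$((srcs + n)) ;;
            *)
                echo "error: unrecognized argument $1" >&2
                return 2 ;;
        esac
    done
    echo "srcs=$srcs cdx_out=$cdx_out"
}

# Buggy shape from the commit: --srcs is always passed, so with an empty
# positional list the next flag (--cdx-out) becomes its first "value".
build_buggy() {
    gen_sbom_stub --srcs "$@" --cdx-out out.cdx.json
}

# Fixed shape: decide on the flag while "$@" still holds only source paths,
# then append the output flags; an empty _srcs_flag expands to nothing.
build_fixed() {
    _srcs_flag=""
    if [ $# -gt 0 ]; then
        _srcs_flag="--srcs"
    fi
    # shellcheck disable=SC2086  # intentionally unquoted: empty means "no flag"
    gen_sbom_stub $_srcs_flag "$@" --cdx-out out.cdx.json
}
```

With sources present both forms behave the same; with none, `build_buggy` fails exactly as the commit describes while `build_fixed` runs with zero sources.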
cmake -L and -LA both exclude :STATIC (internal) cache entries, so CMAKE_PROJECT_VERSION:STATIC was never matched and the version mismatch check was dead code. Grep CMakeCache.txt directly instead.
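The cmake-mode checks from the commit above and from the earlier "cmake (WOLFSSL_BUILD_DIR) > autotools > embedded" auto-detection order, as an added example that is not the kit's own script. The `CMAKE_PROJECT_VERSION:STATIC=` cache line is real CMake output; the kit's pinned VERSION value, the fixture cache file and the autotools probe (a `config.status` in `WOLFSSL_DIR`) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not cra-kit code. Reads the configured project version
# straight from CMakeCache.txt (cmake -L/-LA omit :STATIC entries such as
# CMAKE_PROJECT_VERSION) and shows the mode auto-detection order.
set -eu

# Auto-detect the SBOM mode: explicit CRA_SBOM_MODE wins, then cmake when
# WOLFSSL_BUILD_DIR is set, then autotools, else embedded. The autotools
# probe (config.status in WOLFSSL_DIR) is an assumption of this example.
detect_mode() {
    if [ -n "${CRA_SBOM_MODE:-}" ]; then
        echo "$CRA_SBOM_MODE"
    elif [ -n "${WOLFSSL_BUILD_DIR:-}" ]; then
        echo cmake
    elif [ -f "${WOLFSSL_DIR:-.}/config.status" ]; then
        echo autotools
    else
        echo embedded
    fi
}

# Print the value of one cache entry regardless of its type
# (BOOL, STRING, STATIC, ...). $1 = CMakeCache.txt path, $2 = entry name.
cmake_cache_get() {
    # Cache lines look like NAME:TYPE=value; comments start with # or //.
    sed -n "s/^$2:[A-Z]*=//p" "$1" | head -n 1
}

# Return 0 and print the version when the build tree matches the pinned
# VERSION, 1 on mismatch, 2 when no cache or no version entry exists.
check_build_version() {
    build_dir=$1
    pinned=$2
    cache="$build_dir/CMakeCache.txt"
    [ -f "$cache" ] || { echo "ERROR: $cache not found (run cmake configure first)" >&2; return 2; }
    actual=$(cmake_cache_get "$cache" CMAKE_PROJECT_VERSION)
    if [ -z "$actual" ]; then
        echo "ERROR: CMAKE_PROJECT_VERSION not present in $cache" >&2
        return 2
    fi
    if [ "$actual" != "$pinned" ]; then
        echo "ERROR: build tree is wolfSSL $actual but the kit pins $pinned" >&2
        return 1
    fi
    echo "$actual"
}

# Constructed fixture: a build dir whose cache looks like a wolfSSL
# configure run with the given project version.
make_fixture() {
    dir=$(mktemp -d)
    cat > "$dir/CMakeCache.txt" <<EOF
# This is the CMakeCache file.
CMAKE_BUILD_TYPE:STRING=Release
CMAKE_PROJECT_NAME:STATIC=wolfssl
CMAKE_PROJECT_VERSION:STATIC=$1
WOLFSSL_CRYPT_TESTS:BOOL=ON
EOF
    echo "$dir"
}
```

Grepping the cache directly is also cheaper than spawning `cmake -LA`, and it works on a tree that was configured but never built.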
…-54c) Makefile (two approaches) and CMake/compile_commands.json examples are tested. Zephyr, ESP-IDF, Keil, and IAR sections are stubs written from schema knowledge — marked unverified, need toolchain owners to validate.
Tested against a live Zephyr 3.7.0 + wolfssl workspace on EC2. compile_commands.json is generated at cmake configure time and contains 89 wolfssl lib sources (wolfcrypt/src/ + src/). Removes the "not tested" warning and adds the -DZEPHYR_EXTRA_MODULES flag.
Adds _auto_extract_srcs() to generate-wolfssl-sbom.sh. When CRA_SBOM_SRCS_FILE is not set, the embedded path now tries four methods in order:
1. compile_commands.json (CMake/Zephyr/ESP-IDF) via jq — triggered when WOLFSSL_BUILD_DIR is set; detects ESP-IDF managed_components layout automatically.
2. Makefile via CRA_SBOM_MAKEFILE_DIR — tries print-wolfssl-srcs target first, falls back to make -n grep.
3. Keil .uvprojx via CRA_SBOM_KEIL_PROJECT — handles both CMSIS Pack RTE and explicit FilePath layouts.
4. IAR .ewp via CRA_SBOM_IAR_PROJECT — resolves $PROJ_DIR$, skips excluded entries.
All methods set CRA_SBOM_SRCS_ONLY_FROM_FILE=true automatically so the demo watermark is suppressed. Temp files are collected into a single global trap. SRCS-FILE-HOWTO.md gains an Automatic extraction subsection for each build system.
Makefile: add --no-print-directory to suppress make's Entering/Leaving directory banners, which leaked into the source list when the Makefile directory path contained "wolfssl". Keil CMSIS Pack: when the wolfSSL pack .pdsc is not installed locally (~/.arm/Packs/wolfSSL/), fall back to enumerating wolfcrypt/src/*.c and src/*.c from WOLFSSL_DIR. The full library is what the pack ships.
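The two extraction paths discussed in the last two commit messages (compile_commands.json and `make -n`), as an added example that is not the kit's `_auto_extract_srcs`. The kit uses jq; this version is jq-free and assumes the one-field-per-line `compile_commands.json` layout CMake, Zephyr and ESP-IDF emit, with no escaped quotes in paths. It also shows why selecting `.c` tokens, rather than whole lines mentioning "wolfssl", keeps `make: Entering directory '...'` banners out of the source list even without `--no-print-directory`. All fixture paths are constructed.

```shell
#!/bin/sh
# Added example, not cra-kit code (the kit's _auto_extract_srcs uses jq).
# Two jq-free source-list extractors for the embedded SBOM path.
set -eu

# List the "file" field of every compile_commands.json entry under
# wolfcrypt/src/ or src/ of $2 (WOLFSSL_DIR, or an ESP-IDF managed
# component dir). Assumes no escaped quotes in paths and that $2 contains
# no regex metacharacters beyond '/' and '.'.
extract_cc_srcs() {
    grep -o '"file" *: *"[^"]*"' "$1" \
        | sed 's/.*: *"\(.*\)"/\1/' \
        | grep -E "^$2/(wolfcrypt/src|src)/[^/]*\.c\$" \
        | sort -u
}

# Pull wolfSSL .c tokens out of `make -n` output ($1 = file with the
# output). Matching whole lines that contain "wolfssl" is what let
# "make: Entering directory '/work/wolfssl-app'" leak into the list;
# matching only tokens that end in .c under (wolfcrypt/)src/ does not.
filter_make_n_srcs() {
    tr ' \t' '\n\n' < "$1" \
        | grep -E '(^|/)(wolfcrypt/src|src)/[^/]*\.c$' \
        | sort -u
}

# Constructed fixtures: a four-entry compile_commands.json (one duplicate,
# one non-wolfSSL file) and a make -n transcript with directory banners.
make_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/compile_commands.json" <<'EOF'
[
  {"directory": "/work/build", "command": "cc -c /work/wolfssl/wolfcrypt/src/aes.c", "file": "/work/wolfssl/wolfcrypt/src/aes.c"},
  {"directory": "/work/build", "command": "cc -c /work/wolfssl/src/internal.c", "file": "/work/wolfssl/src/internal.c"},
  {"directory": "/work/build", "command": "cc -c /work/app/main.c", "file": "/work/app/main.c"},
  {"directory": "/work/build", "command": "cc -c /work/wolfssl/wolfcrypt/src/aes.c", "file": "/work/wolfssl/wolfcrypt/src/aes.c"}
]
EOF
    cat > "$dir/make-n.txt" <<'EOF'
make: Entering directory '/work/wolfssl-app'
cc -DWOLFSSL_USER_SETTINGS -Iwolfssl -c -o build/aes.o wolfssl/wolfcrypt/src/aes.c
cc -DWOLFSSL_USER_SETTINGS -Iwolfssl -c -o build/internal.o wolfssl/src/internal.c
cc -c -o build/main.o main.c
make: Leaving directory '/work/wolfssl-app'
EOF
    echo "$dir"
}
```

Both functions emit a de-duplicated, sorted list that can be written to a file and handed to the generator as the source list, with the application's own files and any make banners already filtered out.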
Generate auditor-ready SBOM packages for wolfSSH, wolfTPM, wolfMQTT, wolfHSM, wolfsentry, and wolfBoot. Each script mirrors the wolfssl SBOM workflow.
Wire in shared _cra-sbom-extract.sh for Keil/IAR/Makefile/compile_commands.json source extraction. NO_HASH deferred to SBOM-cgz (gen-sbom lacks --no-artifact-hash).
…srcs in wolftpm cmake+embedded modes
…fhsm-sbom.sh Fix broken --srcs-file call (gen-sbom only supports positional --srcs). NO_HASH deferred to SBOM-cgz.
Summary
This PR extends the CRA Kit in two major ways:
1. Embedded SBOM mode (existing)
- `--mode embedded` flag for `generate-wolfssl-sbom.sh`: hashes source files instead of the installed library
- `CRA_SBOM_NO_HASH=true` option for customers who cannot share source lists
- `CRA_SBOM_SRCS_FILE` to supply a pre-built source list

2. Auto-extraction of wolfSSL sources (new in this PR)
Four build-system auto-extraction methods, all requiring no `CRA_SBOM_SRCS_FILE`:
- Makefile: `print-wolfssl-srcs` target or falls back to `make -n` dry-run (`CRA_SBOM_MAKEFILE_DIR`)
- CMake/Zephyr/ESP-IDF: `compile_commands.json` (`WOLFSSL_BUILD_DIR`)
- Keil: `.uvprojx`; CMSIS Pack or explicit FilePath (`CRA_SBOM_KEIL_PROJECT`)
- IAR: `.ewp`, resolves `$PROJ_DIR$` (`CRA_SBOM_IAR_PROJECT`)

All four methods verified end-to-end on EC2 (Ubuntu 24.04).

3. CRA Kit scripts for 6 additional wolfSSL products (new in this PR)
Standalone SBOM generation scripts for each product, following the same auditor-packet layout as the wolfssl script:

| Script | Notes |
|---|---|
| `generate-wolfssh-sbom.sh` | `CRA_SBOM_MODE=embedded` hashes `src/*.c`; `CRA_SBOM_SRCS_FILE` or `compile_commands.json` override |
| `generate-wolftpm-sbom.sh` | `CRA_SBOM_MODE=embedded` hashes core + one HAL (`CRA_TPM_HAL=st|espressif|...`); host-only transports excluded |
| `generate-wolfmqtt-sbom.sh` | `CRA_SBOM_MODE=embedded` hashes `src/mqtt_*.c`; `CRA_SBOM_SRCS_FILE` or `compile_commands.json` override |
| `generate-wolfhsm-sbom.sh` | `WOLFSSL_DIR`, `WOLFHSM_DIR` |
| `generate-wolfsentry-sbom.sh` | `GEN_SBOM` or `WOLFSSL_DIR` |
| `generate-wolfboot-sbom.sh` | `make -n` for source list |

Embedded mode for wolfSSH/wolfTPM/wolfMQTT: wolfcrypt/wolfssl sources are intentionally excluded — they are covered by a separate `generate-wolfssl-sbom.sh` run and referenced as a dependency component.

For wolfTPM embedded, `CRA_TPM_HAL` selects exactly one `hal/tpm_io_<platform>.c` to include. Omitting it produces a warning and excludes the HAL (safe default — wrong HAL = wrong SBOM).

All 6 scripts verified with `make sbom` end-to-end on EC2. Embedded mode for wolfSSH (12 srcs), wolfTPM (12 srcs + HAL), wolfMQTT (8 srcs) verified locally.

4. Documentation
`SRCS-FILE-HOWTO.md`: complete guide for all 6 build systems including manual and automatic extraction. Zephyr section verified on EC2 (89 sources, `native_sim` board).

Test plan
- `generate-wolfssl-sbom.sh` in embedded mode with each auto-extraction method
- `generate-{product}-sbom.sh` scripts in autotools mode (EC2)
- `CRA_SBOM_MODE=embedded`
- `pyspdxtools`