From a6e3b912ab50b7d18fac3a2ca2ac12dbe774f862 Mon Sep 17 00:00:00 2001
From: Jochem Rutgers <68805714+jhrutgers@users.noreply.github.com>
Date: Wed, 27 Sep 2023 14:37:05 +0200
Subject: [PATCH 1/4] add package verification code

---
 cmake/sbom.cmake | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/cmake/sbom.cmake b/cmake/sbom.cmake
index 27d3fc5..08d455b 100644
--- a/cmake/sbom.cmake
+++ b/cmake/sbom.cmake
@@ -175,12 +175,14 @@ function(sbom_generate)
 install(
 CODE "
 message(STATUS \"Installing: ${SBOM_GENERATE_OUTPUT}\")
- file(WRITE \"${SBOM_GENERATE_OUTPUT}\" \"\")
+ file(WRITE \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"\")
 "
 )

+ file(MAKE_DIRECTORY ${PROJECT_BINARY_DIR}/sbom)
+
 if("${SBOM_GENERATE_INPUT}" STREQUAL "")
- set(_f "${CMAKE_CURRENT_BINARY_DIR}/SPDXRef-DOCUMENT.cmake")
+ set(_f "${CMAKE_CURRENT_BINARY_DIR}/SPDXRef-DOCUMENT.spdx.in")

 get_filename_component(doc_name "${SBOM_GENERATE_OUTPUT}" NAME_WE)

@@ -225,6 +227,7 @@ PackageLicenseDeclared: ${SBOM_GENERATE_LICENSE}
 PackageCopyrightText: ${SBOM_GENERATE_COPYRIGHT}
 PackageHomePage: ${SBOM_GENERATE_SUPPLIER_URL}
 PackageComment: Built by CMake ${CMAKE_VERSION} with ${CMAKE_BUILD_TYPE} configuration for ${CMAKE_SYSTEM_NAME} (${CMAKE_SYSTEM_PROCESSOR})
+PackageVerificationCode: \${SBOM_VERIFICATION_CODE}
 BuiltDate: ${NOW_UTC}
 Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-${SBOM_GENERATE_PROJECT}
 "
@@ -233,7 +236,7 @@ Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-${SBOM_GENERATE_PROJECT}
 install(
 CODE "
 file(READ \"${_f}\" _f_contents)
- file(APPEND \"${SBOM_GENERATE_OUTPUT}\" \"\${_f_contents}\")
+ file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"\${_f_contents}\")
 "
 )
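Review bot: The status line `message(STATUS \"Installing: ${SBOM_GENERATE_OUTPUT}\")` still names the final SBOM, while the `file(WRITE ...)` right below it now only resets the intermediate `sbom.spdx.in` in the build tree; the real output is only produced later by the `Finalizing:` step, so an install log would suggest the SBOM exists before it does. Something like `message(STATUS \"Preparing: ${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\")` keeps the log honest. The added `file(MAKE_DIRECTORY ${PROJECT_BINARY_DIR}/sbom)` is unquoted; `file(MAKE_DIRECTORY "${PROJECT_BINARY_DIR}/sbom")` keeps a build directory containing spaces or semicolons working. sbom_generate continues outside the hunk.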
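Review bot: The placeholder `\${SBOM_VERIFICATION_CODE}` introduced here is filled in by a plain `configure_file()` in the sbom_finalize hunk (@@ -287 of this patch), and that form expands every `${...}` and `@...@` sequence in the template, not just this one, so any file name, package name, copyright or license text that sbom_file/sbom_directory/sbom_package append to `sbom.spdx.in` and that happens to contain such a sequence would be rewritten silently, making the listed names diverge from the hashed files. Using `@SBOM_VERIFICATION_CODE@` here together with `configure_file(... @ONLY)` in finalize narrows the exposure to `@...@`, and a `file(READ)` / `string(REPLACE "@SBOM_VERIFICATION_CODE@" ...)` / `file(WRITE)` sequence would avoid template substitution altogether. The document package block this line belongs to starts outside the hunk, so I could not check whether `FilesAnalyzed: true` precedes it, which SPDX requires for a verification code.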
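Review bot: The literal `${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in` is now spelled out in six install(CODE) fragments across this patch (here, @@ -254, @@ -287, @@ -365, @@ -467 and @@ -565), so any later rename of the intermediate file has to be made in lockstep everywhere, and a single miss would put some file entries into a file that is never finalized. The file already records `sbom_filename` as a GLOBAL property; storing the template path the same way, e.g. `set_property(GLOBAL PROPERTY sbom_spdx_in "${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in")` in sbom_generate and `get_property(_sbom_in GLOBAL PROPERTY sbom_spdx_in)` in the other functions, gives it one definition. The install scripts are generated at configure time, so the expanded path in the generated code is identical either way.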
@@ -254,7 +257,7 @@ Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-${SBOM_GENERATE_PROJECT}
 install(
 CODE "
 file(READ \"${_f_in_gen}\" _f_contents)
- file(APPEND \"${SBOM_GENERATE_OUTPUT}\" \"\${_f_contents}\")
+ file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"\${_f_contents}\")
 "
 )
 endforeach()
@@ -265,11 +268,12 @@ Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-${SBOM_GENERATE_PROJECT}
 )
 endif()

+ install(CODE "set(SBOM_VERIFICATION_CODES)")
+
 set_property(GLOBAL PROPERTY sbom_filename "${SBOM_GENERATE_OUTPUT}")
 set_property(GLOBAL PROPERTY sbom_project "${SBOM_GENERATE_PROJECT}")
 set_property(GLOBAL PROPERTY sbom_spdxids 0)

- file(MAKE_DIRECTORY ${PROJECT_BINARY_DIR}/sbom)
 file(WRITE ${PROJECT_BINARY_DIR}/sbom/CMakeLists.txt "")
 endfunction()

@@ -287,6 +291,13 @@ function(sbom_finalize)
 file(
 WRITE ${PROJECT_BINARY_DIR}/sbom/verify.cmake
 "
+ message(STATUS \"Finalizing: ${_sbom}\")
+ list(SORT SBOM_VERIFICATION_CODES)
+ string(REPLACE \";\" \"\" SBOM_VERIFICATION_CODES \"\${SBOM_VERIFICATION_CODES}\")
+ file(WRITE \"${PROJECT_BINARY_DIR}/sbom/verification.txt\" \"\${SBOM_VERIFICATION_CODES}\")
+ file(SHA1 \"${PROJECT_BINARY_DIR}/sbom/verification.txt\" SBOM_VERIFICATION_CODE)
+ configure_file(\"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"${_sbom}\")
+
 message(STATUS \"Verifying: ${_sbom}\")
 execute_process(
 COMMAND ${Python3_EXECUTABLE} -m spdx_tools.spdx.clitools.pyspdxtools
@@ -365,7 +376,8 @@ function(sbom_file)
 endif()
 else()
 file(SHA1 ${CMAKE_INSTALL_PREFIX}/${SBOM_FILE_FILENAME} _sha1)
- file(APPEND \"${_sbom}\"
+ list(APPEND SBOM_VERIFICATION_CODES \${_sha1})
+ file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\"
 \"
 FileName: ./${SBOM_FILE_FILENAME}
 SPDXID: ${SBOM_FILE_SPDXID}
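Review bot: `install(CODE "set(SBOM_VERIFICATION_CODES)")` is the only initialisation of the list that the sbom_file and sbom_directory fragments later `list(APPEND ...)` to, so it silently relies on two things the hunk does not state: that every appending install script runs in the same variable scope as this one, and that it runs after it. That presumably holds because the per-file scripts are collected under `${PROJECT_BINARY_DIR}/sbom` and hooked in by sbom_finalize, but a comment would spare the next reader the trace: `# Reset once per install run; sbom_file()/sbom_directory() append file hashes here and sbom_finalize() derives the package verification code from them.` sbom_generate's body starts outside the hunk.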
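Review bot: The verification code is produced by writing the concatenated hashes to `verification.txt` and hashing that file, while `string(SHA1 SBOM_VERIFICATION_CODE \"\${SBOM_VERIFICATION_CODES}\")` computes the same digest from the string directly, without leaving a temporary in the build tree or depending on the intermediate `file(WRITE)`. The sort-then-concatenate-without-separator order is what the SPDX 2.x package verification code prescribes, and that is worth a one-line comment in the generated script, since a reader of `verify.cmake` otherwise cannot tell why the list is sorted. Bear in mind that the code is only meaningful if every file listed in the document is hashed (or else listed as `(excludes: ...)` after the code); with the @@ -365 and @@ -467 hunks that currently holds, so any future appender must keep following the same pattern. sbom_finalize continues outside the hunk.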
@@ -467,7 +479,8 @@ function(sbom_directory)
 set(_count 0)
 foreach(_f IN LISTS _files)
 file(SHA1 \"${CMAKE_INSTALL_PREFIX}/\${_f}\" _sha1)
- file(APPEND \"${_sbom}\"
+ list(APPEND SBOM_VERIFICATION_CODES \${_sha1})
+ file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\"
 \"
 FileName: ./\${_f}
 SPDXID: ${SBOM_DIRECTORY_SPDXID}-\${_count}
@@ -565,7 +578,7 @@ ExternalRef: ${_ref}"
 OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${SBOM_PACKAGE_SPDXID}.cmake
 CONTENT
 "
- file(APPEND \"${_sbom}\"
+ file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\"
 \"
 PackageName: ${SBOM_PACKAGE_PACKAGE}
 SPDXID: ${SBOM_PACKAGE_SPDXID}

From a5f8a89965ceaa7ee1fc3e92cadc51f19576144a Mon Sep 17 00:00:00 2001
From: Jochem Rutgers <68805714+jhrutgers@users.noreply.github.com>
Date: Wed, 27 Sep 2023 14:54:39 +0200
Subject: [PATCH 2/4] make NTIA compliant

---
 .cmake-format | 1 +
 README.rst | 4 ++++
 cmake/sbom.cmake | 15 ++++++++++-----
 3 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/.cmake-format b/.cmake-format
index 8b21c39..de57c0d 100644
--- a/.cmake-format
+++ b/.cmake-format
@@ -37,6 +37,7 @@ parse:
 DOWNLOAD_LOCATION: 1
 RELATIONSHIP: 1
 SPDXID: 1
+ SUPPLIER: 1
 sbom_add:
 kwargs:
 FILENAME: 1
diff --git a/README.rst b/README.rst
index 055665c..22eb57a 100644
--- a/README.rst
+++ b/README.rst
@@ -247,6 +247,7 @@ Add something to the SBOM.
 [LICENSE ]
 [RELATIONSHIP ]
 [SPDXID ]
+ [SUPPLIER ]
 [VERSION ]
 )

@@ -267,6 +268,9 @@ Add something to the SBOM.
 License of the package.
 Defaults to ``NOASSERTION`` when not specified.

+``SUPPLIER``
+ Package supplier, which can be ``Person: name (email)``, or ``Organization: name (email)``.
+
 ``VERSION``
 Version of the package.

diff --git a/cmake/sbom.cmake b/cmake/sbom.cmake
index 08d455b..67f815e 100644
--- a/cmake/sbom.cmake
+++ b/cmake/sbom.cmake
@@ -208,6 +208,7 @@ PackageDownloadLocation: NOASSERTION
 PackageLicenseConcluded: NOASSERTION
 PackageLicenseDeclared: NOASSERTION
 PackageCopyrightText: NOASSERTION
+PackageSupplier: Organization: Anonymous
 FilesAnalyzed: false
 PackageSummary: The compiler as identified by CMake, running on ${CMAKE_HOST_SYSTEM_NAME} (${CMAKE_HOST_SYSTEM_PROCESSOR})
 PrimaryPackagePurpose: APPLICATION
@@ -508,7 +509,7 @@ endfunction()
 # Append a package (without files) to the SBOM. Use this after calling sbom_generate().
 function(sbom_package)
 set(options)
- set(oneValueArgs PACKAGE VERSION LICENSE DOWNLOAD_LOCATION RELATIONSHIP SPDXID)
+ set(oneValueArgs PACKAGE VERSION LICENSE DOWNLOAD_LOCATION RELATIONSHIP SPDXID SUPPLIER)
 set(multiValueArgs EXTREF)
 cmake_parse_arguments(
 SBOM_PACKAGE "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN}
@@ -534,10 +535,12 @@ function(sbom_package)

 set(_fields)

- if(NOT "${SBOM_PACKAGE_VERSION}" STREQUAL "")
- set(_fields "${_fields}
-PackageVersion: ${SBOM_PACKAGE_VERSION}"
- )
+ if("${SBOM_PACKAGE_VERSION}" STREQUAL "")
+ set(SBOM_PACKAGE_VERSION "unknown")
+ endif()
+
+ if("${SBOM_PACKAGE_SUPPLIER}" STREQUAL "")
+ set(SBOM_PACKAGE_SUPPLIER "Person: Anonymous")
 endif()

 if(NOT "${SBOM_PACKAGE_LICENSE}" STREQUAL "")
@@ -586,6 +589,8 @@ ExternalRef: SECURITY cpe23Type ${SBOM_CPE}
 PackageDownloadLocation: ${SBOM_PACKAGE_DOWNLOAD_LOCATION}
 PackageLicenseDeclared: NOASSERTION
 PackageCopyrightText: NOASSERTION
+PackageVersion: ${SBOM_PACKAGE_VERSION}
+PackageSupplier: ${SBOM_PACKAGE_SUPPLIER}
 FilesAnalyzed: false${_fields}
 Relationship: ${SBOM_PACKAGE_RELATIONSHIP}
 Relationship: ${SBOM_PACKAGE_SPDXID} CONTAINS NOASSERTION

From b633e4f6716b9d703d3eb1826ab9143bbb7ad482 Mon Sep 17 00:00:00 2001
From: Jochem Rutgers <68805714+jhrutgers@users.noreply.github.com>
Date: Wed, 27 Sep 2023 14:59:37 +0200
Subject: [PATCH 3/4] prepare release

---
 CHANGELOG.rst | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
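Review bot: Defaulting VERSION to `unknown` and SUPPLIER to `Person: Anonymous` makes a package entry pass an NTIA minimum-elements check while telling a consumer nothing: a reader of the SBOM cannot distinguish a deliberate "no version" from a caller that simply forgot the argument, and the compiler package in the @@ -208 hunk uses `Organization: Anonymous` for the same situation, so the two placeholders are not even consistent with each other. I would at least report the fallback where it can be fixed, e.g. `message(AUTHOR_WARNING "sbom_package(${SBOM_PACKAGE_PACKAGE}): no VERSION given, recording 'unknown'")` and the equivalent for SUPPLIER. SPDX also allows `NOASSERTION` for PackageSupplier, which states the uncertainty explicitly instead of inventing a person; whether the NTIA check the commit targets accepts that is worth confirming before choosing. sbom_package continues outside the hunk.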
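Review bot: `PackageVersion:` and `PackageSupplier:` are inserted after `PackageCopyrightText:`, whereas the SPDX 2.x tag-value layout lists PackageVersion and PackageSupplier directly after SPDXID and before PackageDownloadLocation; the pyspdxtools run in verify.cmake presumably tolerates this order, since the commit is meant to pass it, but other tag-value consumers can be stricter, and emitting the fields in spec order costs nothing. The same applies to `PackageSupplier: Organization: Anonymous` in the @@ -208 hunk, which lands after the license and copyright fields. The file(GENERATE ...) content string these lines belong to starts and ends outside the hunk.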
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 7a0db4d..265bfa8 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -20,6 +20,18 @@ The format is based on `Keep a Changelog`_, and this project adheres to `Semanti
 `Unreleased`_
 -------------

+Added
+`````
+
+...
+
+.. _Unreleased: https://github.com/DEMCON/cmake-sbom/compare/v1.0.0...HEAD
+
+
+
+`1.0.0`_ - 2023-09-27
+---------------------
+
 Initial version.

 Added
@@ -28,4 +40,4 @@ Added
 - Git version extraction.
 - SPDX SBOM generation from CMake.

-.. _Unreleased: https://github.com/DEMCON/cmake-sbom
+.. _1.0.0: https://github.com/DEMCON/cmake-sbom/releases/tag/v1.0.0

From 5162ee6c0a23dbef71dee9e69523d0df20207863 Mon Sep 17 00:00:00 2001
From: Jochem Rutgers <68805714+jhrutgers@users.noreply.github.com>
Date: Wed, 27 Sep 2023 16:07:40 +0200
Subject: [PATCH 4/4] fix tag handling

---
 cmake/version.cmake | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmake/version.cmake b/cmake/version.cmake
index 0cb512c..83a749c 100644
--- a/cmake/version.cmake
+++ b/cmake/version.cmake
@@ -193,7 +193,7 @@ function(version_generate)
 string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+)([-+].*)?$" "\\3"
 GIT_VERSION_PATCH "${GIT_VERSION}"
 )
- string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+)([-+].*)?$" "\\4"
+ string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+)(([-+].*)?)$" "\\4"
 GIT_VERSION_SUFFIX "${GIT_VERSION}"
 )
 else()
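Review bot: The reason for the new outer group `(([-+].*)?)` is not visible in the code: presumably a bare `X.Y.Z` tag left the optional group 4 unmatched, which `string(REGEX REPLACE)` rejects when `\\4` is referenced, and wrapping it in a group that always participates turns that into an empty suffix. A comment above the line would keep the next maintainer from "simplifying" it back, e.g. `# The outer group always matches, so \\4 is defined (empty) for plain X.Y.Z tags; an optional group alone fails the replace.` The `\\3` line just above keeps the old `([-+].*)?` form, which works because group 3 always participates, but using the same expression on both lines would make the difference less puzzling. version_generate continues outside the hunk.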