From a6e3b912ab50b7d18fac3a2ca2ac12dbe774f862 Mon Sep 17 00:00:00 2001
From: Jochem Rutgers <68805714+jhrutgers@users.noreply.github.com>
Date: Wed, 27 Sep 2023 14:37:05 +0200
Subject: [PATCH 1/4] add package verification code
---
cmake/sbom.cmake | 29 +++++++++++++++++++++--------
1 file changed, 21 insertions(+), 8 deletions(-)
diff --git a/cmake/sbom.cmake b/cmake/sbom.cmake
index 27d3fc5..08d455b 100644
--- a/cmake/sbom.cmake
+++ b/cmake/sbom.cmake
@@ -175,12 +175,14 @@ function(sbom_generate)
install(
CODE "
message(STATUS \"Installing: ${SBOM_GENERATE_OUTPUT}\")
- file(WRITE \"${SBOM_GENERATE_OUTPUT}\" \"\")
+ file(WRITE \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"\")
"
)
+ file(MAKE_DIRECTORY ${PROJECT_BINARY_DIR}/sbom)
+
if("${SBOM_GENERATE_INPUT}" STREQUAL "")
- set(_f "${CMAKE_CURRENT_BINARY_DIR}/SPDXRef-DOCUMENT.cmake")
+ set(_f "${CMAKE_CURRENT_BINARY_DIR}/SPDXRef-DOCUMENT.spdx.in")
get_filename_component(doc_name "${SBOM_GENERATE_OUTPUT}" NAME_WE)
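Review bot: The intermediate path `${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in` is spelled out literally in the new `file(WRITE)` here and again in the `file(APPEND)`/`configure_file` calls of this patch's later hunks (@@ -233, @@ -254, @@ -287, @@ -365, @@ -467 and @@ -565), so a rename has seven places to miss. The final output is already published once via `set_property(GLOBAL PROPERTY sbom_filename ...)` and presumably read back as `_sbom` by sbom_file/sbom_directory/sbom_package; the template path could be published the same way, e.g. `set_property(GLOBAL PROPERTY sbom_filename_in "${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in")`, and fetched where it is needed. The status line just above still prints `Installing: ${SBOM_GENERATE_OUTPUT}` although this step now only truncates the intermediate file and the real output is produced at finalize. sbom_generate() starts before this hunk.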
@@ -225,6 +227,7 @@ PackageLicenseDeclared: ${SBOM_GENERATE_LICENSE}
PackageCopyrightText: ${SBOM_GENERATE_COPYRIGHT}
PackageHomePage: ${SBOM_GENERATE_SUPPLIER_URL}
PackageComment: Built by CMake ${CMAKE_VERSION} with ${CMAKE_BUILD_TYPE} configuration for ${CMAKE_SYSTEM_NAME} (${CMAKE_SYSTEM_PROCESSOR})
+PackageVerificationCode: \${SBOM_VERIFICATION_CODE}
BuiltDate: ${NOW_UTC}
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-${SBOM_GENERATE_PROJECT}
"
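Review bot: The `\${SBOM_VERIFICATION_CODE}` placeholder written into the template is resolved by the `configure_file(... sbom.spdx.in ... ${_sbom})` call added in the @@ -287 hunk, which runs without `@ONLY`, so every other `${...}` or `@...@` sequence that reaches the intermediate file is expanded too — file names collected by sbom_directory, package names, copyright and license strings supplied by callers, and any `$ENV{...}` text, which would splice install-host environment values into the SBOM. The at-form avoids that: write `PackageVerificationCode: @SBOM_VERIFICATION_CODE@` here and `configure_file(\"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"${_sbom}\" @ONLY)` in sbom_finalize. A `#` comment on the placeholder line saying it is filled in by verify.cmake at install time would also help, since the two halves live far apart in the file.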
@@ -233,7 +236,7 @@ Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-${SBOM_GENERATE_PROJECT}
install(
CODE "
file(READ \"${_f}\" _f_contents)
- file(APPEND \"${SBOM_GENERATE_OUTPUT}\" \"\${_f_contents}\")
+ file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"\${_f_contents}\")
"
)
@@ -254,7 +257,7 @@ Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-${SBOM_GENERATE_PROJECT}
install(
CODE "
file(READ \"${_f_in_gen}\" _f_contents)
- file(APPEND \"${SBOM_GENERATE_OUTPUT}\" \"\${_f_contents}\")
+ file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"\${_f_contents}\")
"
)
endforeach()
@@ -265,11 +268,12 @@ Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-${SBOM_GENERATE_PROJECT}
)
endif()
+ install(CODE "set(SBOM_VERIFICATION_CODES)")
+
set_property(GLOBAL PROPERTY sbom_filename "${SBOM_GENERATE_OUTPUT}")
set_property(GLOBAL PROPERTY sbom_project "${SBOM_GENERATE_PROJECT}")
set_property(GLOBAL PROPERTY sbom_spdxids 0)
- file(MAKE_DIRECTORY ${PROJECT_BINARY_DIR}/sbom)
file(WRITE ${PROJECT_BINARY_DIR}/sbom/CMakeLists.txt "")
endfunction()
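Review bot: `install(CODE "set(SBOM_VERIFICATION_CODES)")` establishes an install-time accumulator whose purpose only becomes visible in sbom_file/sbom_directory/sbom_finalize, so it deserves a comment, e.g. `# Install-time list of per-file SHA1s; sbom_file()/sbom_directory() append to it and sbom_finalize() folds it into PackageVerificationCode`. It relies on the later appends landing in the same variable scope as this reset; that holds when all the `install(CODE)` fragments end up in one cmake_install.cmake, and presumably also for calls made from subdirectories since their install scripts are `include()`d rather than run in a fresh scope, but that is worth confirming with a subdirectory test case.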
@@ -287,6 +291,13 @@ function(sbom_finalize)
file(
WRITE ${PROJECT_BINARY_DIR}/sbom/verify.cmake
"
+ message(STATUS \"Finalizing: ${_sbom}\")
+ list(SORT SBOM_VERIFICATION_CODES)
+ string(REPLACE \";\" \"\" SBOM_VERIFICATION_CODES \"\${SBOM_VERIFICATION_CODES}\")
+ file(WRITE \"${PROJECT_BINARY_DIR}/sbom/verification.txt\" \"\${SBOM_VERIFICATION_CODES}\")
+ file(SHA1 \"${PROJECT_BINARY_DIR}/sbom/verification.txt\" SBOM_VERIFICATION_CODE)
+ configure_file(\"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"${_sbom}\")
+
message(STATUS \"Verifying: ${_sbom}\")
execute_process(
COMMAND ${Python3_EXECUTABLE} -m spdx_tools.spdx.clitools.pyspdxtools
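Review bot: The three-step digest in the new verify.cmake lines — join with `string(REPLACE)`, `file(WRITE)` to verification.txt, `file(SHA1)` of that file — leaves a scratch file in the build tree and can be collapsed to two lines that hash in memory: `list(JOIN SBOM_VERIFICATION_CODES \"\" _codes)` and `string(SHA1 SBOM_VERIFICATION_CODE \"\${_codes}\")`. The computation itself (sort the per-file SHA1 hex strings, concatenate without separators, SHA1 the result) matches the SPDX 2.x package verification code definition, and a comment saying so above `list(SORT ...)` would document why the sort is load-bearing — the default lexicographic order of `list(SORT)` is the one the definition expects for hex digests. sbom_finalize() begins before this hunk and the `execute_process` call continues past it.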
@@ -365,7 +376,8 @@ function(sbom_file)
endif()
else()
file(SHA1 ${CMAKE_INSTALL_PREFIX}/${SBOM_FILE_FILENAME} _sha1)
- file(APPEND \"${_sbom}\"
+ list(APPEND SBOM_VERIFICATION_CODES \${_sha1})
+ file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\"
\"
FileName: ./${SBOM_FILE_FILENAME}
SPDXID: ${SBOM_FILE_SPDXID}
@@ -467,7 +479,8 @@ function(sbom_directory)
set(_count 0)
foreach(_f IN LISTS _files)
file(SHA1 \"${CMAKE_INSTALL_PREFIX}/\${_f}\" _sha1)
- file(APPEND \"${_sbom}\"
+ list(APPEND SBOM_VERIFICATION_CODES \${_sha1})
+ file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\"
\"
FileName: ./\${_f}
SPDXID: ${SBOM_DIRECTORY_SPDXID}-\${_count}
@@ -565,7 +578,7 @@ ExternalRef: ${_ref}"
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${SBOM_PACKAGE_SPDXID}.cmake
CONTENT
"
- file(APPEND \"${_sbom}\"
+ file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\"
\"
PackageName: ${SBOM_PACKAGE_PACKAGE}
SPDXID: ${SBOM_PACKAGE_SPDXID}
From a5f8a89965ceaa7ee1fc3e92cadc51f19576144a Mon Sep 17 00:00:00 2001
From: Jochem Rutgers <68805714+jhrutgers@users.noreply.github.com>
Date: Wed, 27 Sep 2023 14:54:39 +0200
Subject: [PATCH 2/4] make NTIA compliant
---
.cmake-format | 1 +
README.rst | 4 ++++
cmake/sbom.cmake | 15 ++++++++++-----
3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/.cmake-format b/.cmake-format
index 8b21c39..de57c0d 100644
--- a/.cmake-format
+++ b/.cmake-format
@@ -37,6 +37,7 @@ parse:
DOWNLOAD_LOCATION: 1
RELATIONSHIP: 1
SPDXID: 1
+ SUPPLIER: 1
sbom_add:
kwargs:
FILENAME: 1
diff --git a/README.rst b/README.rst
index 055665c..22eb57a 100644
--- a/README.rst
+++ b/README.rst
@@ -247,6 +247,7 @@ Add something to the SBOM.
[LICENSE ]
[RELATIONSHIP ]
[SPDXID ]
+ [SUPPLIER ]
[VERSION ]
)
@@ -267,6 +268,9 @@ Add something to the SBOM.
License of the package.
Defaults to ``NOASSERTION`` when not specified.
+``SUPPLIER``
+ Package supplier, which can be ``Person: name (email)``, or ``Organization: name (email)``.
+
``VERSION``
Version of the package.
diff --git a/cmake/sbom.cmake b/cmake/sbom.cmake
index 08d455b..67f815e 100644
--- a/cmake/sbom.cmake
+++ b/cmake/sbom.cmake
@@ -208,6 +208,7 @@ PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
+PackageSupplier: Organization: Anonymous
FilesAnalyzed: false
PackageSummary: The compiler as identified by CMake, running on ${CMAKE_HOST_SYSTEM_NAME} (${CMAKE_HOST_SYSTEM_PROCESSOR})
PrimaryPackagePurpose: APPLICATION
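Review bot: The supplier placeholder differs between the two defaults this patch introduces: the compiler package gets `Organization: Anonymous` here, while sbom_package() falls back to `Person: Anonymous` in the @@ -534 hunk. Both satisfy the NTIA field-presence requirement but carry no information, and a consumer cannot tell them apart from a genuine entry, so they should at least be spelled the same and marked as placeholders, e.g. `# Placeholder so the SBOM stays NTIA-conformant; no real supplier is known for the toolchain` above this line. There appears to be no way for a caller to override the compiler package's supplier; if that is intended, the README should say so.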
@@ -508,7 +509,7 @@ endfunction()
# Append a package (without files) to the SBOM. Use this after calling sbom_generate().
function(sbom_package)
set(options)
- set(oneValueArgs PACKAGE VERSION LICENSE DOWNLOAD_LOCATION RELATIONSHIP SPDXID)
+ set(oneValueArgs PACKAGE VERSION LICENSE DOWNLOAD_LOCATION RELATIONSHIP SPDXID SUPPLIER)
set(multiValueArgs EXTREF)
cmake_parse_arguments(
SBOM_PACKAGE "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN}
@@ -534,10 +535,12 @@ function(sbom_package)
set(_fields)
- if(NOT "${SBOM_PACKAGE_VERSION}" STREQUAL "")
- set(_fields "${_fields}
-PackageVersion: ${SBOM_PACKAGE_VERSION}"
- )
+ if("${SBOM_PACKAGE_VERSION}" STREQUAL "")
+ set(SBOM_PACKAGE_VERSION "unknown")
+ endif()
+
+ if("${SBOM_PACKAGE_SUPPLIER}" STREQUAL "")
+ set(SBOM_PACKAGE_SUPPLIER "Person: Anonymous")
endif()
if(NOT "${SBOM_PACKAGE_LICENSE}" STREQUAL "")
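Review bot: `SBOM_PACKAGE_SUPPLIER` is copied into the `PackageSupplier:` line (@@ -586 hunk) without checking the `Person: `/`Organization: ` form that this patch's README entry documents, so a malformed value is only caught — if at all — when the finalize step runs the pyspdxtools validator over the finished document. A configure-time check next to the new default keeps the error at the call site: `if(NOT "${SBOM_PACKAGE_SUPPLIER}" MATCHES "^(Person|Organization): |^NOASSERTION$")` / `message(FATAL_ERROR "sbom_package: SUPPLIER must be 'Person: ...' or 'Organization: ...', got '${SBOM_PACKAGE_SUPPLIER}'")` / `endif()`. The `PackageVersion` fallback `unknown` could get the same treatment if an empty VERSION is more likely a mistake than a fact, but that is a judgement call. sbom_package() continues outside the hunk.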
@@ -586,6 +589,8 @@ ExternalRef: SECURITY cpe23Type ${SBOM_CPE}
PackageDownloadLocation: ${SBOM_PACKAGE_DOWNLOAD_LOCATION}
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
+PackageVersion: ${SBOM_PACKAGE_VERSION}
+PackageSupplier: ${SBOM_PACKAGE_SUPPLIER}
FilesAnalyzed: false${_fields}
Relationship: ${SBOM_PACKAGE_RELATIONSHIP}
Relationship: ${SBOM_PACKAGE_SPDXID} CONTAINS NOASSERTION
From b633e4f6716b9d703d3eb1826ab9143bbb7ad482 Mon Sep 17 00:00:00 2001
From: Jochem Rutgers <68805714+jhrutgers@users.noreply.github.com>
Date: Wed, 27 Sep 2023 14:59:37 +0200
Subject: [PATCH 3/4] prepare release
---
CHANGELOG.rst | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 7a0db4d..265bfa8 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -20,6 +20,18 @@ The format is based on `Keep a Changelog`_, and this project adheres to `Semanti
`Unreleased`_
-------------
+Added
+`````
+
+...
+
+.. _Unreleased: https://github.com/DEMCON/cmake-sbom/compare/v1.0.0...HEAD
+
+
+
+`1.0.0`_ - 2023-09-27
+---------------------
+
Initial version.
Added
@@ -28,4 +40,4 @@ Added
- Git version extraction.
- SPDX SBOM generation from CMake.
-.. _Unreleased: https://github.com/DEMCON/cmake-sbom
+.. _1.0.0: https://github.com/DEMCON/cmake-sbom/releases/tag/v1.0.0
From 5162ee6c0a23dbef71dee9e69523d0df20207863 Mon Sep 17 00:00:00 2001
From: Jochem Rutgers <68805714+jhrutgers@users.noreply.github.com>
Date: Wed, 27 Sep 2023 16:07:40 +0200
Subject: [PATCH 4/4] fix tag handling
---
cmake/version.cmake | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmake/version.cmake b/cmake/version.cmake
index 0cb512c..83a749c 100644
--- a/cmake/version.cmake
+++ b/cmake/version.cmake
@@ -193,7 +193,7 @@ function(version_generate)
string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+)([-+].*)?$" "\\3"
GIT_VERSION_PATCH "${GIT_VERSION}"
)
- string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+)([-+].*)?$" "\\4"
+ string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+)(([-+].*)?)$" "\\4"
GIT_VERSION_SUFFIX "${GIT_VERSION}"
)
else()
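Review bot: The nested group `(([-+].*)?)` makes capture 4 participate in every match (as the empty string when no suffix is present), which is presumably what fixes `\\4` for plain `x.y.z` tags; a one-line comment would spare the next reader the puzzle, e.g. `# outer group always matches, so \\4 is defined for tags without a -pre/+build suffix`. The PATCH extraction above keeps the unwrapped `([-+].*)?` form, which is harmless because it references `\\3` only, but the same pattern appears to be repeated once per component; a single `if("${GIT_VERSION}" MATCHES "^([0-9]+)\\.([0-9]+)\\.([0-9]+)(([-+].*)?)$")` followed by reads of `CMAKE_MATCH_1` to `CMAKE_MATCH_4` would parse the version once and also reject a tag that does not match, instead of `REGEX REPLACE` passing the whole string through unchanged into each component. version_generate() starts before this hunk and the MAJOR/MINOR extractions are outside it.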