Dev #4

Merged
merged 4 commits into from
Sep 27, 2023
Merged
1 change: 1 addition & 0 deletions .cmake-format
Expand Up @@ -37,6 +37,7 @@ parse:
DOWNLOAD_LOCATION: 1
RELATIONSHIP: 1
SPDXID: 1
SUPPLIER: 1
sbom_add:
kwargs:
FILENAME: 1
14 changes: 13 additions & 1 deletion CHANGELOG.rst
Expand Up @@ -20,6 +20,18 @@ The format is based on `Keep a Changelog`_, and this project adheres to `Semanti
`Unreleased`_
-------------

Added
`````

...

.. _Unreleased: https:/DEMCON/cmake-sbom/compare/v1.0.0...HEAD



`1.0.0`_ - 2023-09-27
---------------------

Initial version.

Added
Expand All @@ -28,4 +40,4 @@ Added
- Git version extraction.
- SPDX SBOM generation from CMake.

.. _Unreleased: https:/DEMCON/cmake-sbom
.. _1.0.0: https:/DEMCON/cmake-sbom/releases/tag/v1.0.0
4 changes: 4 additions & 0 deletions README.rst
Expand Up @@ -247,6 +247,7 @@ Add something to the SBOM.
[LICENSE <string>]
[RELATIONSHIP <string>]
[SPDXID <id>]
[SUPPLIER <name>]
[VERSION <version>]
)

Expand All @@ -267,6 +268,9 @@ Add something to the SBOM.
License of the package.
Defaults to ``NOASSERTION`` when not specified.

``SUPPLIER``
Package supplier, which can be ``Person: name (email)``, or ``Organization: name (email)``.

``VERSION``
Version of the package.

44 changes: 31 additions & 13 deletions cmake/sbom.cmake
Expand Up @@ -175,12 +175,14 @@ function(sbom_generate)
install(
CODE "
message(STATUS \"Installing: ${SBOM_GENERATE_OUTPUT}\")
file(WRITE \"${SBOM_GENERATE_OUTPUT}\" \"\")
file(WRITE \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"\")
"
)

file(MAKE_DIRECTORY ${PROJECT_BINARY_DIR}/sbom)

if("${SBOM_GENERATE_INPUT}" STREQUAL "")
set(_f "${CMAKE_CURRENT_BINARY_DIR}/SPDXRef-DOCUMENT.cmake")
set(_f "${CMAKE_CURRENT_BINARY_DIR}/SPDXRef-DOCUMENT.spdx.in")

get_filename_component(doc_name "${SBOM_GENERATE_OUTPUT}" NAME_WE)

Expand All @@ -206,6 +208,7 @@ PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageSupplier: Organization: Anonymous
FilesAnalyzed: false
PackageSummary: <text>The compiler as identified by CMake, running on ${CMAKE_HOST_SYSTEM_NAME} (${CMAKE_HOST_SYSTEM_PROCESSOR})</text>
PrimaryPackagePurpose: APPLICATION
Expand All @@ -225,6 +228,7 @@ PackageLicenseDeclared: ${SBOM_GENERATE_LICENSE}
PackageCopyrightText: ${SBOM_GENERATE_COPYRIGHT}
PackageHomePage: ${SBOM_GENERATE_SUPPLIER_URL}
PackageComment: <text>Built by CMake ${CMAKE_VERSION} with ${CMAKE_BUILD_TYPE} configuration for ${CMAKE_SYSTEM_NAME} (${CMAKE_SYSTEM_PROCESSOR})</text>
PackageVerificationCode: \${SBOM_VERIFICATION_CODE}
BuiltDate: ${NOW_UTC}
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-${SBOM_GENERATE_PROJECT}
"
Expand All @@ -233,7 +237,7 @@ Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-${SBOM_GENERATE_PROJECT}
install(
CODE "
file(READ \"${_f}\" _f_contents)
file(APPEND \"${SBOM_GENERATE_OUTPUT}\" \"\${_f_contents}\")
file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"\${_f_contents}\")
"
)

Expand All @@ -254,7 +258,7 @@ Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-${SBOM_GENERATE_PROJECT}
install(
CODE "
file(READ \"${_f_in_gen}\" _f_contents)
file(APPEND \"${SBOM_GENERATE_OUTPUT}\" \"\${_f_contents}\")
file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"\${_f_contents}\")
"
)
endforeach()
Expand All @@ -265,11 +269,12 @@ Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-${SBOM_GENERATE_PROJECT}
)
endif()

install(CODE "set(SBOM_VERIFICATION_CODES)")

set_property(GLOBAL PROPERTY sbom_filename "${SBOM_GENERATE_OUTPUT}")
set_property(GLOBAL PROPERTY sbom_project "${SBOM_GENERATE_PROJECT}")
set_property(GLOBAL PROPERTY sbom_spdxids 0)

file(MAKE_DIRECTORY ${PROJECT_BINARY_DIR}/sbom)
file(WRITE ${PROJECT_BINARY_DIR}/sbom/CMakeLists.txt "")
endfunction()

Expand All @@ -287,6 +292,13 @@ function(sbom_finalize)
file(
WRITE ${PROJECT_BINARY_DIR}/sbom/verify.cmake
"
message(STATUS \"Finalizing: ${_sbom}\")
list(SORT SBOM_VERIFICATION_CODES)
string(REPLACE \";\" \"\" SBOM_VERIFICATION_CODES \"\${SBOM_VERIFICATION_CODES}\")
file(WRITE \"${PROJECT_BINARY_DIR}/sbom/verification.txt\" \"\${SBOM_VERIFICATION_CODES}\")
file(SHA1 \"${PROJECT_BINARY_DIR}/sbom/verification.txt\" SBOM_VERIFICATION_CODE)
configure_file(\"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"${_sbom}\")

message(STATUS \"Verifying: ${_sbom}\")
execute_process(
COMMAND ${Python3_EXECUTABLE} -m spdx_tools.spdx.clitools.pyspdxtools
Expand Down Expand Up @@ -365,7 +377,8 @@ function(sbom_file)
endif()
else()
file(SHA1 ${CMAKE_INSTALL_PREFIX}/${SBOM_FILE_FILENAME} _sha1)
file(APPEND \"${_sbom}\"
list(APPEND SBOM_VERIFICATION_CODES \${_sha1})
file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\"
\"
FileName: ./${SBOM_FILE_FILENAME}
SPDXID: ${SBOM_FILE_SPDXID}
Expand Down Expand Up @@ -467,7 +480,8 @@ function(sbom_directory)
set(_count 0)
foreach(_f IN LISTS _files)
file(SHA1 \"${CMAKE_INSTALL_PREFIX}/\${_f}\" _sha1)
file(APPEND \"${_sbom}\"
list(APPEND SBOM_VERIFICATION_CODES \${_sha1})
file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\"
\"
FileName: ./\${_f}
SPDXID: ${SBOM_DIRECTORY_SPDXID}-\${_count}
Expand Down Expand Up @@ -495,7 +509,7 @@ endfunction()
# Append a package (without files) to the SBOM. Use this after calling sbom_generate().
function(sbom_package)
set(options)
set(oneValueArgs PACKAGE VERSION LICENSE DOWNLOAD_LOCATION RELATIONSHIP SPDXID)
set(oneValueArgs PACKAGE VERSION LICENSE DOWNLOAD_LOCATION RELATIONSHIP SPDXID SUPPLIER)
set(multiValueArgs EXTREF)
cmake_parse_arguments(
SBOM_PACKAGE "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN}
Expand All @@ -521,10 +535,12 @@ function(sbom_package)

set(_fields)

if(NOT "${SBOM_PACKAGE_VERSION}" STREQUAL "")
set(_fields "${_fields}
PackageVersion: ${SBOM_PACKAGE_VERSION}"
)
if("${SBOM_PACKAGE_VERSION}" STREQUAL "")
set(SBOM_PACKAGE_VERSION "unknown")
endif()

if("${SBOM_PACKAGE_SUPPLIER}" STREQUAL "")
set(SBOM_PACKAGE_SUPPLIER "Person: Anonymous")
endif()

if(NOT "${SBOM_PACKAGE_LICENSE}" STREQUAL "")
Expand Down Expand Up @@ -565,14 +581,16 @@ ExternalRef: ${_ref}"
OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${SBOM_PACKAGE_SPDXID}.cmake
CONTENT
"
file(APPEND \"${_sbom}\"
file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\"
\"
PackageName: ${SBOM_PACKAGE_PACKAGE}
SPDXID: ${SBOM_PACKAGE_SPDXID}
ExternalRef: SECURITY cpe23Type ${SBOM_CPE}
PackageDownloadLocation: ${SBOM_PACKAGE_DOWNLOAD_LOCATION}
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageVersion: ${SBOM_PACKAGE_VERSION}
PackageSupplier: ${SBOM_PACKAGE_SUPPLIER}
FilesAnalyzed: false${_fields}
Relationship: ${SBOM_PACKAGE_RELATIONSHIP}
Relationship: ${SBOM_PACKAGE_SPDXID} CONTAINS NOASSERTION
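Review bot: The `configure_file(\"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"${_sbom}\")` line added to verify.cmake in sbom_finalize substitutes every `${VAR}` and `@VAR@` occurring anywhere in the accumulated SBOM text (file names from sbom_file/sbom_directory, package comments, license strings), not just the `\${SBOM_VERIFICATION_CODE}` placeholder that sbom_generate writes, so such content would be silently rewritten, typically to an empty string, in the final document. Change the placeholder to `PackageVerificationCode: @SBOM_VERIFICATION_CODE@` and call `configure_file(\"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \"${_sbom}\" @ONLY)`, or better, replace configure_file with a `file(READ)`/`string(REPLACE)`/`file(WRITE)` of a sentinel token so that no other substitution or `#cmakedefine` processing can touch SBOM content. The two lines above it that write and hash verification.txt can be replaced by `string(SHA1 SBOM_VERIFICATION_CODE \"\${SBOM_VERIFICATION_CODES}\")`, which hashes the concatenated sorted list directly and leaves no scratch file in the build tree at install time. Separately, the new defaults `PackageSupplier: Organization: Anonymous` (compiler package), `Person: Anonymous` (sbom_package) and `PackageVersion: unknown` record values the caller never supplied; SPDX accepts `NOASSERTION` for PackageSupplier and PackageVersion is optional, so unless the CPE construction needs a version string, prefer those over data that downstream consumers will treat as fact. sbom_generate, sbom_finalize, sbom_file, sbom_directory and sbom_package all start or end outside the hunks shown.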
2 changes: 1 addition & 1 deletion cmake/version.cmake
Expand Up @@ -193,7 +193,7 @@ function(version_generate)
string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+)([-+].*)?$" "\\3"
GIT_VERSION_PATCH "${GIT_VERSION}"
)
string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+)([-+].*)?$" "\\4"
string(REGEX REPLACE "^([0-9]+)\\.([0-9]+)\\.([0-9]+)(([-+].*)?)$" "\\4"
GIT_VERSION_SUFFIX "${GIT_VERSION}"
)
else()
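Review bot: The new `(([-+].*)?)` group makes `\\4` always name a participating subexpression, but `string(REGEX REPLACE)` leaves its input unchanged when the whole pattern fails to match, so a GIT_VERSION that is not plain `MAJOR.MINOR.PATCH[suffix]` (a prefixed or partial tag, for instance) would leave GIT_VERSION_SUFFIX equal to the entire string; if the enclosing `if()`, whose condition lies above the hunk, does not already test `GIT_VERSION MATCHES` the same pattern, guard the replace with it. The sibling replaces for MAJOR, MINOR and PATCH keep the older `([-+].*)?$` tail, which is harmless for `\\1`–`\\3` but worth aligning with the new form so the four patterns read identically. version_generate begins before and continues after this hunk.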