Sbom Options

sithlord48 · Nov 30, 2023 · 0f8a3ed · 0f8a3ed
1 parent 8638f04
commit 0f8a3ed
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 6 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -78,19 +78,19 @@ jobs:
            name: "Linux-x86_64"
            , os: ubuntu-20.04
            , QT_INST_DIR: /opt, Qt_TOOL_PATH: "/opt/Qt/Tools/QtInstallerFramework/4.6"
-           , extraCmakeConfig: "-DCMAKE_INSTALL_LIBDIR=lib -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++"
+           , extraCmakeConfig: "-DCMAKE_INSTALL_LIBDIR=lib -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DNTIA_CHECK_SBOM=ON"
           }
         - {
             name: "MacOS"
             , os: macos-latest
             , QT_INST_DIR: /Users/runner, Qt_TOOL_PATH: "/Users/runner/Qt/Tools/QtInstallerFramework/4.6"
-            , extraCmakeConfig: "-DCMAKE_OSX_ARCHITECTURES=\"arm64;x86_64\""
+            , extraCmakeConfig: "-DCMAKE_OSX_ARCHITECTURES=\"arm64;x86_64\" -DNTIA_CHECK_SBOM=ON"
           }
         - {
             name: "Windows-x64"
             , os: windows-2019
             , QT_INST_DIR: "C:", Qt_TOOL_PATH: "C:/Qt/Tools/QtInstallerFramework/4.6"
-            , extraCmakeConfig: "-DZLIB_ROOT=C:/zlib"
+            , extraCmakeConfig: "-DZLIB_ROOT=C:/zlib -DNTIA_CHECK_SBOM=ON"
           }
     steps:
     - uses: actions/checkout@v3
@@ -117,7 +117,8 @@ jobs:
             C:/ProgramData/chocolatey/lib/Graphviz
             C:/Program*/doxygen/
             C:/Program*/Graphviz/
-        key: cache-chocolatey${{ matrix.config.WIN_ARCH }}
+            C:/Python*/
+        key: cache-chocolatey${{ matrix.config.WIN_ARCH }}-zlib-1-3-python312
 
     - name: Setup MSVC Shell For Windows
       if: runner.os == 'Windows'
@@ -130,7 +131,7 @@ jobs:
         if [ "$RUNNER_OS" == "Linux" ]; then
             sudo apt-get update > /dev/null && sudo apt-get install -qqq doxygen graphviz devscripts libxkbcommon-x11-0 ninja-build clang > /dev/null
         elif [ "$RUNNER_OS" == "Windows" ]; then
-            choco install ninja doxygen.install graphviz
+            choco install ninja doxygen.install graphviz python312
         else
             brew install doxygen graphviz ninja
         fi
@@ -156,6 +157,19 @@ jobs:
         echo "C:\zlib\bin\" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
         echo "C:\Program Files\doxygen\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
         echo "C:\Program Files\Graphviz\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+        echo "C:\Python312" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+
+    - name: Update pipx
+      if: (runner.os == 'Windows')
+      shell: bash
+      run: python3 -m pip install --user --upgrade pipx
+
+    - name: Install SPDX Tooling
+      shell: bash
+      run: |
+        pipx install ntia-conformance-checker
+        pipx install spdx-tools
+        pipx install reuse
     - name: Build ff7tk
       run: |
         ${{env.cmakeConfigure}} -DCPACK_PACKAGE_VERSION="${{ needs.precheck.outputs.version }}" -DCPACK_IFW_ROOT=${{matrix.config.Qt_TOOL_PATH}} ${{matrix.config.extraCmakeConfig}}

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -172,5 +172,22 @@ if(NOT TARGET uninstall)
     COMMAND ${CMAKE_COMMAND} -P "${CMAKE_CURRENT_BINARY_DIR}/uninstall.cmake")
 endif()
 
-sbom_finalize(NO_VERIFY)
+option(NTIA_CHECK_SBOM "VERIFY Generated sbom with NTIA Compliance Checker" OFF)
+if (NOT NTIA_CHECK_SBOM)
+    set(NO_VERIFY "NO_VERIFY")
+endif()
+
+option(SBOM_GRAPH "Create a Graph of the Sbom" OFF)
+if(SBOM_GRAPH)
+    set(GRAPH "GRAPH ${CMAKE_CURRENT_BINARY_DIR}/sbom-${CMAKE_PROJECT_NAME}-${CMAKE_PROJECT_VERSION}-spdx.png")
+endif()
+
+sbom_finalize(
+    ${NO_VERIFY}
+    ${GRPAH}
+)
+
 install(FILES ${CMAKE_CURRENT_BINARY_DIR}/sbom-${CMAKE_PROJECT_NAME}-${CMAKE_PROJECT_VERSION}.spdx DESTINATION share/ff7tk COMPONENT ff7tk_libraries)
+if(SBOM_GRAPH)
+    install(FILES ${CMAKE_CURRENT_BINARY_DIR}/sbom-${CMAKE_PROJECT_NAME}-${CMAKE_PROJECT_VERSION}-spdx.png DESTINATION share/ff7tk COMPONENT ff7tk_libraries)
+endif()
diff --git a/docs/build.md b/docs/build.md
@@ -36,6 +36,9 @@ UTILS                    | Build ff7tkUtils.                       | ON
 WIDGETS                  | Build ff7tkWidgets.                     | ON                 | |
 SPLITPACKAGES            | Create Split Packages                   | OFF                | |
 CLEAN_TRS                | Remove Obsolete Translation Entries     | OFF                | |
+NTIA_CHECK_SBOM          | Check the generated SBom for NTIA compliance | OFF           | [ntia-conformance-checker] |
+SBOM_GRAPH               | Generate Sbom graph                     | OFF                | [spsx-tools] |
+
 Enabling Demos will allow you to set this additional options all are enabled by default
        Demo              |            Description                  |
 :-----------------------:|:---------------------------------------:|
@@ -113,8 +116,14 @@ You can use FF7Tk::translationList to get a QMap<QString, QTranslation*> of all
   - ff7tkUtils
     -- QtGui, ZLib
 
+### Sbom Generation
+ A Software Bill Of Materials will be generated and installed into share/ff7tk
+ The SBOM is generated at install time and does not require any additional software on the build system
+ Generating a graph or verifing the sbom is ntia compliant requires additonal software see the option table above.
 
 [Qt]:https://www.qt.io
 [doxygen]:http://www.stack.nl/~dimitri/doxygen/
 [cmake]:https://cmake.org/
 [zlib]:https://zlib.net/
+[ntia-conformance-checker]:https://github.com/spdx/ntia-conformance-checker
+[spdx-tools]:https://github.com/spdx/sbom-tools