Generate SBOM info

WE2-1144

Signed-off-by: Raul Metsma <raul@metsma.ee>

Author: metsma

.github/workflows/cmake-linux-fedora.yml

@@ -29,9 +29,13 @@ jobs:
         run: cmake -DCMAKE_BUILD_TYPE=$BUILD_TYPE -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_INSTALL_SYSCONFDIR=/etc -B build -S .
 
       - name: Build
-        run: cmake --build build --config $BUILD_TYPE --target package
+        run: |
+          cmake --build build --config $BUILD_TYPE --target package
+          cmake --install build/sbom
 
       - uses: actions/upload-artifact@v7
         with:
           name: web-eid-app-fedora-build-fedora${{matrix.container}}-${{github.run_number}}
-          path: build/*rpm
+          path: |
+            build/*rpm
+            build/*.spdx

.github/workflows/cmake-linux-ubuntu.yml

@@ -17,7 +17,7 @@ jobs:
     container: ubuntu:${{matrix.container}}
     strategy:
       matrix:
-        container: ['22.04', '24.04', '25.04', '25.10']
+        container: ['22.04', '24.04', '25.10', '26.04']
         arch: ['amd64', 'arm64']
 
     steps:
@@ -35,6 +35,7 @@ jobs:
       - name: Build
         run: |
           cmake --build build --config $BUILD_TYPE --target installer
+          cmake --install build/sbom
           # Debian creates artifacts outside of project dir, copy them back to make them available in the build artifacts
           mv ../web-eid*.* build/
 
@@ -44,4 +45,6 @@ jobs:
       - uses: actions/upload-artifact@v7
         with:
           name: web-eid-app-ubuntu-build-ubuntu${{matrix.container}}-${{ matrix.arch }}-${{github.run_number}}
-          path: build/*.*deb
+          path: |
+            build/*.*deb
+            build/*.spdx

.github/workflows/cmake-macos.yml

@@ -77,6 +77,7 @@ jobs:
           cmake --build ${BUILD_DIR} --config ${BUILD_TYPE}
           cmake --build ${BUILD_DIR} --config ${BUILD_TYPE} --target installer
           cmake --build ${BUILD_DIR} --config ${BUILD_TYPE} --target installer-safari
+          cmake --install build/sbom
 
       #- name: Test
       #  run: ctest -V -C ${BUILD_TYPE} --test-dir ${BUILD_DIR}
@@ -88,3 +89,9 @@ jobs:
           path: |
             build/src/app/*.pkg
             build/src/app/*.dmg
+
+      - name: Upload SBOM artifacts
+        uses: actions/upload-artifact@v7
+        with:
+          name: web-eid-app-macos-sbom-${{github.run_number}}
+          path: build/*.spdx

.github/workflows/cmake-windows.yml

@@ -67,6 +67,7 @@ jobs:
           cmake --build build --config ${env:BUILD_TYPE}
           cmake --build build --config ${env:BUILD_TYPE} --target installer
           cmake --build build --config ${env:BUILD_TYPE} --target bundle
+          cmake --install build/sbom
 
       - name: Test
         if: ${{ matrix.arch == 'x64' }}
@@ -80,6 +81,12 @@ jobs:
             build/src/app/*.msi
             build/src/app/*.exe
 
+      - name: Upload SBOM artifacts
+        uses: actions/upload-artifact@v7
+        with:
+          name: web-eid-app-windows-sbom-${{matrix.arch}}-${{github.run_number}}
+          path: build/*.spdx
+
       - name: Upload debug artifacts
         uses: actions/upload-artifact@v7
         with:

.gitmodules

@@ -4,3 +4,7 @@
 [submodule "src/mac/js"]
 	path = src/mac/js
 	url = ../web-eid-webextension
+[submodule "cmake/cmake-sbom"]
+	path = cmake/cmake-sbom
+	url = https://github.com/DEMCON/cmake-sbom.git
+	branch = v1.4.0

CMakeLists.txt

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: Estonian Information System Authority
+# SPDX-License-Identifier: MIT
+
 cmake_minimum_required(VERSION 3.22)
 
 if(NOT EXISTS "${CMAKE_SOURCE_DIR}/lib/libelectronic-id/README.md")
@@ -50,3 +53,4 @@ endif()
 enable_testing()
 add_subdirectory(tests/mock-ui)
 add_subdirectory(tests/tests)
+include(cmake/sbom.cmake)

build.sh

@@ -1,4 +1,6 @@
 #!/bin/bash
+# SPDX-FileCopyrightText: Estonian Information System Authority
+# SPDX-License-Identifier: MIT
 
 set -e
 set -u

cmake/cmake-sbom

@@ -0,0 +1,151 @@
+# SPDX-FileCopyrightText: Estonian Information System Authority
+# SPDX-License-Identifier: MIT
+
+# SBOM generation using DEMCON/cmake-sbom (SPDX 2.3, install-time)
+# Run: cmake --install <build-dir>/sbom
+
+list(APPEND CMAKE_MODULE_PATH "${CMAKE_SOURCE_DIR}/cmake/cmake-sbom/cmake")
+include(sbom)
+
+execute_process(
+    COMMAND git describe --tags --abbrev=0
+    WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}/lib/libelectronic-id"
+    OUTPUT_VARIABLE ELECTRONIC_ID_VERSION
+    OUTPUT_STRIP_TRAILING_WHITESPACE
+    ERROR_QUIET
+)
+string(REGEX REPLACE "^v" "" ELECTRONIC_ID_VERSION "${ELECTRONIC_ID_VERSION}")
+
+sbom_generate(
+    OUTPUT "${CMAKE_BINARY_DIR}/web-eid-${PROJECT_VERSION}.spdx"
+    LICENSE "MIT"
+    SUPPLIER "Estonian Information System Authority"
+    SUPPLIER_URL https://www.ria.ee
+    DOWNLOAD_URL https://github.com/web-eid/web-eid-app
+    VERSION "${PROJECT_VERSION}"
+)
+
+set(_sbom_reset "${CMAKE_BINARY_DIR}/sbom/sbom-reset.cmake")
+file(WRITE "${_sbom_reset}"
+    "file(WRITE \"${CMAKE_BINARY_DIR}/sbom/sbom.spdx.in\" \"\")\n"
+    "file(READ \"${CMAKE_BINARY_DIR}/SPDXRef-DOCUMENT.spdx.in\" _doc)\n"
+    "file(APPEND \"${CMAKE_BINARY_DIR}/sbom/sbom.spdx.in\" \"\${_doc}\")\n"
+    "set(SBOM_VERIFICATION_CODES \"\")\n"
+)
+file(APPEND "${CMAKE_BINARY_DIR}/sbom/CMakeLists.txt"
+    "install(SCRIPT \"${_sbom_reset}\")\n"
+)
+
+set(_app_spdxid "SPDXRef-Package-${PROJECT_NAME} DEPENDS_ON @SBOM_LAST_SPDXID@")
+if(APPLE)
+    sbom_add(PACKAGE web-eid-safari
+        VERSION "${PROJECT_VERSION}"
+        SUPPLIER "Organization: Estonian Information System Authority"
+        DOWNLOAD_LOCATION https://github.com/web-eid/web-eid-app
+        LICENSE "MIT"
+        EXTREF "cpe:2.3:a:web-eid:web-eid:${PROJECT_VERSION}:*:*:*:*:*:*:*"
+        RELATIONSHIP "@SBOM_LAST_SPDXID@ VARIANT_OF SPDXRef-Package-${PROJECT_NAME}"
+    )
+    set(_app_spdxid "${_app_spdxid}\nRelationship: ${SBOM_LAST_SPDXID} DEPENDS_ON @SBOM_LAST_SPDXID@")
+    file(READ "${CMAKE_SOURCE_DIR}/src/mac/js/package.json" _webext_json)
+    string(JSON WEBEXT_VERSION GET "${_webext_json}" "version")
+    sbom_add(PACKAGE web-eid-webextension
+        VERSION "${WEBEXT_VERSION}"
+        SUPPLIER "Organization: Estonian Information System Authority"
+        DOWNLOAD_LOCATION https://github.com/web-eid/web-eid-webextension
+        LICENSE "MIT"
+        RELATIONSHIP "${SBOM_LAST_SPDXID} DEPENDS_ON @SBOM_LAST_SPDXID@"
+    )
+    if(NPM_EXECUTABLE)
+        execute_process(
+            COMMAND "${NPM_EXECUTABLE}" --version
+            OUTPUT_VARIABLE NPM_VERSION
+            OUTPUT_STRIP_TRAILING_WHITESPACE
+            ERROR_QUIET
+        )
+        string(REGEX REPLACE "^v" "" NPM_VERSION "${NPM_VERSION}")
+    endif()
+    if(NPM_VERSION)
+        sbom_add(PACKAGE npm
+            VERSION "${NPM_VERSION}"
+            SUPPLIER "Organization: OpenJS Foundation"
+            DOWNLOAD_LOCATION https://www.npmjs.com
+            LICENSE "Artistic-2.0"
+            EXTREF "cpe:2.3:a:npmjs:npm:${NPM_VERSION}:*:*:*:*:*:*:*"
+            RELATIONSHIP "@SBOM_LAST_SPDXID@ BUILD_TOOL_OF ${SBOM_LAST_SPDXID}"
+        )
+    endif()
+endif()
+
+if(WIN32)
+    find_program(WIX_EXECUTABLE NAMES wix)
+    if(WIX_EXECUTABLE)
+        execute_process(
+            COMMAND "${WIX_EXECUTABLE}" --version
+            OUTPUT_VARIABLE WIX_VERSION
+            OUTPUT_STRIP_TRAILING_WHITESPACE
+            ERROR_QUIET
+        )
+        string(REGEX REPLACE "\\+.*$" "" WIX_VERSION "${WIX_VERSION}")
+    endif()
+    if(WIX_VERSION)
+        sbom_add(PACKAGE WiX
+            VERSION "${WIX_VERSION}"
+            SUPPLIER "Organization: WiX Toolset Contributors"
+            DOWNLOAD_LOCATION https://wixtoolset.org
+            LICENSE "MS-RL"
+            EXTREF "cpe:2.3:a:wixtoolset:wix_toolset:${WIX_VERSION}:*:*:*:*:*:*:*"
+        )
+    endif()
+endif()
+
+sbom_add(PACKAGE libelectronic-id
+    VERSION "${ELECTRONIC_ID_VERSION}"
+    SUPPLIER "Organization: Estonian Information System Authority"
+    DOWNLOAD_LOCATION https://github.com/web-eid/libelectronic-id
+    LICENSE "MIT"
+    EXTREF "cpe:2.3:a:web-eid:libelectronic-id:${ELECTRONIC_ID_VERSION}:*:*:*:*:*:*:*"
+    RELATIONSHIP "${_app_spdxid}"
+)
+
+find_package(GTest QUIET)
+if(GTest_FOUND)
+    sbom_add(PACKAGE GTest
+        VERSION "${GTest_VERSION}"
+        SUPPLIER "Organization: Google LLC"
+        DOWNLOAD_LOCATION https://github.com/google/googletest
+        LICENSE "BSD-3-Clause"
+        EXTREF "cpe:2.3:a:google:googletest:${GTest_VERSION}:*:*:*:*:*:*:*"
+        RELATIONSHIP "${SBOM_LAST_SPDXID} TEST_TOOL_OF @SBOM_LAST_SPDXID@"
+    )
+endif()
+
+if(PCSC_FOUND)
+    sbom_add(PACKAGE libpcsclite
+        VERSION "${PCSC_VERSION}"
+        SUPPLIER "Organization: Muscle project"
+        DOWNLOAD_LOCATION https://pcsclite.apdu.fr
+        LICENSE "BSD-3-Clause"
+        EXTREF "cpe:2.3:a:pcsc-lite_project:pcsc-lite:${PCSC_VERSION}:*:*:*:*:*:*:*"
+    )
+endif()
+
+sbom_add(PACKAGE Qt6
+    VERSION "${Qt6_VERSION}"
+    SUPPLIER "Organization: The Qt Company"
+    DOWNLOAD_LOCATION https://download.qt.io/
+    LICENSE "LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only OR LicenseRef-Qt-commercial"
+    EXTREF "cpe:2.3:a:qt:qt:${Qt6_VERSION}:*:*:*:*:*:*:*"
+    RELATIONSHIP "${_app_spdxid}"
+)
+
+sbom_add(PACKAGE OpenSSL
+    VERSION "${OPENSSL_VERSION}"
+    SUPPLIER "Organization: OpenSSL Software Foundation"
+    DOWNLOAD_LOCATION https://openssl.org
+    LICENSE "Apache-2.0"
+    EXTREF "cpe:2.3:a:openssl:openssl:${OPENSSL_VERSION}:*:*:*:*:*:*:*"
+    RELATIONSHIP "${_app_spdxid}"
+)
+
+sbom_finalize(NO_VERIFY)

cmake/sbom.cmake

@@ -1,4 +1,6 @@
 <?xml version="1.0" encoding="utf-8" standalone="no"?>
+<!-- SPDX-FileCopyrightText: Estonian Information System Authority -->
+<!-- SPDX-License-Identifier: MIT -->
 <!--
 https://developer.apple.com/library/mac/documentation/DeveloperTools/Reference/DistributionDefinitionRef/
 https://developer.apple.com/library/mac/documentation/DeveloperTools/Reference/InstallerJavaScriptRef/