From 9e12b02210d7a8d7a5cc62b008042a2912c17b86 Mon Sep 17 00:00:00 2001 From: Wouter Haffmans Date: Wed, 18 Dec 2024 10:20:22 +0100 Subject: [PATCH 1/7] Fix SBOM generation during CPack Escape the CMAKE_INSTALL_PREFIX variable in the generated scripts. This is then evaluated during installation. CPack uses a custom prefix during its process. With this fix no files are written outside this custom prefix, and no root or admin access is needed. --- cmake/sbom.cmake | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/cmake/sbom.cmake b/cmake/sbom.cmake index 6f7364d..a5e51da 100644 --- a/cmake/sbom.cmake +++ b/cmake/sbom.cmake @@ -124,7 +124,7 @@ function(sbom_generate) if("${SBOM_GENERATE_OUTPUT}" STREQUAL "") set(SBOM_GENERATE_OUTPUT - "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATAROOTDIR}/${PROJECT_NAME}/${PROJECT_NAME}-sbom-${GIT_VERSION_PATH}.spdx" + "\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATAROOTDIR}/${PROJECT_NAME}/${PROJECT_NAME}-sbom-${GIT_VERSION_PATH}.spdx" ) endif() @@ -508,12 +508,12 @@ function(sbom_file) " cmake_policy(SET CMP0011 NEW) cmake_policy(SET CMP0012 NEW) - if(NOT EXISTS ${CMAKE_INSTALL_PREFIX}/${SBOM_FILE_FILENAME}) + if(NOT EXISTS \"\${CMAKE_INSTALL_PREFIX}/${SBOM_FILE_FILENAME}\") if(NOT ${SBOM_FILE_OPTIONAL}) message(FATAL_ERROR \"Cannot find ${SBOM_FILE_FILENAME}\") endif() else() - file(SHA1 ${CMAKE_INSTALL_PREFIX}/${SBOM_FILE_FILENAME} _sha1) + file(SHA1 \${CMAKE_INSTALL_PREFIX}/${SBOM_FILE_FILENAME} _sha1) list(APPEND SBOM_VERIFICATION_CODES \${_sha1}) file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \" 
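Review bot: The escaped default for `SBOM_GENERATE_OUTPUT` in `sbom_generate` follows a prefix that CPack rewrites, but it still ignores `DESTDIR`, which is how staged installs (`make DESTDIR=... install`, and CPack when it is configured to use DESTDIR) redirect files while leaving `CMAKE_INSTALL_PREFIX` unchanged. In that case the SBOM would still be written under the real prefix. The `if(NOT EXISTS ...)`, `file(SHA1 ...)` and `file(GLOB_RECURSE ...)` lines in the `sbom_file` and `sbom_directory` hunks of this patch would likewise hash whatever is installed on the host rather than the staged files, so the recorded checksums may not describe the packaged artifacts. Consider `\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/...` for paths evaluated inside the generated install scripts. How `SBOM_GENERATE_OUTPUT` is consumed lies outside this hunk, so also confirm that no configure-time code still expects an already expanded path.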
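Review bot: The new `file(SHA1 \${CMAKE_INSTALL_PREFIX}/${SBOM_FILE_FILENAME} _sha1)` line in `sbom_file` leaves the path unquoted, although the `if(NOT EXISTS ...)` check above it was quoted in this same change. `${SBOM_FILE_FILENAME}` is pasted into the script text at configure time, so a file name containing a space, or a prefix containing a semicolon, makes the generated script split the path into several arguments; the hash step then fails or reads a different path than the one that was checked. Quote it the same way: `file(SHA1 \"\${CMAKE_INSTALL_PREFIX}/${SBOM_FILE_FILENAME}\" _sha1)`. The generated script this line belongs to starts and ends outside the hunk.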
@@ -632,13 +632,13 @@ function(sbom_directory) CONTENT " file(GLOB_RECURSE _files - LIST_DIRECTORIES false RELATIVE \"${CMAKE_INSTALL_PREFIX}\" - \"${CMAKE_INSTALL_PREFIX}/${SBOM_DIRECTORY_DIRECTORY}/*\" + LIST_DIRECTORIES false RELATIVE \"\${CMAKE_INSTALL_PREFIX}\" + \"\${CMAKE_INSTALL_PREFIX}/${SBOM_DIRECTORY_DIRECTORY}/*\" ) set(_count 0) foreach(_f IN LISTS _files) - file(SHA1 \"${CMAKE_INSTALL_PREFIX}/\${_f}\" _sha1) + file(SHA1 \"\${CMAKE_INSTALL_PREFIX}/\${_f}\" _sha1) list(APPEND SBOM_VERIFICATION_CODES \${_sha1}) file(APPEND \"${PROJECT_BINARY_DIR}/sbom/sbom.spdx.in\" \" From 6ab7154dc98c5862aa173d879e2f42108111e2a1 Mon Sep 17 00:00:00 2001 From: Jochem Rutgers <68805714+jhrutgers@users.noreply.github.com> Date: Wed, 16 Oct 2024 12:03:12 +0200 Subject: [PATCH 2/7] allow reuse-lint during config --- cmake/sbom.cmake | 49 ++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 45 insertions(+), 4 deletions(-) diff --git a/cmake/sbom.cmake b/cmake/sbom.cmake index a5e51da..f954529 100644 --- a/cmake/sbom.cmake +++ b/cmake/sbom.cmake 
@@ -894,28 +894,69 @@ endfunction() # Adds a target that performs `python3 -m reuse lint'. Python is required with the proper packages # installed (see dist/common/requirements.txt). function(reuse_lint) - if(NOT TARGET ${PROJECT_NAME}-reuse-lint) + set(options CONFIG ALL) + set(oneValueArgs TARGET) + set(multiValueArgs) + cmake_parse_arguments(REUSE_LINT "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN}) + + if(NOT REUSE_LINT_TARGET) + set(REUSE_LINT_TARGET ${PROJECT_NAME}-reuse-lint) + endif() + + if(REUSE_LINT_ALL OR NOT REUSE_LINT_CONFIG) + set(lint_all ALL) + else() + set(lint_all) + endif() + + if(NOT TARGET ${REUSE_LINT_TARGET}) sbom_find_python(REQUIRED) add_custom_target( - ${PROJECT_NAME}-reuse-lint ALL + ${REUSE_LINT_TARGET} + ${lint_all} COMMAND ${Python3_EXECUTABLE} -m reuse --root "${PROJECT_SOURCE_DIR}" lint WORKING_DIRECTORY ${PROJECT_SOURCE_DIR} VERBATIM ) endif() + + if(REUSE_LINT_CONFIG) + sbom_find_python(REQUIRED) + + # It seems that there is a race in linting and generating build artifacts. So, run + # this (also) during config, to make sure that there is nothing else going on. + execute_process( + COMMAND ${Python3_EXECUTABLE} -m reuse --root "${PROJECT_SOURCE_DIR}" lint + WORKING_DIRECTORY ${PROJECT_SOURCE_DIR} + RESULT_VARIABLE res + ) + + if(NOT "${res}" EQUAL 0) + message(FATAL_ERROR "${REUSE_LINT_TARGET} failed") + endif() + endif() endfunction() # Adds a target that generates a SPDX file of the source code. Python is required with the proper # packages installed (see dist/common/requirements.txt). 
function(reuse_spdx) - if(NOT TARGET ${PROJECT_NAME}-reuse-spdx) + set(options) + set(oneValueArgs TARGET) + set(multiValueArgs) + cmake_parse_arguments(REUSE_SPDX "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN}) + + if(NOT REUSE_SPDX_TARGET) + set(REUSE_SPDX_TARGET ${PROJECT_NAME}-reuse-spdx) + endif() + + if(NOT TARGET ${REUSE_SPDX_TARGET}) sbom_find_python(REQUIRED) set(outfile "${PROJECT_BINARY_DIR}/${PROJECT_NAME}-src.spdx") add_custom_target( - ${PROJECT_NAME}-reuse-spdx ALL + ${REUSE_SPDX_TARGET} ALL COMMAND ${Python3_EXECUTABLE} -m reuse --root "${PROJECT_SOURCE_DIR}" spdx -o "${outfile}" WORKING_DIRECTORY ${PROJECT_SOURCE_DIR} From b1066c5c0e9b2528a2dfa80ce46cede4d22ccafc Mon Sep 17 00:00:00 2001 From: Jochem Rutgers <68805714+jhrutgers@users.noreply.github.com> Date: Mon, 9 Dec 2024 10:11:04 +0100 Subject: [PATCH 3/7] be robust for non-alphanum chars in branch name --- cmake/version.cmake | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cmake/version.cmake b/cmake/version.cmake index 070d57a..4568613 100644 --- a/cmake/version.cmake +++ b/cmake/version.cmake @@ -152,8 +152,11 @@ function(version_extract) set(GIT_VERSION "${_GIT_VERSION}${version_git_dirty}") else() + string(REGEX REPLACE "[^A-Za-z0-9]+" "+" _version_git_branch + "${version_git_branch}" + ) set(GIT_VERSION - "${version_git_head}+${version_git_branch}${version_build}${version_git_dirty}" + "${version_git_head}+${_version_git_branch}${version_build}${version_git_dirty}" ) endif() From 3b44cc0f0043acf02f1cfeced764a9c096e32edb Mon Sep 17 00:00:00 2001 From: Jochem Rutgers <68805714+jhrutgers@users.noreply.github.com> Date: Thu, 6 Feb 2025 13:32:50 +0100 Subject: [PATCH 4/7] doc --- .github/workflows/ci.yml | 2 +- CHANGELOG.rst | 10 ++++++++-- cmake/sbom.cmake | 2 +- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 12276e5..1a9704e 100644 --- a/.github/workflows/ci.yml 
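Review bot: The configure-time `execute_process` added to `reuse_lint` runs `${Python3_EXECUTABLE} -m reuse` with `WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}`, and `python -m` places the current directory first on the module search path, so a `reuse` module or package in the repository root would be imported instead of the installed tool. The build target already had this property, but configure is often triggered automatically (IDE project load, CI checkout of an unreviewed branch), which makes it a more sensitive place to run code resolved from the source tree. Since `--root "${PROJECT_SOURCE_DIR}"` is passed explicitly, `WORKING_DIRECTORY "${PROJECT_BINARY_DIR}"` looks sufficient for both the target and the configure run, though whether `reuse` relies on the working directory beyond `--root` should be confirmed. Separately, `REUSE_LINT_UNPARSED_ARGUMENTS` is never checked, so a misspelled keyword is silently ignored; `message(FATAL_ERROR "reuse_lint: unknown arguments: ${REUSE_LINT_UNPARSED_ARGUMENTS}")` under an `if()` would catch that. The hunk ends inside `reuse_spdx`, whose body continues outside it.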
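Review bot: The sanitised value is stored in a new local `_version_git_branch` and used only for `GIT_VERSION` in this `else()` branch, so `version_git_branch` itself keeps characters such as `;`, `"` or `$`, which a git ref name may contain. If the raw variable is used anywhere else in `version_extract` (the function starts and ends outside this hunk), for instance in a generated file or a path component, those uses are not covered; sanitising once where the branch name is read would cover them all. The pattern also turns `-` into `+` and can yield consecutive `+` separators when the branch starts with a non-alphanumeric character. A short comment such as `# Collapse anything outside [A-Za-z0-9] to '+' so the branch is safe in version strings and file names` would record the intent.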
+++ b/.github/workflows/ci.yml @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: 2023-2024 Jochem Rutgers +# SPDX-FileCopyrightText: 2023-2025 Jochem Rutgers # # SPDX-License-Identifier: CC0-1.0 diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 1d1c52f..c479268 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,7 +1,7 @@  .. - SPDX-FileCopyrightText: 2023-2024 Jochem Rutgers + SPDX-FileCopyrightText: 2023-2025 Jochem Rutgers SPDX-License-Identifier: CC0-1.0 @@ -23,7 +23,13 @@ The format is based on `Keep a Changelog`_, and this project adheres to `Semanti Added ````` -... +- Allow running ``reuse-lint`` during configure, as workaround for a race in changing files while linting during build. + +Fixed +````` + +- Postpone expansion of ``CMAKE_INSTALL_PREFIX`` for CPack support. +- Handle non-alphanum characters in branch names. .. _Unreleased: https://github.com/DEMCON/cmake-sbom/compare/v1.1.2...HEAD diff --git a/cmake/sbom.cmake b/cmake/sbom.cmake index f954529..f9dc801 100644 --- a/cmake/sbom.cmake +++ b/cmake/sbom.cmake @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: 2023-2024 Jochem Rutgers +# SPDX-FileCopyrightText: 2023-2025 Jochem Rutgers # # SPDX-License-Identifier: MIT From 116b711f368e819c5bd006df367d83181a3c645d Mon Sep 17 00:00:00 2001 From: Jochem Rutgers <68805714+jhrutgers@users.noreply.github.com> Date: Thu, 6 Feb 2025 13:41:56 +0100 Subject: [PATCH 5/7] remove deprecated cmake versions --- CMakeLists.txt | 6 +++--- cmake/version.cmake | 4 ++-- example/CMakeLists.txt | 6 +++--- test/CMakeLists.txt | 6 +++--- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 456bb93..6a1c902 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -1,12 +1,12 @@ -# SPDX-FileCopyrightText: 2023-2024 Jochem Rutgers +# SPDX-FileCopyrightText: 2023-2025 Jochem Rutgers # # SPDX-License-Identifier: MIT # This file only performs a few sanity checks on the repo. No building is required to use the # cmake/*.cmake files. -cmake_minimum_required(VERSION 3.5) -cmake_policy(VERSION 3.5) +cmake_minimum_required(VERSION 3.10) +cmake_policy(VERSION 3.10) project(cmake-sbom) diff --git a/cmake/version.cmake b/cmake/version.cmake index 4568613..93d6b63 100644 --- a/cmake/version.cmake +++ b/cmake/version.cmake @@ -1,8 +1,8 @@ -# SPDX-FileCopyrightText: 2023-2024 Jochem Rutgers +# SPDX-FileCopyrightText: 2023-2025 Jochem Rutgers # # SPDX-License-Identifier: MIT -cmake_minimum_required(VERSION 3.5) +cmake_minimum_required(VERSION 3.10) if(COMMAND version_generate) version_extract() diff --git a/example/CMakeLists.txt b/example/CMakeLists.txt index 2e6149a..bf6fdf1 100644 --- a/example/CMakeLists.txt +++ b/example/CMakeLists.txt @@ -1,12 +1,12 @@ -# SPDX-FileCopyrightText: 2023-2024 Jochem Rutgers +# SPDX-FileCopyrightText: 2023-2025 Jochem Rutgers # # SPDX-License-Identifier: CC0-1.0 # ################################################################################################## # Preamble -cmake_minimum_required(VERSION 3.7.1) -cmake_policy(VERSION 3.7.1) +cmake_minimum_required(VERSION 3.10) +cmake_policy(VERSION 3.10) project(example-project) diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt index 6ede5d9..58e52e7 100644 --- a/test/CMakeLists.txt +++ b/test/CMakeLists.txt @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: 2023-2024 Jochem Rutgers +# SPDX-FileCopyrightText: 2023-2025 Jochem Rutgers # # SPDX-License-Identifier: MIT @@ -18,8 +18,8 @@ function(test name) make_directory(${_dir}/build) set(TEST_PREAMBLE - "cmake_minimum_required(VERSION 3.5) -cmake_policy(VERSION 3.5) + "cmake_minimum_required(VERSION 3.10) +cmake_policy(VERSION 3.10) project(${name})" ) 
From 7cde1604f5154e38c05dc3e0c6da2138e72fd24e Mon Sep 17 00:00:00 2001 From: Jochem Rutgers <68805714+jhrutgers@users.noreply.github.com> Date: Thu, 6 Feb 2025 14:02:42 +0100 Subject: [PATCH 6/7] doc --- README.rst | 68 +++++++++++++++++++++++++++++++++++++++++++++++- cmake/sbom.cmake | 10 ++++--- 2 files changed, 73 insertions(+), 5 deletions(-) diff --git a/README.rst b/README.rst index 04003d4..5d67b17 100644 --- a/README.rst +++ b/README.rst @@ -18,7 +18,7 @@ It automates two tasks: The version extraction helps to get the version in the application and SBOM right. The SBOM contains the files you mention explicitly, just like you mention what to ``install()`` in CMake. -To integrate this library in your project, see `below ` for basic instructions or the `example`_ for a complete example project. +To integrate this library in your project, see `below `_ for basic instructions or the `example`_ for a complete example project. .. _SPDX: https://spdx.github.io/spdx-spec/v2.3/ .. _NTIA: http://ntia.gov/SBOM @@ -36,6 +36,9 @@ To integrate this library in your project, see `below ` for bas - `sbom_generate() `_ - `sbom_add() `_ - `sbom_finalize() `_ + - `REUSE compliance `_ + - `reuse_lint() `_ + - `reuse_spdx() `_ - `How to use `_ - `Testing `_ - `License `_ 
@@ -390,6 +393,69 @@ Finalize the SBOM and verify its contents and/or format. +.. _sec_reuse: + +|   + +REUSE +----- + +This section lists a few functions that help with `REUSE`_ compliance of your repository. + +.. _sec_reuse_lint: + +|   + +``reuse_lint`` +`````````````` + +Perform checking for `REUSE`_ compliance of the project repository source files. + +.. code:: cmake + + reuse_lint( + [TARGET ] + [CONFIG] [ALL] + ) + +``TARGET`` + Target name to run the linter. + Defaults to ``${PROJECT_NAME}-reuse-lint`` when omitted. + +``CONFIG`` + Run the linting during CMake configure instead of during build. + When this flag is set, the target is still created too. + +``ALL`` + Add a dependency from ``all`` to the ``TARGET``. + + + +.. _sec_reuse_spdx: + +|   + +``reuse_spdx`` +`````````````` + +Export an SPDX file based on the source code of the project with copyright and license information. + +.. code:: cmake + + reuse_spdx( + [TARGET ] + [OUTPUT ] + ) + +``TARGET`` + Target name that executes the exporter. + Defaults to ``${PROJECT_NAME}-reuse-spdx``. + +``OUTPUT`` + The output SPDX file. + + + .. _sec_how_to_use: |   diff --git a/cmake/sbom.cmake b/cmake/sbom.cmake index f9dc801..2c6296b 100644 --- a/cmake/sbom.cmake +++ b/cmake/sbom.cmake @@ -942,7 +942,7 @@ endfunction() # packages installed (see dist/common/requirements.txt). function(reuse_spdx) set(options) - set(oneValueArgs TARGET) + set(oneValueArgs TARGET OUTPUT) set(multiValueArgs) cmake_parse_arguments(REUSE_SPDX "${options}" "${oneValueArgs}" "${multiValueArgs}" ${ARGN}) 
@@ -950,15 +950,17 @@ function(reuse_spdx) set(REUSE_SPDX_TARGET ${PROJECT_NAME}-reuse-spdx) endif() + if(NOT REUSE_SPDX_OUTPUT) + set(REUSE_SPDX_OUTPUT "${PROJECT_BINARY_DIR}/${PROJECT_NAME}-src.spdx") + endif() + if(NOT TARGET ${REUSE_SPDX_TARGET}) sbom_find_python(REQUIRED) - set(outfile "${PROJECT_BINARY_DIR}/${PROJECT_NAME}-src.spdx") - add_custom_target( ${REUSE_SPDX_TARGET} ALL COMMAND ${Python3_EXECUTABLE} -m reuse --root "${PROJECT_SOURCE_DIR}" spdx - -o "${outfile}" + -o "${REUSE_SPDX_OUTPUT}" WORKING_DIRECTORY ${PROJECT_SOURCE_DIR} VERBATIM ) From 8e530245772b66c2c040664d0fba92be54beee08 Mon Sep 17 00:00:00 2001 From: Jochem Rutgers <68805714+jhrutgers@users.noreply.github.com> Date: Thu, 6 Feb 2025 14:08:40 +0100 Subject: [PATCH 7/7] doc --- CHANGELOG.rst | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index c479268..517cbc7 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -23,6 +23,18 @@ The format is based on `Keep a Changelog`_, and this project adheres to `Semanti Added ````` +... + +.. _Unreleased: https://github.com/DEMCON/cmake-sbom/compare/v1.2.0...HEAD + + + +`1.2.0`_ - 2025-02-06 +--------------------- + +Added +````` + - Allow running ``reuse-lint`` during configure, as workaround for a race in changing files while linting during build. Fixed @@ -31,7 +43,7 @@ Fixed - Postpone expansion of ``CMAKE_INSTALL_PREFIX`` for CPack support. - Handle non-alphanum characters in branch names. -.. _Unreleased: https://github.com/DEMCON/cmake-sbom/compare/v1.1.2...HEAD +.. _1.2.0: https://github.com/DEMCON/cmake-sbom/releases/tag/v1.2.0
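Review bot: A relative `OUTPUT` given to `reuse_spdx` is passed to `-o` unchanged while the command runs with `WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}`, so `OUTPUT foo.spdx` writes the generated file into the source tree, where later `reuse` runs may pick it up. Resolving it against the build directory first keeps generated files out of the sources: `get_filename_component(REUSE_SPDX_OUTPUT "${REUSE_SPDX_OUTPUT}" ABSOLUTE BASE_DIR "${PROJECT_BINARY_DIR}")`. Adding `BYPRODUCTS "${REUSE_SPDX_OUTPUT}"` to the `add_custom_target` call would also let the generator track and clean the file. The rest of `reuse_spdx` lies outside the hunk.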