fix(sbom): correctness fixes from code review

Hard-error on LicenseRef-* without --license-text, route NOASSERTION
via license.name, strip C comments in options.h, NUL-join derived
UUIDs, and detect git worktrees for SOURCE_DATE_EPOCH.

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>

Author: sameehj

Makefile.am

@@ -416,7 +416,7 @@ sbom:
 	fi; \
 	echo "SBOM: hashing $$sbom_lib"; \
 	if test -z "$${SOURCE_DATE_EPOCH:-}" && test -n "$(GIT)" && \
-	   test -d "$(srcdir)/.git"; then \
+	   $(GIT) -C "$(srcdir)" rev-parse --git-dir >/dev/null 2>&1; then \
 	    SOURCE_DATE_EPOCH=`$(GIT) -C "$(srcdir)" log -1 --format=%ct 2>/dev/null || echo`; \
 	    export SOURCE_DATE_EPOCH; \
 	fi; \

doc/CRA.md

@@ -147,9 +147,9 @@ the document; conformant validators (e.g. `pyspdxtools`, `ntia-conformance-check
 will reject the SBOM otherwise.  The file should contain the plain-text
 licence agreement you received from wolfSSL.
 
-If you omit `SBOM_LICENSE_TEXT` the generator emits a placeholder and prints
-a warning — useful for quick experiments, but the result is **not** valid for
-distribution to customers or regulators.
+If `SBOM_LICENSE_OVERRIDE` is set to a `LicenseRef-*` and `SBOM_LICENSE_TEXT`
+is missing, `make sbom` exits with an error rather than emit an invalid SBOM
+that might end up in front of a regulator.
 
 For a stock SPDX-listed identifier (`Apache-2.0`, `MIT`, etc.) the
 `SBOM_LICENSE_TEXT` argument is unnecessary because validators already know

doc/SBOM.md

@@ -98,13 +98,12 @@ python3 scripts/gen-sbom \
     ... other flags ...
 ```
 
-`--license-text` is required whenever `--license-override` is a custom
+`--license-text` is **required** whenever `--license-override` is a custom
 `LicenseRef-*`: SPDX 2.3 mandates that any LicenseRef in `licenseConcluded`
 or `licenseDeclared` be backed by a `hasExtractedLicensingInfos` entry that
-embeds the actual licence text.  Without it, validators such as
-`pyspdxtools` and `ntia-conformance-checker` reject the document.  The
-generator emits a placeholder and a warning in that case so the bug is
-visible, but the SBOM is *not* valid for downstream consumers.
+embeds the actual licence text.  Running without it is a configuration
+error and the generator exits non-zero rather than emit a misleading SBOM
+that auditors might then circulate.
 
 For an SPDX-listed override (`Apache-2.0`, `MIT`, etc.), `--license-text`
 is unnecessary because validators already know the canonical text.

scripts/gen-sbom

@@ -20,8 +20,13 @@ SBOM_UUID_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, 'https://wolfssl.com/sbom/'
 def derived_uuid(*parts):
     """Deterministic UUID from joined parts under the wolfSSL SBOM namespace.
     Re-runs of `make sbom` against the same source produce identical UUIDs,
-    which is required for reproducible-build-style SBOM hashing."""
-    return str(uuid.uuid5(SBOM_UUID_NAMESPACE, '/'.join(parts)))
+    which is required for reproducible-build-style SBOM hashing.
+
+    Uses NUL as a separator so no aliasing is possible between e.g.
+    derived_uuid('a/b', 'c') and derived_uuid('a', 'b/c'); NUL cannot
+    appear in any of the call-site inputs (package name, version, role
+    label, dep key)."""
+    return str(uuid.uuid5(SBOM_UUID_NAMESPACE, '\x00'.join(parts)))
 
 
 def build_timestamp():
@@ -148,6 +153,11 @@ def cdx_license_block(license_expr, license_text):
       * `license.name`    - a non-listed licence (e.g. a LicenseRef-*)
       * `expression`      - a compound SPDX expression
     Picking the wrong shape causes downstream tooling to reject the SBOM."""
+    # NOASSERTION is a reserved SPDX value, not a parseable SPDX expression;
+    # emit it via license.name so CDX validators don't choke trying to parse
+    # it as one.
+    if license_expr == 'NOASSERTION':
+        return [{'license': {'name': 'NOASSERTION'}}]
     if is_simple_spdx_id(license_expr):
         return [{'license': {'id': license_expr}}]
     refs = extract_license_refs(license_expr)
@@ -246,7 +256,11 @@ def dep_version(key):
 
 def parse_options_h(path):
     """Parse wolfssl/options.h and return sorted deduplicated list of
-    (name, value) pairs for every #define found."""
+    (name, value) pairs for every #define found.
+
+    Trailing C/C++ comments on a #define line (`#define HAVE_FOO 42 /* x */`
+    or `// y`) are stripped; otherwise they would land verbatim in the
+    SBOM build properties."""
     try:
         with open(path) as f:
             text = f.read()
@@ -255,8 +269,10 @@ def parse_options_h(path):
         return []
 
     defines = {}
-    for m in re.finditer(r'^#define[ \t]+(\w+)(?:[ \t]+(.+))?$', text, re.MULTILINE):
-        defines[m.group(1)] = (m.group(2) or '').strip()
+    for m in re.finditer(r'^#define[ \t]+(\w+)(?:[ \t]+(.*))?$', text, re.MULTILINE):
+        raw = (m.group(2) or '')
+        raw = re.split(r'/\*|//', raw, maxsplit=1)[0]
+        defines[m.group(1)] = raw.strip()
     return sorted(defines.items())
 
 
@@ -515,10 +531,15 @@ def main():
 
     license_text = load_license_text(args.license_text)
     if extract_license_refs(license_id) and license_text is None:
-        print("WARNING: --license-override uses a LicenseRef-* but "
-              "--license-text was not provided; the SBOM will embed a "
-              "placeholder. Provide SBOM_LICENSE_TEXT=<path> for full "
-              "SPDX compliance.", file=sys.stderr)
+        sys.exit(
+            "ERROR: --license-override contains a LicenseRef-* identifier "
+            "but --license-text was not provided.\n"
+            "       SPDX 2.3 requires the licence text to be embedded in "
+            "hasExtractedLicensingInfos for any LicenseRef-* used in "
+            "licenseConcluded/licenseDeclared.\n"
+            "       Re-run with --license-text PATH (or "
+            "`make sbom SBOM_LICENSE_TEXT=PATH`)."
+        )
 
     build_props = parse_options_h(args.options_h)
     lib_hash = sha256_file(args.lib)