refactor(sbom): DRY library glob, tighten regression tests

sameehj · sameehj · commit 45e25860b974 · 2026-05-01T11:18:25.000+03:00
Hoist the shared dynamic-library basenames into a Make variable used
by both `sbom:` and `bomsh:`; add a sha256_file negative test and
freshness checks for the build_timestamp fallback.

Signed-off-by: Sameeh Jubran &lt;sameeh@wolfssl.com&gt;
diff --git a/Makefile.am b/Makefile.am
@@ -357,6 +357,18 @@ SBOM_SPDX    = wolfssl-$(PACKAGE_VERSION).spdx.json
 SBOM_SPDX_TV = wolfssl-$(PACKAGE_VERSION).spdx
 sbomdir      = $(datadir)/doc/$(PACKAGE)
 
+# Shared-library / Mach-O basenames in priority order (versioned first).
+# Both `sbom:` and `bomsh:` glob for these under their own search prefixes;
+# adding a new platform-specific dynamic-library extension here updates
+# both targets at once.  Static (.a) and Windows (.dll/.lib) variants are
+# listed inline at each call-site because their ordering and prefixes
+# differ between the install tree and the build tree.
+WOLFSSL_LIB_DSO_BASENAMES = \
+    libwolfssl.so.[0-9]* \
+    libwolfssl.so \
+    libwolfssl.[0-9]*.dylib \
+    libwolfssl.dylib
+
 .PHONY: sbom install-sbom uninstall-sbom
 
 # Stage a `make install` into a private tree, discover the installed library
@@ -395,10 +407,7 @@ sbom:
 	$(MAKE) install DESTDIR=$(abs_builddir)/_sbom_staging; \
 	sbom_lib=""; \
 	for lib in \
-	    "$(abs_builddir)/_sbom_staging$(libdir)"/libwolfssl.so.[0-9]* \
-	    "$(abs_builddir)/_sbom_staging$(libdir)"/libwolfssl.so \
-	    "$(abs_builddir)/_sbom_staging$(libdir)"/libwolfssl.[0-9]*.dylib \
-	    "$(abs_builddir)/_sbom_staging$(libdir)"/libwolfssl.dylib \
+	    $(addprefix "$(abs_builddir)/_sbom_staging$(libdir)"/,$(WOLFSSL_LIB_DSO_BASENAMES)) \
 	    "$(abs_builddir)/_sbom_staging$(libdir)"/libwolfssl.dll \
 	    "$(abs_builddir)/_sbom_staging$(libdir)"/libwolfssl.dll.a \
 	    "$(abs_builddir)/_sbom_staging$(libdir)"/libwolfssl.lib \
@@ -495,10 +504,7 @@ bomsh:
 	fi; \
 	bomsh_artifact=""; \
 	for lib in \
-	    $(abs_builddir)/src/.libs/libwolfssl.so.[0-9]* \
-	    $(abs_builddir)/src/.libs/libwolfssl.so \
-	    $(abs_builddir)/src/.libs/libwolfssl.[0-9]*.dylib \
-	    $(abs_builddir)/src/.libs/libwolfssl.dylib \
+	    $(addprefix $(abs_builddir)/src/.libs/,$(WOLFSSL_LIB_DSO_BASENAMES)) \
 	    $(abs_builddir)/src/.libs/libwolfssl.a \
 	    $(abs_builddir)/src/libwolfssl.a; do \
 	    if test -f "$$lib"; then bomsh_artifact="$$lib"; break; fi; \
diff --git a/scripts/test_gen_sbom.py b/scripts/test_gen_sbom.py
@@ -18,6 +18,7 @@
 import tempfile
 import unittest
 import uuid
+from datetime import datetime, timedelta, timezone
 from importlib.machinery import SourceFileLoader
 
 
@@ -226,15 +227,24 @@ def test_two_calls_with_same_sde_match(self):
     def test_invalid_sde_falls_back_to_now(self):
         os.environ['SOURCE_DATE_EPOCH'] = 'not-a-number'
         dt, ts = gs.build_timestamp()
-        # Should still produce a UTC ISO-Z timestamp; we only check shape.
+        # Shape check.
         self.assertRegex(
             ts, r'\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z\Z')
+        # Freshness check: regression guard against a future change that
+        # accidentally hard-codes the fallback (e.g. epoch zero).  Five
+        # seconds is generous for a unit test on slow runners.
+        self.assertLess(
+            abs(dt - datetime.now(tz=timezone.utc)),
+            timedelta(seconds=5))
 
     def test_no_sde_is_current_utc(self):
         os.environ.pop('SOURCE_DATE_EPOCH', None)
-        _, ts = gs.build_timestamp()
+        dt, ts = gs.build_timestamp()
         self.assertRegex(
             ts, r'\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z\Z')
+        self.assertLess(
+            abs(dt - datetime.now(tz=timezone.utc)),
+            timedelta(seconds=5))
 
 
 class TestLoadLicenseText(unittest.TestCase):
@@ -257,6 +267,27 @@ def test_missing_file_exits(self):
             gs.load_license_text('/no/such/path/please.txt')
 
 
+class TestSha256File(unittest.TestCase):
+    def test_real_file_hashes_to_known_value(self):
+        # Empty file's SHA-256 is well-known; sanity-checks the chunked
+        # read path produces the same digest as a one-shot hash.
+        with tempfile.NamedTemporaryFile('wb', delete=False) as f:
+            path = f.name
+        try:
+            empty_sha256 = ('e3b0c44298fc1c149afbf4c8996fb924'
+                            '27ae41e4649b934ca495991b7852b855')
+            self.assertEqual(gs.sha256_file(path), empty_sha256)
+        finally:
+            os.unlink(path)
+
+    def test_missing_file_exits_cleanly(self):
+        # Regression guard: gen-sbom must surface a missing --lib path as
+        # a clean non-zero exit, not an unhandled OSError, so `make sbom`
+        # fails fast with a useful message instead of a Python traceback.
+        with self.assertRaises(SystemExit):
+            gs.sha256_file('/no/such/library/please.so')
+
+
 class TestParseOptionsH(unittest.TestCase):
     def _parse(self, body):
         with tempfile.NamedTemporaryFile('w', suffix='.h',
