commit bcb64083828e8258acfb67deb93fd1d6f8026fa4
parent cb0e70b16a674921aa9774a253ada8408618c1ab
Author: Christian Grothoff <grothoff@gnunet.org>
Date: Tue, 31 Mar 2026 13:57:03 +0200
add logic to generate SPDX files
Diffstat:
5 files changed, 155 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
@@ -61,3 +61,4 @@ stamp-h[0-9]
/.clangd
/.cache/
compile_commands.json
+libmicrohttpd-spdx.json
diff --git a/Makefile.am b/Makefile.am
@@ -6,6 +6,9 @@ if BUILD_DOC
SUBDIRS += doc
endif
+sbomdir = $(datadir)/libmicrohttpd
+sbom_DATA = libmicrohttpd-spdx.json
+
W32COMMON = \
w32/common/vs_dirs.props \
w32/common/project-configs.props \
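Review bot: `sbom_DATA = libmicrohttpd-spdx.json` is declared unconditionally, but the macro added in m4/make-sbom.m4 only creates that file when `jq` is found at configure time and otherwise just warns. On a host without `jq` there is no rule and no file for this target, so `make` and `make install` would most likely fail. Guard the two added lines with an Automake conditional set by the macro, for example `if HAVE_SBOM` / `sbom_DATA = libmicrohttpd-spdx.json` / `endif` (the conditional name is only a suggestion). The configure-generated file should also be listed in `DISTCLEANFILES` so that `make distcheck` does not find it left behind.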
@@ -58,7 +61,8 @@ W32VSAV = \
W32VS_ALL = $(W32COMMON) $(W32VS2017) $(W32VS2019) $(W32VS2022) $(W32VSAV)
EXTRA_DIST = \
- $(W32VS_ALL)
+ $(W32VS_ALL) \
+ libmicrohttpd-spdx.json.in
EXTRA_DIST += pre-dist-hook-dummy
MOSTLYCLEANFILES = pre-dist-hook-dummy
diff --git a/configure.ac b/configure.ac
@@ -9540,6 +9540,9 @@ AC_MSG_NOTICE([Toolchain settings:
LDFLAGS= "$fin_lib_LDFLAGS"
LIBS= "$fin_lib_LIBS"
])
+
+MHD_GENERATE_SBOM3([$fin_lib_LIBS])
+
AS_UNSET([fin_CPPFLAGS])
AS_UNSET([fin_CFLAGS])
AS_UNSET([fin_LDFLAGS])
diff --git a/libmicrohttpd-spdx.json.in b/libmicrohttpd-spdx.json.in
@@ -0,0 +1,27 @@
+{
+ "spdxVersion": "SPDX-3.0",
+ "dataLicense": "CC0-1.0",
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "libmicrohttpd2-SPDX-3.0-Document",
+ "documentNamespace": "https://gnu.org/s/libmicrohttpd/",
+ "creationInfo": {
+ "created": "2026-03-31T12:00:00Z",
+ "authors": [
+ "Tool: configure"
+ ]
+ },
+
+ "elements": [
+ {
+ "type": "Package",
+ "SPDXID": "SPDXRef-Package-libmicrohttpd2",
+ "name": "libmicrohttpd2",
+ "versionInfo": "2.0.0",
+ "downloadLocation" : "http://ftp.gnu.org/gnu/libmicrohttpd/libmicrohttpd2-2.0.0.tar.gz",
+ "homepage": "https://gnu.org/s/libmicrohttpd/",
+ "licenseConcluded": "LGPL-3.0-or-later",
+ "licenseDeclared": "LGPL-3.0-or-later"
+ }
+ ],
+ "relationships" : []
+}
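Review bot: `downloadLocation` is pinned to the `libmicrohttpd2-2.0.0.tar.gz` tarball and uses plain `http://`, while the configure-time jq step in m4/make-sbom.m4 rewrites only `.elements[0].versionInfo`. An SBOM generated for any other `PACKAGE_VERSION` would therefore carry a version and a download URL that disagree, and consumers would be pointed at an unauthenticated transport. Derive the URL from the same `$ver` in the jq program and use `https://ftp.gnu.org/...`. `created` is likewise the fixed literal `2026-03-31T12:00:00Z` rather than the generation time. The field names (`SPDXID`, `documentNamespace`, `licenseConcluded`) look like the SPDX 2.x JSON layout although `spdxVersion` says `SPDX-3.0`, so it is worth running the output through an SPDX validator.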
diff --git a/m4/make-sbom.m4 b/m4/make-sbom.m4
@@ -0,0 +1,119 @@
+AC_DEFUN([MHD_GENERATE_SBOM3], [
+
+ AC_CHECK_PROG([HAVE_JQ], [jq], [yes], [no])
+ AC_CHECK_PROG([HAVE_PKG_CONFIG], [pkg-config], [yes], [no])
+
+ if test "x$HAVE_JQ" = "xyes";
+ then
+ AC_MSG_NOTICE([jq found, generating SBOM v3])
+
+ jq --arg ver "$PACKAGE_VERSION" '
+ .elements[[0]].versionInfo=$ver' \
+ < "$srcdir/libmicrohttpd-spdx.json.in" \
+ > libmicrohttpd-spdx.json
+
+ for l in $1;
+ do
+ AC_MSG_NOTICE([processing $l])
+
+ AS_CASE([$l],
+ [-lssl], [:],
+ [-lcrypto], [
+ dep_ver=UNKNOWN
+ if test "x$HAVE_PKG_CONFIG" = "xyes" && pkg-config --exists openssl;
+ then
+ dep_ver=`pkg-config --modversion openssl 2>/dev/null`
+ fi
+ jqprog='
+ .elements += [[{
+ type:"Package",
+ SPDXID:"SPDXRef-Package-OpenSSL",
+ name:"OpenSSL",
+ versionInfo:$ver,
+ downloadLocation: "https://github.com/openssl/openssl/releases/download/",
+ homepage: "https://openssl.org/",
+ licenseConcluded: "OpenSSL-3.0",
+ licenseDeclared: "OpenSSL-3.0"
+ }]] |
+ .relationships += [[{
+ type:"Relationship",
+ SPDXID:"SPDXRef-Rel-OpenSSL",
+ relationshipType:"DEPENDS_ON",
+ from:"SPDXRef-Package-libmicrohttpd2",
+ to:"SPDXRef-Package-OpenSSL"
+ }]]'
+ jq --arg ver "$dep_ver" "$jqprog" \
+ < libmicrohttpd-spdx.json \
+ > libmicrohttpd-spdx.json.tmp &&
+ mv libmicrohttpd-spdx.json.tmp libmicrohttpd-spdx.json
+ ],
+ [-lgnutls], [
+ dep_ver=UNKNOWN
+ if test "x$HAVE_PKG_CONFIG" = "xyes" && pkg-config --exists gnutls;
+ then
+ dep_ver=`pkg-config --modversion gnutls 2>/dev/null`
+ fi
+
+ jqprog='
+ .elements += [[{
+ type:"Package",
+ SPDXID:"SPDXRef-Package-GnuTLS",
+ name:"GnuTLS",
+ versionInfo:$ver,
+ downloadLocation : "https://www.gnupg.org/ftp/gcrypt/gnutls/",
+ homepage: "https://gnutls.org/",
+ licenseConcluded: "LGPL-2.1-or-later",
+ licenseDeclared: "LGPL-2.1-or-later"
+ }]] |
+ .relationships += [[{
+ type:"Relationship",
+ SPDXID:"SPDXRef-Rel-GnuTLS",
+ relationshipType:"DEPENDS_ON",
+ from:"SPDXRef-Package-libmicrohttpd2",
+ to:"SPDXRef-Package-GnuTLS"
+ }]]'
+ jq --arg ver "$dep_ver" "$jqprog" \
+ < libmicrohttpd-spdx.json \
+ > libmicrohttpd-spdx.json.tmp &&
+ mv libmicrohttpd-spdx.json.tmp libmicrohttpd-spdx.json
+ ],
+ [-lmbedtls], [
+ dep_ver=UNKNOWN
+ if test "x$HAVE_PKG_CONFIG" = "xyes" && pkg-config --exists mbedtls;
+ then
+ dep_ver=`pkg-config --modversion mbedtls 2>/dev/null`
+ fi
+
+ jqprog='
+ .elements += [[{
+ type:"Package",
+ SPDXID:"SPDXRef-Package-mbedTLS",
+ name:"mbedTLS",
+ versionInfo:$ver,
+ homepage: "https://www.trustedfirmware.org/projects/mbed-tls/",
+ downloadLocation: "https://github.com/Mbed-TLS/mbedtls",
+ licenseConcluded: "Apache-2.0",
+ licenseDeclared: "Apache-2.0"
+ }]] |
+ .relationships += [[{
+ type:"Relationship",
+ SPDXID:"SPDXRef-Rel-mbedTLS",
+ relationshipType:"DEPENDS_ON",
+ from:"SPDXRef-Package-libmicrohttpd2",
+ to:"SPDXRef-Package-mbedTLS"
+ }]]'
+ jq --arg ver "$dep_ver" "$jqprog" \
+ < libmicrohttpd-spdx.json \
+ > libmicrohttpd-spdx.json.tmp &&
+ mv libmicrohttpd-spdx.json.tmp libmicrohttpd-spdx.json
+ ],
+ [-lpthread], [:]
+ )
+ done
+
+ AC_MSG_NOTICE([SBOM written to libmicrohttpd-spdx.json])
+ else
+ AC_MSG_WARN([jq not available, SBOM not generated])
+ fi
+])
+
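Review bot: None of the jq invocations in `MHD_GENERATE_SBOM3` has its exit status checked before `AC_MSG_NOTICE([SBOM written to libmicrohttpd-spdx.json])`. A failure of the first call leaves an empty or truncated libmicrohttpd-spdx.json, and a failure in a dependency branch skips the `mv`, leaves the `.tmp` file behind and silently drops that dependency from the SBOM. Appending `|| AC_MSG_ERROR([failed to generate SBOM])` to each pipeline, or warning and removing the partial file, would prevent an incomplete document from being installed as if it were authoritative. The `AS_CASE` has no default branch, so any other `-l` entry in `$1` is omitted without a message; a final `[AC_MSG_WARN([no SBOM entry for $l])]` argument would make such gaps visible. Separately, `OpenSSL-3.0` does not appear to be an SPDX license-list identifier (OpenSSL 3.x is distributed under Apache-2.0), and the version from `pkg-config --modversion` describes the build host's development package, which may differ from the library loaded at run time.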