diff --git a/example/CMakeLists.txt b/example/CMakeLists.txt index 35af0fa..e29e52c 100644 --- a/example/CMakeLists.txt +++ b/example/CMakeLists.txt @@ -1,13 +1,13 @@ -# SPDX-FileCopyrightText: 2023-2024 Jochem Rutgers -# -# SPDX-License-Identifier: CC0-1.0 - -# ################################################################################################## -# Preamble - cmake_minimum_required(VERSION 3.16) -project(example-project) +project(Example + VERSION 0.3.0 + DESCRIPTION "Example project for SBOM-Builder" + LANGUAGES CXX + HOMEPAGE_URL "https://github.com/sodgeit/CMake-SBOM-Builder" +) + +set(CMAKE_CXX_STANDARD 20) # Set some install location. This should probably be done by scripts that control CMake, but for # this example, embed it here. 
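Review bot: After this hunk the top of example/CMakeLists.txt carries no `SPDX-License-Identifier` or copyright tag, while `sbom_generate` in the next hunk still declares `LICENSE CC0-1.0` for the project; the same header is dropped from example/example.cpp in this commit. Per-file license tags are what license scanners and REUSE-style checks read, and an example for an SBOM generator is a natural place to show them. I would keep a header on the new side, e.g. `# SPDX-License-Identifier: CC0-1.0` together with `# SPDX-FileCopyrightText: <year> <copyright holder>` (placeholder values, to be filled in by the maintainers).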
@@ -15,43 +15,90 @@ if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT) set(CMAKE_INSTALL_PREFIX "${CMAKE_CURRENT_BINARY_DIR}/install" CACHE PATH "" FORCE) endif() -# ################################################################################################## -# SBOM setup -include(../cmake/sbom.cmake) +# This example uses CPM to download dependencies. This is not required for SBOM generation, +# but for a simple example like this, it allows us to build the project without any dependencies. +file( + DOWNLOAD + https://github.com/cpm-cmake/CPM.cmake/releases/download/v0.40.2/CPM.cmake + ${CMAKE_CURRENT_BINARY_DIR}/cmake/CPM.cmake + EXPECTED_HASH SHA256=c8cdc32c03816538ce22781ed72964dc864b2a34a310d3b7104812a5ca2d835d +) +include(${CMAKE_CURRENT_BINARY_DIR}/cmake/CPM.cmake) -version_extract() -# Setup the SBOM to be generated during install. +# Include the SBOM.cmake file to generate the SBOM. +include(../cmake/sbom.cmake) + +# Now we can start building the sbom. +# This is the only required call to generate the SBOM. It has to be called before any other +# sbom_add_* function. sbom_generate( - OUTPUT - ${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATAROOTDIR}/example/sbom-${GIT_VERSION_PATH}.spdx LICENSE CC0-1.0 - SUPPLIER Example - SUPPLIER_URL https://example_company.com + SUPPLIER ${PROJECT_NAME} + SUPPLIER_URL ${PROJECT_HOMEPAGE_URL} ) -# ################################################################################################## -# Example binary +# mention the dependencies used in the SBOM +CPMAddPackage( "gh:jarro2783/cxxopts@3.2.0" ) +sbom_add_package( + cxxopts + VERSION 3.2.0 + SUPPLIER "Jarryd Beck (https://github.com/jarro2783/cxxopts)" + LICENSE MIT +) -# We now have set GIT_VERSION and friends set to the current project's version. We also have a -# version static library, version.sh and version.txt for further processing. 
-version_generate() +CPMAddPackage( + NAME Boost + VERSION 1.85.0 + URL https://github.com/boostorg/boost/releases/download/boost-1.85.0/boost-1.85.0-cmake.tar.gz + URL_HASH SHA256=ab9c9c4797384b0949dd676cf86b4f99553f8c148d767485aaac412af25183e6 + OPTIONS "BOOST_INCLUDE_LIBRARIES algorithm" +) +sbom_add_package( + Boost + VERSION "1.85.0" + SUPPLIER "https://www.boost.org" + LICENSE BSL-1.0 +) + +# The SBOM-Builder does not have a built-in feature to add +# something conditionally. You have to use CMake's controlflow. +if(SOME_FLAG_ENABLED) + find_package(some_package 8.0.1 REQUIRED) + sbom_add_package( + package + VERSION 8.0.1 + SUPPLIER "Some Supplier" + LICENSE MIT + ) +endif() add_executable(example example.cpp) -target_link_libraries(example ${PROJECT_NAME}-version) -# Install the application. -install(TARGETS example RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}) +# generate the version header and script files +version_generate() -# Mention the example binary in the SBOM. -sbom_add_target(example) +target_link_libraries(example + PRIVATE + ${PROJECT_NAME}-version # this is the generated version target + cxxopts + Boost::algorithm +) + +# Now mention all files that would be contained in a distributed archive/package. + +# Install the version header and mention it in the SBOM. +install(FILES ${VERSION_INC_DIR}/${PROJECT_NAME}_version.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}) +sbom_add_file(${CMAKE_INSTALL_INCLUDEDIR}/${PROJECT_NAME}_version.h FILETYPE SOURCE) # Install some other documentation (the version in this case). install(FILES ${VERSION_DOC_DIR}/version.txt DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/example) - -# Mention the version file in the SBOM. sbom_add_file(${CMAKE_INSTALL_DATAROOTDIR}/example/version.txt FILETYPE DOCUMENTATION TEXT) -# Trigger SBOM finalization and verification. +# Install the application & mention the example binary in the SBOM. 
+install(TARGETS example RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}) +sbom_add_target(example) + +# Trigger SBOM finalization. sbom_finalize() diff --git a/example/example.cpp b/example/example.cpp index 705ccd3..a262459 100644 --- a/example/example.cpp +++ b/example/example.cpp @@ -1,13 +1,39 @@ -// SPDX-FileCopyrightText: 2023-2024 Jochem Rutgers -// -// SPDX-License-Identifier: CC0-1.0 +#include -// Include generated version header file. -#include +#include +#include +#include -#include - -int main() +int main(int argc, char* argv[]) { - printf("Our version is: %s\n", EXAMPLE_PROJECT_VERSION); + printf("This projects version is: %s", EXAMPLE_VERSION); + + // clang-format off + cxxopts::Options options("CPM-Test", "Testing CPM"); + options.add_options() + ("a", "Option A") + ("b", "Option B") + ("c", "Option C"); + // clang-format on + + auto result = options.parse(argc, argv); + + if (result["a"].as()) + { + printf("Option 'a' is set"); + } + if (result["b"].as()) + { + printf("Option 'b' is set"); + } + if (result["c"].as()) + { + printf("Option 'c' is set"); + } + + printf("Boost clamp: %d", boost::algorithm::clamp(5, 0, 10)); + printf("Boost clamp: %d", boost::algorithm::clamp(5, 7, 10)); + printf("Boost clamp: %d", boost::algorithm::clamp(5, 0, 3)); + + exit(EXIT_SUCCESS); } diff --git a/example/output/Example-sbom-0.3.0.spdx b/example/output/Example-sbom-0.3.0.spdx new file mode 100644 index 0000000..7c445bc --- /dev/null +++ b/example/output/Example-sbom-0.3.0.spdx 
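Review bot: `CPMAddPackage( "gh:jarro2783/cxxopts@3.2.0" )` resolves the dependency by version tag only, so unlike the CPM.cmake download (`EXPECTED_HASH`) and the Boost archive (`URL_HASH`) in this same hunk, nothing verifies the content that is fetched, and a tag can be moved upstream. Pin it to an immutable reference, e.g. `CPMAddPackage(NAME cxxopts GITHUB_REPOSITORY jarro2783/cxxopts VERSION 3.2.0 GIT_TAG <full-commit-sha-for-v3.2.0>)` (placeholder; take the SHA from the upstream repository), or use the `URL`/`URL_HASH` form already used for Boost. The versions are also typed twice, once for CPM and once for `sbom_add_package`, so the SBOM can drift from what is actually built; one variable per dependency used in both calls would keep them in step. In the `if(SOME_FLAG_ENABLED)` block, `find_package(some_package ...)` and `sbom_add_package(package ...)` use different names, which shows the same drift in miniature.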
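Review bot: `options.parse(argc, argv)` in the new `main` has no exception handling, and cxxopts reports bad command lines (an unrecognised option, for instance) by throwing, so any stray argument ends the example through an uncaught exception instead of a usage message. Wrap the parse and the `result[...]` reads in `try { ... } catch (const std::exception& e) { fprintf(stderr, "%s\n", e.what()); return EXIT_FAILURE; }`. The new `printf` calls also have no trailing `\n`, so the version line, the option messages and the three clamp results run together on one output line. The include targets and the `as()` template arguments appear stripped in this rendering, so they cannot be checked from here.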
@@ -0,0 +1,94 @@ +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: Example-sbom-v0.3.0-13-gd5b28ae+comprehensive-example+dirty.spdx +DocumentNamespace: https://github.com/sodgeit/CMake-SBOM-Builder/spdxdocs/Example-v0.3.0-13-gd5b28ae+comprehensive-example+dirty +Creator: Organization: Example +Creator: Tool: CMake-SBOM-Builder-0.0.0-development-version +CreatorComment: This SPDX document was created from CMake 3.30.1, using CMake-SBOM-Builder from https://github.com/sodgeit/CMake-SBOM-Builder +Created: 2024-08-29T09:16:55Z + +PackageName: Clang +SPDXID: SPDXRef-compiler +PackageVersion: 18.1.8 +PackageDownloadLocation: NOASSERTION +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +PackageSupplier: Organization: Anonymous +FilesAnalyzed: false +PackageSummary: The compiler as identified by CMake, running on Windows (AMD64) +PrimaryPackagePurpose: APPLICATION +Relationship: SPDXRef-compiler CONTAINS NOASSERTION +Relationship: SPDXRef-compiler BUILD_DEPENDENCY_OF SPDXRef-Example +RelationshipComment: SPDXRef-Example is built by compiler Clang (C:/Program Files/LLVM/bin/clang++.exe) version 18.1.8 + +PackageName: Example +SPDXID: SPDXRef-Example +ExternalRef: SECURITY cpe23Type cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:* +ExternalRef: PACKAGE-MANAGER purl pkg:supplier/Example/Example@v0.3.0-13-gd5b28ae+comprehensive-example+dirty +PackageVersion: v0.3.0-13-gd5b28ae+comprehensive-example+dirty +PackageSupplier: Organization: Example +PackageDownloadLocation: NOASSERTION +PackageLicenseConcluded: CC0-1.0 +PackageLicenseDeclared: CC0-1.0 +PackageCopyrightText: 2024;Example +PackageHomePage: https://github.com/sodgeit/CMake-SBOM-Builder +PackageComment: Built by CMake 3.30.1 with Release configuration for Windows (AMD64) +PackageVerificationCode: eab840722ebab9379e046b88ce0e6f6f616a2eb6 +BuiltDate: 2024-08-29T09:16:55Z +Relationship: SPDXRef-DOCUMENT DESCRIBES 
SPDXRef-Example + +PackageName: cxxopts +SPDXID: SPDXRef-cxxopts-0 +ExternalRef: SECURITY cpe23Type cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:* +PackageDownloadLocation: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +PackageVersion: 3.2.0 +PackageSupplier: Jarryd Beck (https://github.com/jarro2783/cxxopts) +FilesAnalyzed: false +PackageLicenseConcluded: MIT +Relationship: SPDXRef-Example DEPENDS_ON SPDXRef-cxxopts-0 +Relationship: SPDXRef-cxxopts-0 CONTAINS NOASSERTION + +PackageName: Boost +SPDXID: SPDXRef-Boost-1 +ExternalRef: SECURITY cpe23Type cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:* +PackageDownloadLocation: NOASSERTION +PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION +PackageVersion: 1.85.0 +PackageSupplier: https://www.boost.org +FilesAnalyzed: false +PackageLicenseConcluded: BSL-1.0 +Relationship: SPDXRef-Example DEPENDS_ON SPDXRef-Boost-1 +Relationship: SPDXRef-Boost-1 CONTAINS NOASSERTION + +FileName: ./include/Example_version.h +SPDXID: SPDXRef-include-Example-version-h-2 +FileType: SOURCE +FileChecksum: SHA1: d8531f8bb2896353ae13c24ec84324ebbc11a1e4 +LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION +Relationship: SPDXRef-Example CONTAINS SPDXRef-include-Example-version-h-2 + +FileName: ./share/example/version.txt +SPDXID: SPDXRef-share-example-version-txt-3 +FileType: DOCUMENTATION +FileType: TEXT +FileChecksum: SHA1: ad9f5f85711c66b6fce6975f6b7c489863e60974 +LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION +Relationship: SPDXRef-Example CONTAINS SPDXRef-share-example-version-txt-3 + +FileName: ./bin/example.exe +SPDXID: SPDXRef-bin-TARGET-FILE-NAME-example-4 +FileType: BINARY +FileChecksum: SHA1: eaf3cf61d5fdccd5fc90dbfe6ec3aa4da3641754 +LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION +Relationship: SPDXRef-Example CONTAINS 
SPDXRef-bin-TARGET-FILE-NAME-example-4 diff --git a/example/output/sbom-1.1.2.spdx b/example/output/sbom-1.1.2.spdx deleted file mode 100644 index 311ed2e..0000000 --- a/example/output/sbom-1.1.2.spdx +++ /dev/null 
@@ -1,59 +0,0 @@ -SPDXVersion: SPDX-2.3 -DataLicense: CC0-1.0 -SPDXID: SPDXRef-DOCUMENT -DocumentName: sbom-1 -DocumentNamespace: https://demcon.com/spdxdocs/example-project-1.1.2 -Creator: Organization: Demcon -Creator: Tool: cmake-sbom -CreatorComment: This SPDX document was created from CMake 3.21.0, using cmake-sbom -from https://github.com/DEMCON/cmake-sbom -Created: 2024-05-23T21:45:34Z - -PackageName: GNU -SPDXID: SPDXRef-compiler -PackageVersion: 11.4.0 -PackageDownloadLocation: NOASSERTION -PackageLicenseConcluded: NOASSERTION -PackageLicenseDeclared: NOASSERTION -PackageCopyrightText: NOASSERTION -PackageSupplier: Organization: Anonymous -FilesAnalyzed: false -PackageSummary: The compiler as identified by CMake, running on Linux (x86_64) -PrimaryPackagePurpose: APPLICATION -Relationship: SPDXRef-compiler CONTAINS NOASSERTION -Relationship: SPDXRef-compiler BUILD_DEPENDENCY_OF SPDXRef-Package-example-project -RelationshipComment: SPDXRef-Package-example-project is built by compiler GNU (/usr/bin/c++) version 11.4.0 - -PackageName: example-project -SPDXID: SPDXRef-Package-example-project -ExternalRef: SECURITY cpe23Type cpe:2.3:o:canonical:ubuntu_linux:-:*:*:*:*:*:x86_64:* -ExternalRef: PACKAGE-MANAGER purl pkg:supplier/Demcon/example-project@1.1.2 -PackageVersion: 1.1.2 -PackageSupplier: Organization: Demcon -PackageDownloadLocation: NOASSERTION -PackageLicenseConcluded: CC0-1.0 -PackageLicenseDeclared: CC0-1.0 -PackageCopyrightText: 2024 Demcon -PackageHomePage: https://demcon.com -PackageComment: Built by CMake 3.21.0 with Debug configuration for Linux (x86_64) -PackageVerificationCode: e7587f0702027a367d76cd9b07918233ddd9c298 -BuiltDate: 2024-05-23T21:45:34Z -Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-example-project - -FileName: ./bin/example -SPDXID: SPDXRef-bin-TARGET-FILE-NAME-example-0 -FileType: BINARY -FileChecksum: SHA1: 7a9bd3c9f411cf5805e42bfaaea9fe965a2cfeeb -LicenseConcluded: NOASSERTION -LicenseInfoInFile: NOASSERTION 
-FileCopyrightText: NOASSERTION -Relationship: SPDXRef-Package-example-project CONTAINS SPDXRef-bin-TARGET-FILE-NAME-example-0 - -FileName: ./share/example/version.txt -SPDXID: SPDXRef-share-example-version-txt-1 -FileType: DOCUMENTATION -FileChecksum: SHA1: e3429934f4f3ac1c68dc8b2eef6c7df0aa7a7f9c -LicenseConcluded: NOASSERTION -LicenseInfoInFile: NOASSERTION -FileCopyrightText: NOASSERTION -Relationship: SPDXRef-Package-example-project CONTAINS SPDXRef-share-example-version-txt-1