sodgeit · Avus-c · Sep 2, 2024 · Aug 29, 2024
diff --git a/example/CMakeLists.txt b/example/CMakeLists.txt
@@ -1,57 +1,104 @@
-# SPDX-FileCopyrightText: 2023-2024 Jochem Rutgers
-#
-# SPDX-License-Identifier: CC0-1.0
-
-# ##################################################################################################
-# Preamble
-
 cmake_minimum_required(VERSION 3.16)
 
-project(example-project)
+project(Example
+	VERSION 0.3.0
+	DESCRIPTION "Example project for SBOM-Builder"
+	LANGUAGES CXX
+	HOMEPAGE_URL "https://github.com/sodgeit/CMake-SBOM-Builder"
+)
+
+set(CMAKE_CXX_STANDARD 20)
 
 # Set some install location. This should probably be done by scripts that control CMake, but for
 # this example, embed it here.
 if(CMAKE_INSTALL_PREFIX_INITIALIZED_TO_DEFAULT)
 	set(CMAKE_INSTALL_PREFIX "${CMAKE_CURRENT_BINARY_DIR}/install" CACHE PATH "" FORCE)
 endif()
 
-# ##################################################################################################
-# SBOM setup
 
-include(../cmake/sbom.cmake)
+# This example uses CPM to download dependencies. This is not required for SBOM generation,
+# but for a simple example like this, it allows us to build the project without any dependencies.
+file(
+	DOWNLOAD
+	https://github.com/cpm-cmake/CPM.cmake/releases/download/v0.40.2/CPM.cmake
+	${CMAKE_CURRENT_BINARY_DIR}/cmake/CPM.cmake
+	EXPECTED_HASH SHA256=c8cdc32c03816538ce22781ed72964dc864b2a34a310d3b7104812a5ca2d835d
+)
+include(${CMAKE_CURRENT_BINARY_DIR}/cmake/CPM.cmake)
 
-version_extract()
 
-# Setup the SBOM to be generated during install.
+# Include the SBOM.cmake file to generate the SBOM.
+include(../cmake/sbom.cmake)
+
+# Now we can start building the sbom.
+# This is the only required call to generate the SBOM. It has to be called before any other
+# sbom_add_* function.
 sbom_generate(
-	OUTPUT
-		${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATAROOTDIR}/example/sbom-${GIT_VERSION_PATH}.spdx
 	LICENSE CC0-1.0
-	SUPPLIER Example
-	SUPPLIER_URL https://example_company.com
+	SUPPLIER ${PROJECT_NAME}
+	SUPPLIER_URL ${PROJECT_HOMEPAGE_URL}
 )
 
-# ##################################################################################################
-# Example binary
+# mention the dependencies used in the SBOM
+CPMAddPackage( "gh:jarro2783/[email protected]" )
+sbom_add_package(
+	cxxopts
+	VERSION 3.2.0
+	SUPPLIER "Jarryd Beck (https://github.com/jarro2783/cxxopts)"
+	LICENSE MIT
+)
 
-# We now have set GIT_VERSION and friends set to the current project's version.  We also have a
-# version static library, version.sh and version.txt for further processing.
-version_generate()
+CPMAddPackage(
+	NAME Boost
+	VERSION 1.85.0
+	URL https://github.com/boostorg/boost/releases/download/boost-1.85.0/boost-1.85.0-cmake.tar.gz
+	URL_HASH SHA256=ab9c9c4797384b0949dd676cf86b4f99553f8c148d767485aaac412af25183e6
+	OPTIONS "BOOST_INCLUDE_LIBRARIES algorithm"
+)
+sbom_add_package(
+	Boost
+	VERSION "1.85.0"
+	SUPPLIER "https://www.boost.org"
+	LICENSE BSL-1.0
+)
+
+# The SBOM-Builder does not have a built-in feature to add
+# something conditionally. You have to use CMake's controlflow.
+if(SOME_FLAG_ENABLED)
+	find_package(some_package 8.0.1 REQUIRED)
+	sbom_add_package(
+		package
+		VERSION 8.0.1
+		SUPPLIER "Some Supplier"
+		LICENSE MIT
+	)
+endif()
 
 add_executable(example example.cpp)
-target_link_libraries(example ${PROJECT_NAME}-version)
 
-# Install the application.
-install(TARGETS example RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR})
+# generate the version header and script files
+version_generate()
 
-# Mention the example binary in the SBOM.
-sbom_add_target(example)
+target_link_libraries(example
+	PRIVATE
+	${PROJECT_NAME}-version # this is the generated version target
+	cxxopts
+	Boost::algorithm
+)
+
+# Now mention all files that would be contained in a distributed archive/package.
+
+# Install the version header and mention it in the SBOM.
+install(FILES ${VERSION_INC_DIR}/${PROJECT_NAME}_version.h DESTINATION ${CMAKE_INSTALL_INCLUDEDIR})
+sbom_add_file(${CMAKE_INSTALL_INCLUDEDIR}/${PROJECT_NAME}_version.h FILETYPE SOURCE)
 
 # Install some other documentation (the version in this case).
 install(FILES ${VERSION_DOC_DIR}/version.txt DESTINATION ${CMAKE_INSTALL_DATAROOTDIR}/example)
-
-# Mention the version file in the SBOM.
 sbom_add_file(${CMAKE_INSTALL_DATAROOTDIR}/example/version.txt FILETYPE DOCUMENTATION TEXT)
 
-# Trigger SBOM finalization and verification.
+# Install the application & mention the example binary in the SBOM.
+install(TARGETS example RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR})
+sbom_add_target(example)
+
+# Trigger SBOM finalization.
 sbom_finalize()
diff --git a/example/example.cpp b/example/example.cpp
@@ -1,13 +1,39 @@
-// SPDX-FileCopyrightText: 2023-2024 Jochem Rutgers
-//
-// SPDX-License-Identifier: CC0-1.0
+#include <cstdio>
 
-// Include generated version header file.
-#include <example-project_version.h>
+#include <Example_version.h>
+#include <boost/algorithm/clamp.hpp>
+#include <cxxopts.hpp>
 
-#include <cstdio>
-
-int main()
+int main(int argc, char* argv[])
 {
-	printf("Our version is: %s\n", EXAMPLE_PROJECT_VERSION);
+	printf("This projects version is: %s", EXAMPLE_VERSION);
+
+	// clang-format off
+	cxxopts::Options options("CPM-Test", "Testing CPM");
+	options.add_options()
+		("a", "Option A")
+		("b", "Option B")
+		("c", "Option C");
+	// clang-format on
+
+	auto result = options.parse(argc, argv);
+
+	if (result["a"].as<bool>())
+	{
+		printf("Option 'a' is set");
+	}
+	if (result["b"].as<bool>())
+	{
+		printf("Option 'b' is set");
+	}
+	if (result["c"].as<bool>())
+	{
+		printf("Option 'c' is set");
+	}
+
+	printf("Boost clamp: %d", boost::algorithm::clamp(5, 0, 10));
+	printf("Boost clamp: %d", boost::algorithm::clamp(5, 7, 10));
+	printf("Boost clamp: %d", boost::algorithm::clamp(5, 0, 3));
+
+	exit(EXIT_SUCCESS);
 }
diff --git a/example/output/Example-sbom-0.3.0.spdx b/example/output/Example-sbom-0.3.0.spdx
@@ -0,0 +1,94 @@
+SPDXVersion: SPDX-2.3
+DataLicense: CC0-1.0
+SPDXID: SPDXRef-DOCUMENT
+DocumentName: Example-sbom-v0.3.0-13-gd5b28ae+comprehensive-example+dirty.spdx
+DocumentNamespace: https://github.com/sodgeit/CMake-SBOM-Builder/spdxdocs/Example-v0.3.0-13-gd5b28ae+comprehensive-example+dirty
+Creator: Organization: Example
+Creator: Tool: CMake-SBOM-Builder-0.0.0-development-version
+CreatorComment: <text>This SPDX document was created from CMake 3.30.1, using CMake-SBOM-Builder from https://github.com/sodgeit/CMake-SBOM-Builder</text>
+Created: 2024-08-29T09:16:55Z
+
+PackageName: Clang
+SPDXID: SPDXRef-compiler
+PackageVersion: 18.1.8
+PackageDownloadLocation: NOASSERTION
+PackageLicenseConcluded: NOASSERTION
+PackageLicenseDeclared: NOASSERTION
+PackageCopyrightText: NOASSERTION
+PackageSupplier: Organization: Anonymous
+FilesAnalyzed: false
+PackageSummary: <text>The compiler as identified by CMake, running on Windows (AMD64)</text>
+PrimaryPackagePurpose: APPLICATION
+Relationship: SPDXRef-compiler CONTAINS NOASSERTION
+Relationship: SPDXRef-compiler BUILD_DEPENDENCY_OF SPDXRef-Example
+RelationshipComment: <text>SPDXRef-Example is built by compiler Clang (C:/Program Files/LLVM/bin/clang++.exe) version 18.1.8</text>
+
+PackageName: Example
+SPDXID: SPDXRef-Example
+ExternalRef: SECURITY cpe23Type cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*
+ExternalRef: PACKAGE-MANAGER purl pkg:supplier/Example/[email protected]+comprehensive-example+dirty
+PackageVersion: v0.3.0-13-gd5b28ae+comprehensive-example+dirty
+PackageSupplier: Organization: Example
+PackageDownloadLocation: NOASSERTION
+PackageLicenseConcluded: CC0-1.0
+PackageLicenseDeclared: CC0-1.0
+PackageCopyrightText: 2024;Example
+PackageHomePage: https://github.com/sodgeit/CMake-SBOM-Builder
+PackageComment: <text>Built by CMake 3.30.1 with Release configuration for Windows (AMD64)</text>
+PackageVerificationCode: eab840722ebab9379e046b88ce0e6f6f616a2eb6
+BuiltDate: 2024-08-29T09:16:55Z
+Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Example
+
+PackageName: cxxopts
+SPDXID: SPDXRef-cxxopts-0
+ExternalRef: SECURITY cpe23Type cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*
+PackageDownloadLocation: NOASSERTION
+PackageLicenseDeclared: NOASSERTION
+PackageCopyrightText: NOASSERTION
+PackageVersion: 3.2.0
+PackageSupplier: Jarryd Beck (https://github.com/jarro2783/cxxopts)
+FilesAnalyzed: false
+PackageLicenseConcluded: MIT
+Relationship: SPDXRef-Example DEPENDS_ON SPDXRef-cxxopts-0
+Relationship: SPDXRef-cxxopts-0 CONTAINS NOASSERTION
+
+PackageName: Boost
+SPDXID: SPDXRef-Boost-1
+ExternalRef: SECURITY cpe23Type cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*
+PackageDownloadLocation: NOASSERTION
+PackageLicenseDeclared: NOASSERTION
+PackageCopyrightText: NOASSERTION
+PackageVersion: 1.85.0
+PackageSupplier: https://www.boost.org
+FilesAnalyzed: false
+PackageLicenseConcluded: BSL-1.0
+Relationship: SPDXRef-Example DEPENDS_ON SPDXRef-Boost-1
+Relationship: SPDXRef-Boost-1 CONTAINS NOASSERTION
+
+FileName: ./include/Example_version.h
+SPDXID: SPDXRef-include-Example-version-h-2
+FileType: SOURCE
+FileChecksum: SHA1: d8531f8bb2896353ae13c24ec84324ebbc11a1e4
+LicenseConcluded: NOASSERTION
+LicenseInfoInFile: NOASSERTION
+FileCopyrightText: NOASSERTION
+Relationship: SPDXRef-Example CONTAINS SPDXRef-include-Example-version-h-2
+
+FileName: ./share/example/version.txt
+SPDXID: SPDXRef-share-example-version-txt-3
+FileType: DOCUMENTATION
+FileType: TEXT
+FileChecksum: SHA1: ad9f5f85711c66b6fce6975f6b7c489863e60974
+LicenseConcluded: NOASSERTION
+LicenseInfoInFile: NOASSERTION
+FileCopyrightText: NOASSERTION
+Relationship: SPDXRef-Example CONTAINS SPDXRef-share-example-version-txt-3
+
+FileName: ./bin/example.exe
+SPDXID: SPDXRef-bin-TARGET-FILE-NAME-example-4
+FileType: BINARY
+FileChecksum: SHA1: eaf3cf61d5fdccd5fc90dbfe6ec3aa4da3641754
+LicenseConcluded: NOASSERTION
+LicenseInfoInFile: NOASSERTION
+FileCopyrightText: NOASSERTION
+Relationship: SPDXRef-Example CONTAINS SPDXRef-bin-TARGET-FILE-NAME-example-4
diff --git a/example/output/sbom-1.1.2.spdx b/example/output/sbom-1.1.2.spdx