chore(sbom): minor cleanups from code review

sameehj · sameehj · commit 3d5668e57fd6 · 2026-05-01T11:18:25.000+03:00
Refresh stale Makefile.am comment about SBOM_LICENSE_TEXT, clarify
build_extracted_licensing_infos docstring, and replace a hardcoded
wolfssl-5.9.1.spdx.json check with the wildcard glob used elsewhere.

Signed-off-by: Sameeh Jubran &lt;sameeh@wolfssl.com&gt;
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -220,9 +220,10 @@ jobs:
           grep -q 'license-text was not provided' /tmp/err || \
               { echo "FAIL: error message missing actionable hint"; \
                 cat /tmp/err; exit 1; }
-          test ! -f wolfssl-5.9.1.spdx.json || \
-              { echo "FAIL: SBOM file should not exist after refusal"; \
-                exit 1; }
+          if ls wolfssl-*.spdx.json >/dev/null 2>&1; then
+              echo "FAIL: SBOM file should not exist after refusal"
+              exit 1
+          fi
 
       - name: License matrix - compound expression
         run: |
diff --git a/Makefile.am b/Makefile.am
@@ -385,8 +385,8 @@ WOLFSSL_LIB_DSO_BASENAMES = \
 #   SBOM_LICENSE_TEXT      Path to the actual licence text for any
 #                          LicenseRef-* in SBOM_LICENSE_OVERRIDE.  Required
 #                          for SPDX 2.3 conformance whenever a custom
-#                          LicenseRef is in use; without it the SBOM embeds
-#                          a placeholder and validators may reject it.
+#                          LicenseRef is in use; `make sbom` exits with an
+#                          error if it is missing.
 sbom:
 	@if test -z "$(PYTHON3)"; then \
 	    echo ""; \
diff --git a/scripts/gen-sbom b/scripts/gen-sbom
@@ -126,6 +126,10 @@ def build_extracted_licensing_infos(license_expr, license_text):
     `licenseDeclared` to be declared once at document level via
     `hasExtractedLicensingInfos`.  Returns None when no LicenseRef-* is
     present so the caller can omit the field entirely.
+
+    `license_text=None` produces a placeholder entry; main() rejects
+    that combination upfront, so this fallback is only reachable from
+    direct programmatic callers (e.g. tests, library reuse).
     """
     refs = extract_license_refs(license_expr)
     if not refs:
