fix(sbom): adapt to upstream removal of liboqs/libxmss/liblms gates

Drop dead --dep-libxmss/liblms args after PRs wolfSSL#10292/wolfSSL#10293 removed those autoconf vars.

Author: sameehj

Makefile.am

@@ -437,12 +437,8 @@ sbom:
 	    --license-text '$(SBOM_LICENSE_TEXT)' \
 	    --options-h $(abs_builddir)/wolfssl/options.h \
 	    --lib "$$sbom_lib" \
-	    --dep-liboqs $(ENABLED_LIBOQS) \
-	    --dep-libxmss $(ENABLED_LIBXMSS) \
-	    --dep-libxmss-root '$(XMSS_ROOT)' \
-	    --dep-liblms $(ENABLED_LIBLMS) \
-	    --dep-liblms-root '$(LIBLMS_ROOT)' \
 	    --dep-libz $(ENABLED_LIBZ) \
+	    --dep-falcon $(ENABLED_FALCON) \
 	    --git '$(GIT)' \
 	    --cdx-out $(abs_builddir)/$(SBOM_CDX) \
 	    --spdx-out $(abs_builddir)/$(SBOM_SPDX); \

configure.ac

@@ -12182,11 +12182,8 @@ AC_SUBST([WOLFSSL_INCLUDEDIR_ABS])
 AC_PATH_PROG([PYTHON3], [python3])
 AC_PATH_PROG([PYSPDXTOOLS], [pyspdxtools])
 AC_PATH_PROG([GIT], [git])
-AC_SUBST([ENABLED_LIBOQS])
-AC_SUBST([ENABLED_LIBXMSS])
-AC_SUBST([ENABLED_LIBLMS])
 AC_SUBST([ENABLED_LIBZ])
-AC_SUBST([LIBLMS_ROOT])
+AC_SUBST([ENABLED_FALCON])
 
 # Bomsh (OmniBOR build artifact tracing + SBOM enrichment)
 AC_PATH_PROG([BOMTRACE3], [bomtrace3])

doc/SBOM.md

@@ -118,15 +118,12 @@ make sbom \
 
 #### External dependency version detection
 
-For dependencies with pkg-config support (`liboqs`, `libz`), the version is
-queried via `pkg-config --modversion` at generation time.
-
-For dependencies without pkg-config (`libxmss`, `liblms`), wolfSSL is
-typically built against a source checkout rather than an installed package.
-The generator falls back to `git describe --tags --always` on the source
-tree root (passed via `configure` as `XMSS_ROOT` / `LIBLMS_ROOT`).  If the
-source tree has no tags, `git describe` returns the short commit hash, which
-is recorded as-is.  If the source tree is unavailable or `git` is not found:
+The remaining optional external dependencies (`libz`, and `falcon` via
+`liboqs`) are both installed packages and are queried via
+`pkg-config --modversion` at SBOM generation time.
+
+If pkg-config does not report a version (the package is not installed, or
+its `.pc` file is missing):
 
 - SPDX records `versionInfo: NOASSERTION` and emits no `purl` external ref.
 - CycloneDX omits the `version` and `purl` fields entirely and the generator

scripts/gen-sbom

@@ -49,30 +49,17 @@ def build_timestamp():
 # Known metadata for optional external dependencies.
 # Version is detected at runtime via pkg-config; falls back to None.
 DEP_META = {
-    'liboqs': {
-        'name': 'liboqs',
-        'supplier': 'Open Quantum Safe',
+    # Falcon is reachable only via liboqs after upstream PR #10293 collapsed
+    # the rest of the PQ surface into native wolfCrypt; we record the version
+    # of liboqs itself since that is the artefact actually linked in.
+    'falcon': {
+        'name': 'falcon',
+        'supplier': 'Open Quantum Safe (via liboqs)',
         'license': 'MIT',
         'download': 'https://github.com/open-quantum-safe/liboqs',
         'pkgconfig': 'liboqs',
         'purl': lambda v: f'pkg:github/open-quantum-safe/liboqs@{v}',
     },
-    'libxmss': {
-        'name': 'xmss-reference',
-        'supplier': 'XMSS reference implementation authors',
-        'license': 'CC0-1.0',
-        'download': 'https://github.com/XMSS/xmss-reference',
-        'pkgconfig': None,
-        'purl': lambda v: f'pkg:github/XMSS/xmss-reference@{v}',
-    },
-    'liblms': {
-        'name': 'hash-sigs',
-        'supplier': 'Cisco Systems',
-        'license': 'MIT',
-        'download': 'https://github.com/cisco/hash-sigs',
-        'pkgconfig': None,
-        'purl': lambda v: f'pkg:github/cisco/hash-sigs@{v}',
-    },
     'libz': {
         'name': 'zlib',
         'supplier': 'Jean-loup Gailly and Mark Adler',
@@ -486,18 +473,10 @@ def main():
                              'licence reference.')
     parser.add_argument('--options-h', required=True,
                         help='Path to wolfssl/options.h for build config')
-    parser.add_argument('--dep-liboqs', default='no',
-                        help='yes if built with --with-liboqs')
-    parser.add_argument('--dep-libxmss', default='no',
-                        help='yes if built with --with-libxmss')
-    parser.add_argument('--dep-libxmss-root', default='',
-                        help='Path to xmss-reference source tree root')
-    parser.add_argument('--dep-liblms', default='no',
-                        help='yes if built with --with-liblms')
-    parser.add_argument('--dep-liblms-root', default='',
-                        help='Path to hash-sigs source tree root')
     parser.add_argument('--dep-libz', default='no',
                         help='yes if built with --with-libz')
+    parser.add_argument('--dep-falcon', default='no',
+                        help='yes if built with --enable-falcon (Falcon via liboqs)')
     parser.add_argument('--git', default='',
                         help='Path to git binary for version detection')
     parser.add_argument('--cdx-out', required=True,
@@ -509,17 +488,10 @@ def main():
     global GIT_BIN
     GIT_BIN = args.git or None
 
-    if args.dep_libxmss_root:
-        DEP_META['libxmss']['git_root'] = args.dep_libxmss_root
-    if args.dep_liblms_root:
-        DEP_META['liblms']['git_root'] = args.dep_liblms_root
-
     enabled_deps = [
         key for key, flag in [
-            ('liboqs',  args.dep_liboqs),
-            ('libxmss', args.dep_libxmss),
-            ('liblms',  args.dep_liblms),
             ('libz',    args.dep_libz),
+            ('falcon',  args.dep_falcon),
         ]
         if flag.lower() == 'yes'
     ]