Dev

.cmake-format

@@ -12,7 +12,11 @@ parse:
     sbom_generate:
       kwargs:
         OUTPUT: 1
+        INPUT: '*'
+        COPYRIGHT: 1
         LICENSE: 1
+        NAMESPACE: 1
+        PROJECT: 1
         SUPPLIER: 1
         SUPPLIER_URL: 1
     sbom_file:
@@ -59,6 +63,7 @@ parse:
         DOWNLOAD_LOCATION: 1
         EXTERNAL: 1
         RENAME: 1
+        SUPPLIER: 1
 
 format:
   line_width: 100

.github/workflows/ci.yml

@@ -25,9 +25,20 @@ jobs:
       - name: build
         run: dist/ubuntu/build.sh
 
+  build-macos:
+    runs-on: macos-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+      - name: bootstrap
+        run: |
+          dist/macos/bootstrap.sh
+      - name: build
+        run: dist/macos/build.sh
+
   # Dummy job that depends on all other build-* jobs.
   build-all-check:
-    needs: [build-ubuntu]
+    needs: [build-ubuntu, build-macos]
     runs-on: ubuntu-latest
     if: success()
     outputs:

CMakeLists.txt

@@ -15,3 +15,4 @@ include(sbom)
 reuse_lint()
 
 add_subdirectory(example)
+add_subdirectory(test)

README.rst

@@ -147,6 +147,7 @@ Generate the header of the SBOM, based on a standard template where the given de
 
    sbom_generate(
       [OUTPUT <filename>]
+      [INPUT <filename>...]
       [COPYRIGHT <string>]
       [LICENSE <string>]
       [NAMESPACE <URI>]
@@ -158,6 +159,14 @@ Generate the header of the SBOM, based on a standard template where the given de
 ``OUTPUT``
    Output filename.
    It should probably start with ``${CMAKE_INSTALL_PREFIX}``, as the file is generated during ``install``.
+   The variable ``SBOM_FILENAME`` is set to the full path.
+
+``INPUT``
+   One or more file names, which are concatenated into the SBOM output file.
+   Variables and generator expressions are supported in these files.
+   Variables in the form ``@var@`` are replaced during config, ``${var}`` during install.
+   When omitted, a standard document/package SBOM is generated.
+   The other parameters can be referenced in the input files, prefixed with ``SBOM_GENERATE_``.
 
 ``COPYRIGHT``
    Copyright information.
@@ -177,24 +186,11 @@ Generate the header of the SBOM, based on a standard template where the given de
 
 ``SUPPLIER``
    Supplier name.
-   It may be omitted when the variable ``SBOM_SUPPLIER`` is set.
+   It may be omitted when the variable ``SBOM_SUPPLIER`` is set or when any ``INPUT`` is given.
 
 ``SUPPLIER_URL``
    Supplier home page.
-   It may be omitted when the variable ``SBOM_SUPPLIER_URL`` is set.
-
-Alternatively, you can specify your own template.
-
-.. code:: cmake
-
-   sbom_generate(
-      [OUTPUT <filename>]
-      INPUT <filename>...
-   )
-
-``INPUT``
-   One or more file names, which are concatenated into the SBOM output file.
-   Variables and generator expressions are supported in these files.
+   It may be omitted when the variable ``SBOM_SUPPLIER_URL`` is set or when any ``INPUT`` is given.
 
 ``sbom_add``
 ````````````
@@ -225,7 +221,7 @@ Add something to the SBOM.
    Refer to the `SPDX specification <SPDX>`_.
 
 ``SPDXID``
-   The ID to use.
+   The ID to use for identifier generation.
    By default, generate a new one.
    Whether or not this is specified, the variable ``SBOM_LAST_SPDXID`` is set to just generated/used SPDXID, which could be used for later relationship definitions.
 
@@ -258,7 +254,7 @@ Add something to the SBOM.
 
    sbom_add(
       PACKAGE <name>
-      DOWNLOAD_LOCATION <URL>
+      [DOWNLOAD_LOCATION <URL>]
       [EXTREF <ref>...]
       [LICENSE <string>]
       [RELATIONSHIP <string>]
@@ -325,7 +321,28 @@ Finalize the SBOM and verify its contents and/or format.
 
 .. code:: cmake
 
-   sbom_finalize()
+   sbom_finalize(
+      [NO_VERIFY | VERIFY]
+   )
+
+   sbom_finalize(
+      GRAPH <filename>
+   )
+
+``NO_VERIFY``
+   Do not run the verification against the generated SBOM.
+   By default, verification is only performed when python3 is found with the appropriate packages.
+
+``VERIFY``
+   Always run the verification against the generated SBOM.
+   Make sure to install ``dist/common/requirements.txt`` in your python environment first.
+
+``GRAPH``
+   Generate a dependency graph of the SBOM.
+   This implies ``VERIFY``.
+   It requires ``spdx-tools[graph_generation]`` python package to be installed first.
+
+
 
 License
 -------