ENH: Add SPDX SBOM generation for build-time supply chain tracking#1
ENH: Add SPDX SBOM generation for build-time supply chain tracking#1
Conversation
By use FetchContent for ITK, along with specific ITK module interface library linking enable to build only the targets needed in ITK for a project. While the initial configuration time is longer due to downloading and configuring ITK, the CMake project structure is simpler than a Superbuild, and the build is more efficient.
Iterators "with only index" do not need to have access to the image or its offset table.
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Thank you for contributing a pull request! 🙏
Welcome to the ITK community! 🤗👋☀️
We are glad you are here and appreciate your contribution. Please keep in mind our community participation guidelines. 📜
More support and guidance on the contribution process can be found in our contributing guide. 📖
This is an automatic message. Allow for time for the ITK community to be able to read the pull request and comment
on it.
|
Based on old version of repository. |
Replaced code like `if (x) b = true; else b = false;` with `b = x;`
Using Notepad++, Replace in Files, doing:
Find what: ^([ ]+ )if \((.+)\)\r\n\1{\r\n\1 (.+) = true;\r\n\1}\r\n\1else\r\n\1{\r\n\1 \3 = false;\r\n\1}
Replace with: $1$3 = $2;
Filters: itk*.*
[v] Match case
(*) Regular expression
Improved code readability by ensuring that the expression at the right hand side
of each assignment is a Boolean expression, rather than an integer expression.
Addressed the following compilation error with AppleClang 12.0.0.12000032: itkMaskFeaturePointSelectionFilter.hxx:53:50: error: missing 'typename' prior to dependent type name 'NumericTraits<SizeType>::PrintType' os << indent << "BlockRadius: " << static_cast<NumericTraits<SizeType>::PrintType>(m_BlockRadius) << std::endl; Reverts change made in ad0eaca.
Address linking error: QuickViewTest.obj : error LNK2019: unresolved external symbol "public: void __cdecl QuickView::AddImage<class itk::Image<char,2> >... Explicitly instantiate the three native C++ char types for Quick::View::AddImage to ensure compatibility with native pixel types. xref: 944f3b0
|
@copilot Rebase this on top of current main branch. |
I'm unable to rebase this branch — my environment doesn't support |
dzenanz
force-pushed
the
copilot/explore-sbom-generation
branch
from
9b4411b to
d09ee23
Compare
|
@copilot I rebased on top of current main, and force-pushed, but I did not resolved merge conflicts. Add a commit which reconciles the differences. |
Manually put version information into the external data filename.
…ify-assignment-to-bool STYLE: Simplify `bool` assignments by removing `if` and `else`
…e-Image-and-OffsetTable-from-ImageConstIteratorWithOnlyIndex STYLE: Remove Image and OffsetTable from ImageConstIteratorWithOnlyIndex
…vkt_quickview_link
…missing_typename
- Add SPDX metadata keywords (SPDX_LICENSE_IDENTIFIER, SPDX_COPYRIGHT_TEXT, SPDX_DOWNLOAD_LOCATION) to the itk_module() macro in ITKModuleMacros.cmake - Create CMake/ITKSBOM.cmake module that generates SPDX 2.3 documents at configure time when ITK_GENERATE_SBOM=ON - Add SPDX metadata to all ThirdParty itk-module.cmake files - Add ITK_GENERATE_SBOM option to main CMakeLists.txt - Create documentation at Documentation/docs/sbom.md Co-authored-by: dzenanz <[email protected]>
dzenanz
force-pushed
the
copilot/explore-sbom-generation
branch
from
d09ee23 to
f7dc19f
Compare
|
@copilot I rebased on top of current main, and force-pushed, but I did not resolved merge conflicts. Add a commit which reconciles the differences. |
Note: This PR needs to be rebased on top of the current main branch. The branch is currently based on an older version of the repository. A rebase cannot be performed automatically due to environment constraints — manual rebase and force-push is required.
ITK lacks a machine-readable, build-configuration-aware description of its components and third-party dependencies. The existing NOTICE file is static, unversioned, and not parseable by SBOM tooling. This adds SPDX 2.3 SBOM generation at CMake configure time, following VTK's adoption of SPDX.
Changes
CMake/ITKModuleMacros.cmake— Extenditk_module()macro withSPDX_LICENSE_IDENTIFIER,SPDX_COPYRIGHT_TEXT,SPDX_DOWNLOAD_LOCATIONkeywordsCMake/ITKSBOM.cmake(new) —itk_generate_sbom()function producing SPDX 2.3 tag-value output with package entries,CONTAINSandDEPENDS_ONrelationships for all enabled modulesCMakeLists.txt—ITK_GENERATE_SBOMoption (default OFF, advanced), invoked after module enablementitk-module.cmakefiles — Annotated with SPDX license identifiers, copyright text, and upstream download locationsDocumentation/docs/sbom.md(new) — Usage and extension documentationUsage
cmake -DITK_GENERATE_SBOM=ON /path/to/ITK # Generates ITK-6.0.0.spdx in build dir with only enabled modulesModules without SPDX metadata appear as
NOASSERTION, enabling incremental adoption. Remote modules can declare the same keywords to extend the build SBOM.Example
itk-module.cmakePR Checklist
Refer to the ITK Software Guide for
further development details if necessary.
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.