ENH: Generate SPDX 2.3 Software Bill of Materials at configure time

[Copilot]

Add SPDX 2.3 SBOM generation at CMake configure time, producing sbom.spdx.json in the build directory with all enabled ThirdParty modules and their metadata. Per-module SPDX metadata is co-located in each module's itk-module.cmake file. Fixes #4302.

Commit breakdown (7 independent commits)

1. Core SBOM generation — ITKSBOMGeneration.cmake with itk_generate_sbom(), itk_sbom_register_package() for remote modules, FFTW GPL tracking, install rule
2. Distribute metadata to modules — Extend itk_module() with SPDX_LICENSE, SPDX_DOWNLOAD_LOCATION, SPDX_COPYRIGHT, SPDX_CUSTOM_LICENSE_TEXT/NAME; populate all 23 ThirdParty modules
3. Fix JSON escaping bug — Custom license names/texts in hasExtractedLicensingInfo were not escaped
4. Add SPDX_VERSION — New itk_module() parameter; versions for 11 modules (Eigen3 3.4.90, Expat 2.7.4, GoogleTest 1.17.0, HDF5 1.14.5, JPEG/libjpeg-turbo 3.0.4, MINC 2.4.06, NIFTI 3.0.0, OpenJPEG 2.5.4, PNG 1.6.54, TIFF 4.7.0, ZLIB 2.2.5); fix Eigen3 license to MPL-2.0 OR Apache-2.0
5. SBOM JSON validation test — ITKSBOMValidation CTest checks JSON syntax, SPDX 2.3 fields, package uniqueness
6. Version consistency test — VerifySPDXVersions.py cross-checks SPDX_VERSION against UpdateFromUpstream.sh tags (8 of 16 modules with parseable version tags)
7. Warn on missing SPDX metadata — AUTHOR_WARNING for enabled ThirdParty modules lacking SPDX_LICENSE

Remote module extensibility

itk_sbom_register_package(
  NAME "MyRemoteModule"
  VERSION "1.0.0"
  SPDX_LICENSE "Apache-2.0"
  DOWNLOAD_LOCATION "https://github.com/example/MyRemoteModule"
  SUPPLIER "Organization: Example"
  COPYRIGHT "Copyright Example Inc."
)

Known limitations

• 12 ThirdParty modules without SPDX_VERSION (track master, commit SHAs, or custom tags in UpdateFromUpstream.sh)
• DCMTK and GDCM license expressions may need refinement (both listed as BSD-3-Clause but contain sub-components with different licenses)
• Phase 2 of Generate a Software Bill of Materials at Build Time #4302 (SPDX source file headers) is a separate effort
• NOTICE file is not yet deprecated/replaced

[blowekamp]

The VTK modular system uses arguments to the main module macro for the license information: https://docs.vtk.org/en/latest/api/cmake/vtkModule.html#vtk-module-file-contents

I think it is worth a human conversation to decide if this information should have a public interface with the main module macro or if it should be separate. The man macro certainly could call a private function such as these.

I was just looking into moving FFTW into a third party library structure. With the varied backed-ends supported it is a dynamic case to support, and very relevant to license requirements.

Having all the module information defined, along with the license information maybe beneficial to keep some information consistent, and apply certain logic or enforcement such as defaulting internal module to ITK license while requiring remote modules to have these attributes.

[dzenanz]

Copilot's first PR seems better to me (easier to maintain), with license information distributed in Modules/ThirdParty/ModuleName/itk-module.cmake‎ files instead of being concentrated in CMake/ITKSBOMGeneration.cmake.

[dzenanz]

@copilot Make license and other per-module information distributed in Modules/ThirdParty/ModuleName/itk-module.cmake‎ files instead of being concentrated in CMake/ITKSBOMGeneration.cmake. This will put third party license information into a more intuitive location for easier maintenance.

[dzenanz]

More importantly, I am unfamiliar with SPDX and therefore will not be able to tell whether Copilot does a great or terrible job (or somewhere in between).

[dzenanz]

@copilot Make license and other per-module information distributed in Modules/ThirdParty/ModuleName/itk-module.cmake‎ files instead of being concentrated in CMake/ITKSBOMGeneration.cmake. This will put third party license information into a more intuitive location for easier maintenance.

[dzenanz]

@copilot Make license and other per-module information distributed in Modules/ThirdParty/ModuleName/itk-module.cmake‎ files instead of being concentrated in CMake/ITKSBOMGeneration.cmake. This will put third party license information into a more intuitive location for easier maintenance.

[Copilot]

@copilot Make license and other per-module information distributed in Modules/ThirdParty/ModuleName/itk-module.cmake‎ files instead of being concentrated in `CMake/ITKSBOMGeneratio...

Done in 8692d2d and 50daeeb. SPDX metadata is now declared directly in each Modules/ThirdParty/*/itk-module.cmake file via new itk_module() parameters: SPDX_LICENSE, SPDX_DOWNLOAD_LOCATION, SPDX_COPYRIGHT, SPDX_CUSTOM_LICENSE_TEXT, and SPDX_CUSTOM_LICENSE_NAME. The centralized _itk_sbom_get_thirdparty_metadata() lookup table has been removed from ITKSBOMGeneration.cmake — it now reads metadata from module declarations. Remote modules can also use the same itk_module() parameters or the itk_sbom_register_package() function.

[greptile-apps]

Greptile Summary

This PR adds SPDX 2.3 SBOM generation at CMake configure time (ITKSBOMGeneration.cmake), extends itk_module() with SPDX metadata fields, populates all 23 ThirdParty modules, and adds CTest validation plus a version-consistency script. Two fixable defects in the core JSON-building logic should be addressed before merging:

• Unescaped JSON fields: _pkg_copyright, _pkg_download, _pkg_version, and _pkg_license are inserted into the JSON document without calling _itk_sbom_json_escape() (only _pkg_description is escaped). A copyright string containing \" or \\ would silently produce an invalid sbom.spdx.json. The same gap exists in itk_sbom_register_package.
• Python3 guard missing: ITKSBOMValidation.cmake registers two CTest tests using ${Python3_EXECUTABLE} without checking if Python3 was found, creating broken tests in non-Python configurations.

Confidence Score: 4/5

Safe to merge after fixing the JSON-escaping omission and adding a Python3 guard in the validation cmake.

Two P1 defects exist: unescaped copyright/download/license fields that would corrupt the generated SBOM if any value contains a double-quote or backslash, and a missing Python3 availability check that produces broken CTest entries in non-Python configurations. Both are straightforward to fix. The remaining findings are P2 style/maintenance items.

CMake/ITKSBOMGeneration.cmake (JSON escaping, foreach pattern), CMake/ITKSBOMValidation.cmake (Python3 guard), Modules/ThirdParty/PNG/itk-module.cmake (SPDX license ID)

Important Files Changed

Filename	Overview
CMake/ITKSBOMGeneration.cmake	New file: core SBOM generation. P1 — _pkg_copyright, _pkg_download, _pkg_license, and _pkg_version are inserted into JSON without escaping (unlike _pkg_description). P2 — foreach over unquoted list variable; hardcoded licenseListVersion.
CMake/ITKSBOMValidation.cmake	New file: CTest validation and version-consistency tests. P1 — ${Python3_EXECUTABLE} is used without a guard; missing Python3 silently registers a broken test.
CMake/ITKModuleMacros.cmake	Adds six new SPDX keyword arguments to itk_module(); regex and elseif chain updated consistently; no issues found.
CMakeLists.txt	Adds ITK_GENERATE_SBOM option (default ON), wires up itk_generate_sbom() and ITKSBOMValidation includes after module enablement, and adds install rule for sbom.spdx.json; straightforward.
Modules/ThirdParty/PNG/itk-module.cmake	P2 — SPDX_LICENSE "Libpng-2.0" is not a recognised SPDX identifier for libpng 1.6.x; the correct identifier is libpng.
Utilities/Maintenance/VerifySPDXVersions.py	New helper: cross-checks SPDX_VERSION in itk-module.cmake against UpdateFromUpstream.sh tags for 8 modules; version normalisation patterns look correct; modules with SHA/master/custom tags are skipped.
Modules/ThirdParty/TIFF/itk-module.cmake	Adds SPDX metadata; "libtiff" is a valid SPDX identifier for the libtiff licence; no issues.
Modules/ThirdParty/Eigen3/itk-module.cmake	Adds SPDX metadata; MPL-2.0 OR Apache-2.0 licence expression is correct for Eigen 3.4.x; no issues.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[CMake configure] --> B{ITK_GENERATE_SBOM?}
    B -- OFF --> Z[skip]
    B -- ON --> C[include ITKSBOMGeneration]
    C --> D[itk_generate_sbom]
    D --> E[Loop over ITK_MODULES_ENABLED]
    E --> F{SPDX_LICENSE set?}
    F -- NO, ThirdParty --> G[AUTHOR_WARNING]
    F -- NO, non-ThirdParty --> H[skip]
    F -- YES --> I[Append package JSON
⚠️ no escape on copyright/download/license]
    D --> J{ITK_USE_FFTW?}
    J -- YES --> K[Append FFTW package]
    D --> L[get_property ITK_SBOM_EXTRA_PACKAGES
foreach unquoted ⚠️]
    L --> M[Append remote module packages]
    D --> N[Build relationships array]
    D --> O[Build hasExtractedLicensingInfo]
    D --> P[file WRITE sbom.spdx.json]
    P --> Q[include ITKSBOMValidation]
    Q --> R{BUILD_TESTING?}
    R -- NO --> Z
    R -- YES --> S{Python3_EXECUTABLE set?
⚠️ not checked}
    S --> T[add_test ITKSBOMValidation
Python JSON validation]
    S --> U[add_test ITKSBOMVersionConsistency
VerifySPDXVersions.py]

Loading

_{Reviews (1): Last reviewed commit: "ENH: Warn when ThirdParty modules lack S..." | Re-trigger Greptile}

[hjmjohnson]

Addressing the discussion points from @blowekamp and @dzenanz:

Distributed metadata (dzenanz's request): Done — commit 8692d2d moved all SPDX metadata into each Modules/ThirdParty/*/itk-module.cmake file via new itk_module() parameters (SPDX_LICENSE, SPDX_DOWNLOAD_LOCATION, SPDX_COPYRIGHT, SPDX_VERSION, SPDX_CUSTOM_LICENSE_TEXT/NAME). The centralized lookup table was removed from ITKSBOMGeneration.cmake.

VTK-style integration with module macro (blowekamp's suggestion): This is exactly what was implemented — the SPDX parameters are arguments to the existing itk_module() macro, consistent with VTK's approach. Remote modules can use the same parameters or the standalone itk_sbom_register_package() function.

FFTW licensing (blowekamp): FFTW is handled as a special case in ITKSBOMGeneration.cmake since it's not an ITK module — it's detected via ITK_USE_FFTWD/ITK_USE_FFTWF and tagged as GPL-2.0-or-later.

Greptile findings: All 5 inline findings (2 P1, 3 P2) have been reviewed and acknowledged — JSON escaping gaps, missing Python3 guard, IN LISTS foreach, PNG license ID, and hardcoded licenseListVersion. Will address in follow-up commits.

[hjmjohnson]

All 5 greptile findings fixed in 6d31421.

Fix summary

Finding	Fix
P1 Unescaped JSON fields	Added _itk_sbom_json_escape() calls for version, download, license, copyright in both itk_generate_sbom() and itk_sbom_register_package()
P1 Missing Python3 guard	Added if(NOT Python3_EXECUTABLE) early-return in ITKSBOMValidation.cmake
P2 foreach without IN LISTS	Switched both loops (extra_packages, extra_spdx_ids) to IN LISTS
P2 PNG license Libpng-2.0	Changed to Libpng (valid SPDX identifier)
P2 Hardcoded licenseListVersion	Exposed as ITK_SBOM_SPDX_LICENSE_LIST_VERSION cache variable (default 3.25)