ENH: Add version info, fix JSON escaping, add SBOM validation test

Address review findings from critical analysis:

- Add SPDX_VERSION parameter to itk_module() macro for declaring
  vendored dependency versions. Add versions for 9 modules where
  the version is extractable from headers: Eigen3 (3.4.90),
  PNG (1.6.54), ZLIB (2.2.5), TIFF (4.7.0), HDF5 (1.14.5),
  JPEG (9f), OpenJPEG (2.5.4), MINC (2.4.06), NIFTI (3.0.0).

- Fix JSON escaping bug in hasExtractedLicensingInfo: custom
  license names and texts were written raw without escaping
  quotes, backslashes, or newlines.

- Fix Eigen3 SPDX license expression from "MPL-2.0" to
  "MPL-2.0 OR Apache-2.0" (Eigen is dual-licensed).

- Update NIFTI download URL from nifti.nimh.nih.gov to the
  current GitHub repository.

- Add ITKSBOMValidation.cmake CTest test that validates the
  generated sbom.spdx.json: checks JSON syntax, required SPDX
  2.3 fields, package uniqueness, and extracted license entries.

Author: hjmjohnson

CMake/ITKModuleMacros.cmake

@@ -70,6 +70,7 @@ macro(itk_module _name)
   set(ITK_MODULE_${itk-module}_EXCLUDE_FROM_DEFAULT 0)
   set(ITK_MODULE_${itk-module}_ENABLE_SHARED 0)
   set(ITK_MODULE_${itk-module}_SPDX_LICENSE "")
+  set(ITK_MODULE_${itk-module}_SPDX_VERSION "")
   set(ITK_MODULE_${itk-module}_SPDX_DOWNLOAD_LOCATION "")
   set(ITK_MODULE_${itk-module}_SPDX_COPYRIGHT "")
   set(ITK_MODULE_${itk-module}_SPDX_CUSTOM_LICENSE_TEXT "")
@@ -79,7 +80,7 @@ macro(itk_module _name)
     if(
       "${arg}"
         MATCHES
-        "^((|COMPILE_|PRIVATE_|TEST_|)DEPENDS|DESCRIPTION|DEFAULT|FACTORY_NAMES|SPDX_LICENSE|SPDX_DOWNLOAD_LOCATION|SPDX_COPYRIGHT|SPDX_CUSTOM_LICENSE_TEXT|SPDX_CUSTOM_LICENSE_NAME)$"
+        "^((|COMPILE_|PRIVATE_|TEST_|)DEPENDS|DESCRIPTION|DEFAULT|FACTORY_NAMES|SPDX_LICENSE|SPDX_VERSION|SPDX_DOWNLOAD_LOCATION|SPDX_COPYRIGHT|SPDX_CUSTOM_LICENSE_TEXT|SPDX_CUSTOM_LICENSE_NAME)$"
     )
       set(_doing "${arg}")
     elseif("${arg}" MATCHES "^EXCLUDE_FROM_DEFAULT$")
@@ -112,6 +113,9 @@ macro(itk_module _name)
     elseif("${_doing}" MATCHES "^SPDX_LICENSE$")
       set(_doing "")
       set(ITK_MODULE_${itk-module}_SPDX_LICENSE "${arg}")
+    elseif("${_doing}" MATCHES "^SPDX_VERSION$")
+      set(_doing "")
+      set(ITK_MODULE_${itk-module}_SPDX_VERSION "${arg}")
     elseif("${_doing}" MATCHES "^SPDX_DOWNLOAD_LOCATION$")
       set(_doing "")
       set(ITK_MODULE_${itk-module}_SPDX_DOWNLOAD_LOCATION "${arg}")

CMake/ITKSBOMGeneration.cmake

@@ -8,6 +8,7 @@
   Per-module SPDX metadata is declared in each module's itk-module.cmake via
   the itk_module() macro arguments:
     SPDX_LICENSE             - SPDX license identifier (e.g. "Apache-2.0")
+    SPDX_VERSION             - Version of the vendored dependency
     SPDX_DOWNLOAD_LOCATION   - URL for the upstream source
     SPDX_COPYRIGHT           - Copyright text
     SPDX_CUSTOM_LICENSE_TEXT  - Extracted text for custom LicenseRef-* IDs
@@ -38,16 +39,34 @@ endif()
 #     COPYRIGHT "Copyright Example Inc."
 #   )
 #
-define_property(GLOBAL PROPERTY ITK_SBOM_EXTRA_PACKAGES
-  BRIEF_DOCS "Additional SBOM package entries registered by remote modules."
-  FULL_DOCS "A list of JSON-formatted package entries for the SBOM."
+define_property(
+  GLOBAL
+  PROPERTY ITK_SBOM_EXTRA_PACKAGES
+  BRIEF_DOCS
+    "Additional SBOM package entries registered by remote modules."
+  FULL_DOCS
+    "A list of JSON-formatted package entries for the SBOM."
 )
 
 function(itk_sbom_register_package)
   set(_options "")
-  set(_one_value NAME VERSION SPDX_LICENSE DOWNLOAD_LOCATION SUPPLIER COPYRIGHT)
+  set(
+    _one_value
+    NAME
+    VERSION
+    SPDX_LICENSE
+    DOWNLOAD_LOCATION
+    SUPPLIER
+    COPYRIGHT
+  )
   set(_multi_value "")
-  cmake_parse_arguments(_pkg "${_options}" "${_one_value}" "${_multi_value}" ${ARGN})
+  cmake_parse_arguments(
+    _pkg
+    "${_options}"
+    "${_one_value}"
+    "${_multi_value}"
+    ${ARGN}
+  )
 
   if(NOT _pkg_NAME)
     message(FATAL_ERROR "itk_sbom_register_package: NAME is required.")
@@ -76,18 +95,38 @@ function(itk_sbom_register_package)
   string(APPEND _entry "      \"SPDXID\": \"SPDXRef-${_spdx_id}\",\n")
   string(APPEND _entry "      \"name\": \"${_pkg_NAME}\",\n")
   string(APPEND _entry "      \"versionInfo\": \"${_pkg_VERSION}\",\n")
-  string(APPEND _entry "      \"downloadLocation\": \"${_pkg_DOWNLOAD_LOCATION}\",\n")
+  string(
+    APPEND
+    _entry
+    "      \"downloadLocation\": \"${_pkg_DOWNLOAD_LOCATION}\",\n"
+  )
   string(APPEND _entry "      \"supplier\": \"${_pkg_SUPPLIER}\",\n")
-  string(APPEND _entry "      \"licenseConcluded\": \"${_pkg_SPDX_LICENSE}\",\n")
+  string(
+    APPEND
+    _entry
+    "      \"licenseConcluded\": \"${_pkg_SPDX_LICENSE}\",\n"
+  )
   string(APPEND _entry "      \"licenseDeclared\": \"${_pkg_SPDX_LICENSE}\",\n")
   string(APPEND _entry "      \"copyrightText\": \"${_pkg_COPYRIGHT}\",\n")
   string(APPEND _entry "      \"filesAnalyzed\": false\n")
   string(APPEND _entry "    }")
 
-  set_property(GLOBAL APPEND PROPERTY ITK_SBOM_EXTRA_PACKAGES "${_entry}")
+  set_property(
+    GLOBAL
+    APPEND
+    PROPERTY
+      ITK_SBOM_EXTRA_PACKAGES
+        "${_entry}"
+  )
 
   # Also store the SPDX ID for relationship generation
-  set_property(GLOBAL APPEND PROPERTY ITK_SBOM_EXTRA_SPDX_IDS "SPDXRef-${_spdx_id}")
+  set_property(
+    GLOBAL
+    APPEND
+    PROPERTY
+      ITK_SBOM_EXTRA_SPDX_IDS
+        "SPDXRef-${_spdx_id}"
+  )
 endfunction()
 
 #-----------------------------------------------------------------------------
@@ -114,8 +153,10 @@ function(itk_generate_sbom)
   string(TIMESTAMP _sbom_timestamp "%Y-%m-%dT%H:%M:%SZ" UTC)
   string(TIMESTAMP _sbom_uid "%Y%m%d%H%M%S" UTC)
 
-  set(_sbom_namespace
-    "https://spdx.org/spdxdocs/ITK-${ITK_VERSION}-${_sbom_uid}")
+  set(
+    _sbom_namespace
+    "https://spdx.org/spdxdocs/ITK-${ITK_VERSION}-${_sbom_uid}"
+  )
 
   # --- Begin JSON document ---
   set(_json "")
@@ -144,11 +185,19 @@ function(itk_generate_sbom)
   string(APPEND _json "      \"SPDXID\": \"SPDXRef-ITK\",\n")
   string(APPEND _json "      \"name\": \"ITK\",\n")
   string(APPEND _json "      \"versionInfo\": \"${ITK_VERSION}\",\n")
-  string(APPEND _json "      \"downloadLocation\": \"https://github.com/InsightSoftwareConsortium/ITK\",\n")
+  string(
+    APPEND
+    _json
+    "      \"downloadLocation\": \"https://github.com/InsightSoftwareConsortium/ITK\",\n"
+  )
   string(APPEND _json "      \"supplier\": \"Organization: NumFOCUS\",\n")
   string(APPEND _json "      \"licenseConcluded\": \"Apache-2.0\",\n")
   string(APPEND _json "      \"licenseDeclared\": \"Apache-2.0\",\n")
-  string(APPEND _json "      \"copyrightText\": \"Copyright 1999-2019 Insight Software Consortium, Copyright 2020-present NumFOCUS\",\n")
+  string(
+    APPEND
+    _json
+    "      \"copyrightText\": \"Copyright 1999-2019 Insight Software Consortium, Copyright 2020-present NumFOCUS\",\n"
+  )
   string(APPEND _json "      \"filesAnalyzed\": false\n")
   string(APPEND _json "    }")
 
@@ -169,8 +218,12 @@ function(itk_generate_sbom)
       continue()
     endif()
 
+    set(_pkg_version "${ITK_MODULE_${_mod}_SPDX_VERSION}")
     set(_pkg_download "${ITK_MODULE_${_mod}_SPDX_DOWNLOAD_LOCATION}")
     set(_pkg_copyright "${ITK_MODULE_${_mod}_SPDX_COPYRIGHT}")
+    if(NOT _pkg_version)
+      set(_pkg_version "NOASSERTION")
+    endif()
     if(NOT _pkg_download)
       set(_pkg_download "NOASSERTION")
     endif()
@@ -201,7 +254,7 @@ function(itk_generate_sbom)
     string(APPEND _json "    {\n")
     string(APPEND _json "      \"SPDXID\": \"SPDXRef-${_spdx_id}\",\n")
     string(APPEND _json "      \"name\": \"${_mod}\",\n")
-    string(APPEND _json "      \"versionInfo\": \"NOASSERTION\",\n")
+    string(APPEND _json "      \"versionInfo\": \"${_pkg_version}\",\n")
     string(APPEND _json "      \"downloadLocation\": \"${_pkg_download}\",\n")
     string(APPEND _json "      \"supplier\": \"NOASSERTION\",\n")
     string(APPEND _json "      \"licenseConcluded\": \"${_pkg_license}\",\n")
@@ -229,12 +282,24 @@ function(itk_generate_sbom)
     string(APPEND _json "      \"SPDXID\": \"SPDXRef-FFTW\",\n")
     string(APPEND _json "      \"name\": \"FFTW\",\n")
     string(APPEND _json "      \"versionInfo\": \"${_fftw_version}\",\n")
-    string(APPEND _json "      \"downloadLocation\": \"https://www.fftw.org\",\n")
+    string(
+      APPEND
+      _json
+      "      \"downloadLocation\": \"https://www.fftw.org\",\n"
+    )
     string(APPEND _json "      \"supplier\": \"Organization: MIT\",\n")
     string(APPEND _json "      \"licenseConcluded\": \"${_fftw_license}\",\n")
     string(APPEND _json "      \"licenseDeclared\": \"${_fftw_license}\",\n")
-    string(APPEND _json "      \"copyrightText\": \"Copyright Matteo Frigo and Massachusetts Institute of Technology\",\n")
-    string(APPEND _json "      \"description\": \"Fastest Fourier Transform in the West\",\n")
+    string(
+      APPEND
+      _json
+      "      \"copyrightText\": \"Copyright Matteo Frigo and Massachusetts Institute of Technology\",\n"
+    )
+    string(
+      APPEND
+      _json
+      "      \"description\": \"Fastest Fourier Transform in the West\",\n"
+    )
     string(APPEND _json "      \"filesAnalyzed\": false\n")
     string(APPEND _json "    }")
     list(APPEND _thirdparty_spdx_ids "SPDXRef-FFTW")
@@ -296,10 +361,12 @@ function(itk_generate_sbom)
         string(APPEND _json ",\n")
       endif()
       set(_first_custom FALSE)
+      _itk_sbom_json_escape("${_lic_name}" _lic_name_escaped)
+      _itk_sbom_json_escape("${_lic_text}" _lic_text_escaped)
       string(APPEND _json "    {\n")
       string(APPEND _json "      \"licenseId\": \"${_lic_id}\",\n")
-      string(APPEND _json "      \"name\": \"${_lic_name}\",\n")
-      string(APPEND _json "      \"extractedText\": \"${_lic_text}\"\n")
+      string(APPEND _json "      \"name\": \"${_lic_name_escaped}\",\n")
+      string(APPEND _json "      \"extractedText\": \"${_lic_text_escaped}\"\n")
       string(APPEND _json "    }")
     endforeach()
     string(APPEND _json "\n  ]")

CMake/ITKSBOMValidation.cmake

@@ -0,0 +1,90 @@
+#[=============================================================================[
+  ITKSBOMValidation.cmake - Validate the generated SPDX SBOM document
+
+  Adds a CTest test that validates the SBOM JSON file produced by
+  ITKSBOMGeneration.cmake. Checks:
+    1. Valid JSON syntax
+    2. Required SPDX 2.3 top-level fields present
+    3. At least one package (ITK itself)
+    4. DESCRIBES relationship present
+#]=============================================================================]
+
+if(NOT ITK_GENERATE_SBOM OR NOT BUILD_TESTING)
+  return()
+endif()
+
+set(_sbom_file "${CMAKE_BINARY_DIR}/sbom.spdx.json")
+if(NOT EXISTS "${_sbom_file}")
+  return()
+endif()
+
+add_test(
+  NAME ITKSBOMValidation
+  COMMAND
+    ${Python3_EXECUTABLE} -c
+    "
+import json, sys
+
+with open(sys.argv[1]) as f:
+    doc = json.load(f)
+
+errors = []
+
+# Required SPDX 2.3 fields
+for field in ['spdxVersion', 'dataLicense', 'SPDXID', 'name',
+              'documentNamespace', 'creationInfo', 'packages',
+              'relationships']:
+    if field not in doc:
+        errors.append(f'Missing required field: {field}')
+
+if doc.get('spdxVersion') != 'SPDX-2.3':
+    errors.append(f'Expected spdxVersion SPDX-2.3, got {doc.get(\"spdxVersion\")}')
+
+if doc.get('dataLicense') != 'CC0-1.0':
+    errors.append(f'Expected dataLicense CC0-1.0, got {doc.get(\"dataLicense\")}')
+
+# Must have at least ITK package
+packages = doc.get('packages', [])
+if len(packages) < 1:
+    errors.append('No packages found')
+
+itk_pkg = next((p for p in packages if p.get('name') == 'ITK'), None)
+if itk_pkg is None:
+    errors.append('ITK package not found')
+
+# Check DESCRIBES relationship exists
+rels = doc.get('relationships', [])
+describes = [r for r in rels if r.get('relationshipType') == 'DESCRIBES']
+if not describes:
+    errors.append('No DESCRIBES relationship found')
+
+# Validate package SPDX IDs are unique
+spdx_ids = [p.get('SPDXID') for p in packages]
+dupes = set(x for x in spdx_ids if spdx_ids.count(x) > 1)
+if dupes:
+    errors.append(f'Duplicate SPDX IDs: {dupes}')
+
+# Check hasExtractedLicensingInfo references are valid
+extracted = doc.get('hasExtractedLicensingInfo', [])
+for entry in extracted:
+    if 'licenseId' not in entry:
+        errors.append(f'Extracted license missing licenseId')
+    if 'extractedText' not in entry:
+        errors.append(f'Extracted license missing extractedText')
+
+if errors:
+    for e in errors:
+        print(f'SBOM ERROR: {e}', file=sys.stderr)
+    sys.exit(1)
+
+print(f'SBOM valid: {len(packages)} packages, {len(rels)} relationships, '
+      f'{len(extracted)} extracted licenses')
+"
+    "${_sbom_file}"
+)
+set_tests_properties(
+  ITKSBOMValidation
+  PROPERTIES
+    LABELS
+      "SBOM"
+)

CMakeLists.txt

@@ -249,7 +249,11 @@ mark_as_advanced(ITK_USE_SYSTEM_LIBRARIES)
 
 #-----------------------------------------------------------------------------
 # Generate a Software Bill of Materials (SBOM) in SPDX 2.3 JSON format.
-option(ITK_GENERATE_SBOM "Generate SPDX Software Bill of Materials (SBOM) at configure time" ON)
+option(
+  ITK_GENERATE_SBOM
+  "Generate SPDX Software Bill of Materials (SBOM) at configure time"
+  ON
+)
 
 #-----------------------------------------------------------------------------
 # Enable the download and use of BrainWeb datasets.
@@ -753,6 +757,7 @@ include(ITKSBOMGeneration)
 if(ITK_GENERATE_SBOM)
   itk_generate_sbom()
 endif()
+include(ITKSBOMValidation)
 
 # Setup clang-tidy for code best-practices enforcement for C++11
 include(ITKClangTidySetup)

Modules/ThirdParty/Eigen3/itk-module.cmake

@@ -9,7 +9,12 @@ itk_module(
   DEPENDS
   DESCRIPTION "${DOCUMENTATION}"
   EXCLUDE_FROM_DEFAULT
-  SPDX_LICENSE "MPL-2.0"
-  SPDX_DOWNLOAD_LOCATION "https://eigen.tuxfamily.org"
-  SPDX_COPYRIGHT "Copyright Eigen contributors"
+  SPDX_LICENSE
+  "MPL-2.0 OR Apache-2.0"
+  SPDX_VERSION
+  "3.4.90"
+  SPDX_DOWNLOAD_LOCATION
+  "https://gitlab.com/libeigen/eigen"
+  SPDX_COPYRIGHT
+  "Copyright Eigen contributors"
 )

Modules/ThirdParty/HDF5/itk-module.cmake

@@ -7,9 +7,15 @@ HDF5 is a data model, library, and file format for storing and managing data."
 
 itk_module(
   ITKHDF5
-  DEPENDS ITKZLIB
+  DEPENDS
+    ITKZLIB
   DESCRIPTION "${DOCUMENTATION}"
-  SPDX_LICENSE "BSD-3-Clause"
-  SPDX_DOWNLOAD_LOCATION "https://www.hdfgroup.org/solutions/hdf5"
-  SPDX_COPYRIGHT "Copyright The HDF Group"
+  SPDX_LICENSE
+  "BSD-3-Clause"
+  SPDX_VERSION
+  "1.14.5"
+  SPDX_DOWNLOAD_LOCATION
+  "https://www.hdfgroup.org/solutions/hdf5"
+  SPDX_COPYRIGHT
+  "Copyright The HDF Group"
 )

Modules/ThirdParty/JPEG/itk-module.cmake

@@ -8,7 +8,12 @@ library published by the
 itk_module(
   ITKJPEG
   DESCRIPTION "${DOCUMENTATION}"
-  SPDX_LICENSE "IJG AND BSD-3-Clause AND Zlib"
-  SPDX_DOWNLOAD_LOCATION "https://libjpeg-turbo.org"
-  SPDX_COPYRIGHT "Copyright libjpeg-turbo contributors"
+  SPDX_LICENSE
+  "IJG AND BSD-3-Clause AND Zlib"
+  SPDX_VERSION
+  "9f"
+  SPDX_DOWNLOAD_LOCATION
+  "https://libjpeg-turbo.org"
+  SPDX_COPYRIGHT
+  "Copyright libjpeg-turbo contributors"
 )