DOC: Document SBOM and SPDX tooling in Utilities/Maintenance

hjmjohnson · hjmjohnson · commit d0b2185cff0d · 2026-04-18T08:51:04.000-05:00
README section listing the five SBOM-related Python scripts added in
this PR and the typical workflows (add headers, verify versions,
validate SBOM, baseline fingerprint).
diff --git a/Utilities/Maintenance/README.md b/Utilities/Maintenance/README.md
@@ -8,3 +8,57 @@ Note that the files in this directory are not tested automatically
 by the continuous integration (CI) of the ITK git repository. So a
 git commit that only modifies files in this directory should not
 trigger a run of the CI.
+
+## SBOM and SPDX Tooling
+
+The following scripts support ITK's SPDX-2.3 Software Bill of Materials
+workflow (see `CMake/ITKSBOMGeneration.cmake` and
+`CMake/ITKSBOMValidation.cmake`). All require Python 3.10 or later.
+
+| Script | Purpose |
+|--------|---------|
+| `AddSPDXHeaders.py` | Prepend SPDX-FileCopyrightText / SPDX-License-Identifier lines to ITK-owned source files. Idempotent; skips files that already carry an SPDX header. Used by the `check-spdx-headers` pre-commit hook with `--check --files <paths>` to enforce SPDX on new files. Handles shebangs, UTF-8 BOM, and CRLF line endings safely. |
+| `VerifySPDXVersions.py` | Cross-check that each ThirdParty module's `SPDX_VERSION` in `itk-module.cmake` matches the tag declared in its `UpdateFromUpstream.sh`. Skips modules tracking `master`, commit SHAs, or ITK-custom `for/*` tags. Invoked by CTest as `ITKSBOMVersionConsistency`. |
+| `ValidateSBOMLight.py` | In-tree lightweight validator for the generated SBOM. Checks required SPDX 2.3 fields, license-reference integrity, and SPDXID uniqueness. Always runs via CTest `ITKSBOMValidation`. |
+| `ValidateSBOMWithSpdxTools.py` | Full SPDX 2.3 schema validation via the optional `spdx-tools` pip package. Returns CTest skip code 77 when `spdx-tools` is not installed so the test is optional rather than a hard dependency. Invoked by CTest as `ITKSBOMSchemaValidation`. |
+| `ComputeSBOMFingerprint.py` | SHA-256 fingerprint over the sorted, canonicalized SBOM package metadata (name, version, license, PURL). Used for drift detection between branches and in CI via CTest `ITKSBOMFingerprint` when `ITK_SBOM_FINGERPRINT_BASELINE` is set. |
+
+### Typical workflows
+
+Add SPDX headers to new files:
+```
+python3 Utilities/Maintenance/AddSPDXHeaders.py <source-tree>
+```
+
+Verify SBOM matches upstream versions:
+```
+python3 Utilities/Maintenance/VerifySPDXVersions.py .
+```
+
+Validate a generated SBOM:
+```
+python3 Utilities/Maintenance/ValidateSBOMLight.py build/sbom.spdx.json
+# For full schema validation (pip install spdx-tools first):
+python3 Utilities/Maintenance/ValidateSBOMWithSpdxTools.py build/sbom.spdx.json
+```
+
+Track SBOM changes:
+```
+# Baseline the current state:
+python3 Utilities/Maintenance/ComputeSBOMFingerprint.py build/sbom.spdx.json \
+    --compare Utilities/Maintenance/sbom-fingerprint.baseline --update
+
+# Later, verify no drift:
+python3 Utilities/Maintenance/ComputeSBOMFingerprint.py build/sbom.spdx.json \
+    --compare Utilities/Maintenance/sbom-fingerprint.baseline
+```
+
+### Related files
+
+- `Utilities/KWStyle/ITKHeader.h` — canonical ITK file header template,
+  enforced by the KWStyle CTest. Starts with the two SPDX lines followed
+  by the Apache-2.0 notice block.
+- `REUSE.toml` (repo root) — REUSE 3.x blanket license annotations for
+  ITK-owned files that do not carry per-file SPDX headers.
+- `LICENSES/` (repo root) — canonical SPDX license texts required by
+  REUSE 3.x.
