From a5d0410f2d5f48feb657f1eb29bd218eddc4e583 Mon Sep 17 00:00:00 2001
From: jboursier
Date: Tue, 11 Oct 2022 13:08:22 +0200
Subject: [PATCH] Support `sbom` generation at release time

---
 Makefile  | 2 ++
 README.md | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/Makefile b/Makefile
index f1d589d..d9f04d3 100644
--- a/Makefile
+++ b/Makefile
@@ -5,6 +5,7 @@ ZIP = zip
 PIP3 = python3 -m pip
 PYTHON3 = python3
 POETRY = poetry
+SYFT = syft
 clean: ## clean existing builds
@@ -15,6 +16,7 @@ clean: ## clean existing builds
 release: ## Build a wheel
 	$(POETRY) build
+	$(SYFT) packages file:poetry.lock -o spdx-json > dist/sbom.json
 	cd dist && sha512sum * > ../checksums.sha512
 	gpg --detach-sign --armor checksums.sha512
diff --git a/README.md b/README.md
index 0d8ada7..a76239c 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,8 @@ make release
 ### Publish a new version
+**Requires `syft` to be installed to generate the sbom.**
+
 1. Bump the version number as described above
 2. `make deps` to update the dependencies
 3. `make release` to build the packages
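Review bot: The shell redirection in the new `release` recipe line creates `dist/sbom.json` before syft runs, so a syft that is missing or fails part-way leaves an empty or truncated file in `dist/`; if that target is re-run in a way that skips the failed line, the later `sha512sum *` and `gpg --detach-sign` steps would checksum and sign a broken SBOM as if it were genuine. Writing the output atomically avoids that: `$(SYFT) packages file:poetry.lock -o spdx-json > dist/sbom.json.tmp && mv -f dist/sbom.json.tmp dist/sbom.json`; declaring `.DELETE_ON_ERROR:` at the top of the Makefile would also have Make remove partial outputs, but that prologue is outside this hunk so I cannot tell whether it is already set. A short comment on the line, `# SBOM describes the resolved lockfile, not the contents of the built wheel`, would make it clearer to readers what `file:poetry.lock` actually attests, since the SBOM is generated from the lockfile rather than from the artefacts `$(POETRY) build` produced. The `release` recipe may continue past the `gpg` line outside the hunk.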