From 1bd96b5f4055b629dbeb3a505374acafd020ba69 Mon Sep 17 00:00:00 2001
From: Alexandru Croitor
Date: Tue, 6 Aug 2024 18:50:08 +0200
Subject: [PATCH] CMake: Read CPEs from attribution files when generating SBOMs

Also split up the CPE handling to allow for more values to be set, rather than preferring the first one that is encountered.

Task-number: QTBUG-122899
Change-Id: I3209cb5d66f5483c7294b40816431d9df75e00e5
Reviewed-by: Joerg Bornemann
(cherry picked from commit 47fd38be4bce0958fcfce8080d1580c4e3c2a15b)
Reviewed-by: Qt Cherry-pick Bot
---
 cmake/QtPublicSbomHelpers.cmake | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/cmake/QtPublicSbomHelpers.cmake b/cmake/QtPublicSbomHelpers.cmake
index a0a84085c0d..779aedd201c 100644
--- a/cmake/QtPublicSbomHelpers.cmake
+++ b/cmake/QtPublicSbomHelpers.cmake
@@ -673,13 +673,18 @@ function(_qt_internal_sbom_add_target target)
 
     if(arg_CPE)
         list(APPEND project_package_options CPE "${arg_CPE}")
-    elseif(arg_CPE_VENDOR AND arg_CPE_PRODUCT)
+    endif()
+    if(arg_CPE_VENDOR AND arg_CPE_PRODUCT)
         _qt_internal_sbom_compute_security_cpe(custom_cpe
             VENDOR "${arg_CPE_VENDOR}"
             PRODUCT "${arg_CPE_PRODUCT}"
             VERSION "${package_version}")
         list(APPEND project_package_options CPE "${custom_cpe}")
-    elseif(is_qt_entity_type)
+    endif()
+    if(qa_cpe)
+        list(APPEND project_package_options CPE "${qa_cpe}")
+    endif()
+    if(is_qt_entity_type)
         _qt_internal_sbom_compute_security_cpe_for_qt(cpe_list)
         list(APPEND project_package_options CPE "${cpe_list}")
     endif()
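Review bot: The new `if(qa_cpe)` block forwards the attribution-file CPE into `project_package_options` without checking its shape, so a mistyped value in an attribution file becomes a malformed security reference in the generated SBOM and quietly defeats any vulnerability matching keyed on that CPE. A configure-time guard before the append, e.g. `if(NOT qa_cpe MATCHES "^cpe:2\\.3:")` followed by `message(FATAL_ERROR "Invalid CPE in attribution file: ${qa_cpe}")`, would surface that where it is cheap to fix. The hunk now appends the `CPE` keyword up to four times, which only yields multiple entries if the consumer parses `CPE` as a multi-value keyword; that parsing is outside the hunk, so worth confirming that a single-value definition does not silently keep only the last one. `qa_cpe` is not assigned anywhere in the hunk and is presumably populated by the attribution read earlier in `_qt_internal_sbom_add_target`, whose body starts before and ends after this hunk.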
@@ -2246,6 +2251,7 @@ function(_qt_internal_sbom_read_qt_attribution out_prefix)
     _qt_internal_sbom_get_attribution_key(Copyright copyrights "${out_prefix}")
     _qt_internal_sbom_get_attribution_key(CopyrightFile copyright_file "${out_prefix}")
     _qt_internal_sbom_get_attribution_key(UpstreamPURL upstream_purl "${out_prefix}")
+    _qt_internal_sbom_get_attribution_key(CPE cpe "${out_prefix}")
 
     # In some attribution files (like harfbuzz) Copyright contains an array of copyrights rather
     # than a single string. Extract all of them.
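Review bot: The new `CPE` attribution key is read without any note on what shape it is expected to have, while the comment right below documents that `Copyright` may be an array; a one-line comment such as `# CPE: optional cpe:2.3 identifier for the third-party component, consumed by _qt_internal_sbom_add_target` would tell maintainers what the value feeds and that it is trusted as-is. If attribution files may also supply an array here, how `_qt_internal_sbom_get_attribution_key` flattens it is not visible in the hunk, and the resulting `;`-list would reach the SBOM unvalidated. `_qt_internal_sbom_read_qt_attribution` begins before and continues past this hunk.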