CMake: Replace placeholders in CPE and PURL strings in SBOMs

Replace instances of $<VERSION> in CPE and PURL strings read from
qt_attribution.json files with the version of the package being
processed.

This avoids duplicating the version in qt_attribution.json files in 3
different fields Version, CPE, and PURL.

Pick-to: 6.8
Task-number: QTBUG-132181
Change-Id: I91af17c82dbb936739f4811bf86043e00ee49a78
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
(cherry picked from commit bc3bbb51b7b48d3c4a44a432441938863582242c)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>

cmake/QtPublicSbomHelpers.cmake

@@ -855,7 +855,12 @@ function(_qt_internal_sbom_add_target target)
     endif()
 
     if(qa_cpes)
-        list(APPEND cpe_args CPE "${qa_cpes}")
+        _qt_internal_sbom_replace_qa_placeholders(
+            VALUES ${qa_cpes}
+            VERSION "${package_version}"
+            OUT_VAR qa_cpes_replaced
+        )
+        list(APPEND cpe_args CPE "${qa_cpes_replaced}")
     endif()
 
     # Add the qt-specific CPE if the target is a Qt entity type, or if it's a 3rd party entity type
@@ -898,7 +903,13 @@ function(_qt_internal_sbom_add_target target)
     endif()
 
     if(qa_purls)
-        list(APPEND purl_args PURL_3RDPARTY_UPSTREAM_VALUES "${qa_purls}")
+        _qt_internal_sbom_replace_qa_placeholders(
+            VALUES ${qa_purls}
+            VERSION "${package_version}"
+            OUT_VAR qa_purls_replaced
+        )
+
+        list(APPEND purl_args PURL_3RDPARTY_UPSTREAM_VALUES "${qa_purls_replaced}")
     endif()
     list(APPEND purl_args OUT_VAR purl_package_options)
 
@@ -4325,6 +4336,51 @@ function(_qt_internal_sbom_join_two_license_ids_with_op left_id op right_id out_
     set(${out_var} "${value}" PARENT_SCOPE)
 endfunction()
 
+# Replaces placeholders in CPE and PURL strings read from qt_attribution.json files.
+#
+# VALUES - list of CPE or PURL strings
+# OUT_VAR - variable to store the replaced values
+# VERSION - version to replace in the placeholders
+
+# Known placeholders:
+# $<VERSION> - Replaces occurrences of the placeholder with the value passed to the VERSION option.
+# $<VERSION_DASHED> - Replaces occurrences of the placeholder with the value passed to the VERSION
+# option, but with dots replaced by dashes.
+function(_qt_internal_sbom_replace_qa_placeholders)
+    set(opt_args "")
+    set(single_args
+        OUT_VAR
+        VERSION
+    )
+    set(multi_args
+        VALUES
+    )
+
+    cmake_parse_arguments(PARSE_ARGV 0 arg "${opt_args}" "${single_args}" "${multi_args}")
+    _qt_internal_validate_all_args_are_parsed(arg)
+
+    if(NOT arg_OUT_VAR)
+        message(FATAL_ERROR "OUT_VAR must be set")
+    endif()
+
+    set(result "")
+
+    if(arg_VERSION)
+        string(REPLACE "." "-" dashed_version "${arg_VERSION}")
+    endif()
+
+    foreach(value IN LISTS arg_VALUES)
+        if(arg_VERSION)
+            string(REPLACE "$<VERSION>" "${arg_VERSION}" value "${value}")
+            string(REPLACE "$<VERSION_DASHED>" "${dashed_version}" value "${value}")
+        endif()
+
+        list(APPEND result "${value}")
+    endforeach()
+
+    set(${arg_OUT_VAR} "${result}" PARENT_SCOPE)
+endfunction()
+
 # Returns the configure line used to configure the current repo or top-level build, by reading
 # the config.opt file that the configure script writes out.
 # Returns an empty string if configure was not called, but CMake was called directly.