diff --git a/cmake/QtPublicSbomGenerationHelpers.cmake b/cmake/QtPublicSbomGenerationHelpers.cmake
index 366f236909b..4fca7451590 100644
--- a/cmake/QtPublicSbomGenerationHelpers.cmake
+++ b/cmake/QtPublicSbomGenerationHelpers.cmake
@@ -250,6 +250,7 @@ Relationship: SPDXRef-DOCUMENT DESCRIBES ${project_spdx_id}
 set_property(GLOBAL APPEND PROPERTY _qt_sbom_cmake_include_files "${create_staging_file}")
 set_property(GLOBAL PROPERTY _qt_sbom_spdx_id_count 0)
+ set_property(GLOBAL PROPERTY _qt_sbom_relationship_counter 0)
 endfunction()
 # Handles the look up of Python, Python spdx dependencies and other various post-installation steps
@@ -1028,6 +1029,53 @@ Relationship: ${arg_RELATIONSHIP}
 set_property(GLOBAL APPEND PROPERTY _qt_sbom_cmake_include_files "${package_sbom}")
 endfunction()
+# Helper to add relationship entries to the current project SBOM document package.
+#
+# RELATIONSHIPS: A list of relationship strings to add to the current project relationships.
+#
+# Care must be taken to call the function right after project creation, before other targets are
+# created, otherwise the relationship strings might be added to the wrong package.
+# It doesn't seem to cause tooling to fail, but it's something to look out for.
+function(_qt_internal_sbom_generate_add_project_relationship)
+ if(NOT QT_GENERATE_SBOM)
+ return()
+ endif()
+
+ set(opt_args "")
+ set(single_args "")
+ set(multi_args
+ RELATIONSHIPS
+ )
+ cmake_parse_arguments(PARSE_ARGV 0 arg "${opt_args}" "${single_args}" "${multi_args}")
+ _qt_internal_validate_all_args_are_parsed(arg)
+
+ qt_internal_sbom_set_default_option_value_and_error_if_empty(RELATIONSHIPS "")
+
+ _qt_internal_get_staging_area_spdx_file_path(staging_area_spdx_file)
+
+ get_property(counter GLOBAL PROPERTY _qt_sbom_relationship_counter)
+ set(current_counter "${counter}")
+ math(EXPR counter "${counter} + 1")
+ set_property(GLOBAL PROPERTY _qt_sbom_relationship_counter "${counter}")
+
+ set(relationships "${arg_RELATIONSHIPS}")
+ list(REMOVE_DUPLICATES relationships)
+ list(JOIN relationships "\nRelationship: " relationships)
+
+ set(content "
+ # Custom relationship index: ${current_counter}
+ file(APPEND \"${staging_area_spdx_file}\"
+ \"
+Relationship: ${relationships}\")
+")
+
+ _qt_internal_get_current_project_sbom_dir(sbom_dir)
+ set(ext_ref_sbom "${sbom_dir}/relationship_${counter}.cmake")
+ file(GENERATE OUTPUT "${ext_ref_sbom}" CONTENT "${content}")
+
+ set_property(GLOBAL APPEND PROPERTY _qt_sbom_cmake_include_files "${ext_ref_sbom}")
+endfunction()
+
 # Adds a cmake include file to the sbom generation process at a specific step.
 # INCLUDE_PATH - path to the cmake file to include.
 # STEP - one of
diff --git a/cmake/QtPublicSbomHelpers.cmake b/cmake/QtPublicSbomHelpers.cmake
index 852e2c32434..d56e9e81e28 100644
--- a/cmake/QtPublicSbomHelpers.cmake
+++ b/cmake/QtPublicSbomHelpers.cmake
@@ -547,6 +547,7 @@ macro(_qt_internal_get_sbom_add_target_common_options opt_args single_args multi
 SBOM_DEPENDENCIES
 ATTRIBUTION_FILE_PATHS
 ATTRIBUTION_FILE_DIR_PATHS
+ SBOM_RELATIONSHIPS
 )
 _qt_internal_get_sbom_purl_add_target_options(
@@ -955,6 +956,10 @@ function(_qt_internal_sbom_add_target target)
 get_cmake_property(project_spdx_id _qt_internal_sbom_project_spdx_id)
 list(APPEND relationships "${project_spdx_id} CONTAINS ${package_spdx_id}")
+ if(arg_SBOM_RELATIONSHIPS)
+ list(APPEND relationships "${arg_SBOM_RELATIONSHIPS}")
+ endif()
+ list(REMOVE_DUPLICATES relationships)
 list(JOIN relationships "\nRelationship: " relationships)
 list(APPEND project_package_options RELATIONSHIP "${relationships}")
diff --git a/cmake/QtSbomHelpers.cmake b/cmake/QtSbomHelpers.cmake
index 7734f6913f0..c88dc6f7286 100644
--- a/cmake/QtSbomHelpers.cmake
+++ b/cmake/QtSbomHelpers.cmake
@@ -42,3 +42,7 @@ endfunction()
 function(qt_internal_sbom_add_external_reference)
 _qt_internal_sbom_generate_add_external_reference(${ARGN})
 endfunction()
+
+function(qt_internal_sbom_add_project_relationship)
+ _qt_internal_sbom_generate_add_project_relationship(${ARGN})
+endfunction()
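Review bot: In `_qt_internal_sbom_generate_add_project_relationship` the joined `${relationships}` text is spliced unescaped into the quoted `file(APPEND ...)` argument of the generated `relationship_N.cmake` script, which is then queued in `_qt_sbom_cmake_include_files`. A relationship string containing a double quote, a backslash, `${` or a generator expression would change what that script writes into the SPDX document, or stop it from parsing, instead of being rejected at configure time. The `SBOM_RELATIONSHIPS` values appended in `_qt_internal_sbom_add_target` appear to take a similar route through the `RELATIONSHIP` option and would benefit from the same check. Validating each entry against the `<id> <TYPE> <id>` shape before joining, as sketched below, keeps the SBOM content predictable; the pattern is a starting point and should be adjusted to the SPDX ids this project emits. Separately, the generated comment uses `${current_counter}` while the file name uses the incremented `${counter}`, so the two indices are off by one.

```cmake
    set(relationships "${arg_RELATIONSHIPS}")
    # Reject anything that could escape the quoted argument in the generated script.
    foreach(relationship IN LISTS relationships)
        if(NOT relationship MATCHES "^[A-Za-z0-9.:_-]+ [A-Z_]+ [A-Za-z0-9.:_-]+$")
            message(FATAL_ERROR
                "Invalid SBOM relationship (expected '<id> <TYPE> <id>'): ${relationship}")
        endif()
    endforeach()
    list(REMOVE_DUPLICATES relationships)
    # … unchanged: join, script generation, include-file registration …
```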
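Review bot: `qt_internal_sbom_add_project_relationship` is the entry point callers will use, but it carries no comment, and the ordering caveat (call right after project creation, before other targets are created, or the entries may be added to the wrong package) is documented only on the underscore-prefixed helper in another file. A relationship attributed to the wrong package is an SBOM accuracy problem that nothing at configure time reports, so the caveat belongs where callers will read it. I would add above the function: `# Adds RELATIONSHIPS entries to the current project's SBOM package. Call right after project creation, before other targets are created.`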