From 29f32d8170f4e7ba6d8b659cf9452b347dd05fdf Mon Sep 17 00:00:00 2001 From: Alexandru Croitor Date: Mon, 2 Dec 2024 19:13:29 +0100 Subject: [PATCH] CMake: Allow adding custom SBOM relationships to targets and projects Add a new SBOM_RELATIONSHIPS option to qt_internal_extend_target and friends that allows adding custom relationships to the current target. Add a new function qt_internal_sbom_add_project_relationship that allows adding custom relationships to the current project SBOM document. A sample usage might be: qt_internal_sbom_get_project_spdx_id(project_spdx_id) qt_internal_sbom_get_target_spdx_id(Svg svg_spdx_id) qt_internal_extend_target(Svg SBOM_RELATIONSHIPS "${svg_spdx_id} DESCENDANT_OF ${project_spdx_id}" ) qt_internal_sbom_add_project_relationship( RELATIONSHIPS "${svg_spdx_id} CONTAINS NOASSERTION" "${svg_spdx_id} DESCRIBES NOASSERTION" "${project_spdx_id} DESCRIBES NOASSERTION" ) Task-number: QTBUG-122899 Task-number: QTBUG-129901 Task-number: QTBUG-131377 Change-Id: Ie0119ca71b047c7515e1deaf84a5a67ea01b5274 Reviewed-by: Alexey Edelev Reviewed-by: Joerg Bornemann (cherry picked from commit d079fdd76cf3f44181c6099b845ba9b41892740e) Reviewed-by: Qt Cherry-pick Bot (cherry picked from commit 5a878ca693d349805a82802c7a11efabda9eb14f) --- cmake/QtPublicSbomGenerationHelpers.cmake | 48 +++++++++++++++++++++++ cmake/QtPublicSbomHelpers.cmake | 5 +++ cmake/QtSbomHelpers.cmake | 4 ++ 3 files changed, 57 insertions(+) diff --git a/cmake/QtPublicSbomGenerationHelpers.cmake b/cmake/QtPublicSbomGenerationHelpers.cmake index 366f236909b..4fca7451590 100644 --- a/cmake/QtPublicSbomGenerationHelpers.cmake +++ b/cmake/QtPublicSbomGenerationHelpers.cmake 
@@ -250,6 +250,7 @@ Relationship: SPDXRef-DOCUMENT DESCRIBES ${project_spdx_id} set_property(GLOBAL APPEND PROPERTY _qt_sbom_cmake_include_files "${create_staging_file}") set_property(GLOBAL PROPERTY _qt_sbom_spdx_id_count 0) + set_property(GLOBAL PROPERTY _qt_sbom_relationship_counter 0) endfunction() # Handles the look up of Python, Python spdx dependencies and other various post-installation steps 
@@ -1028,6 +1029,53 @@ Relationship: ${arg_RELATIONSHIP} set_property(GLOBAL APPEND PROPERTY _qt_sbom_cmake_include_files "${package_sbom}") endfunction() +# Helper to add relationship entries to the current project SBOM document package. +# +# RELATIONSHIPS: A list of relationship strings to add to the current project relationships. +# +# Care must be taken to call the function right after project creation, before other targets are +# created, otherwise the relationship strings might be added to the wrong package. +# It doesn't seem to cause tooling to fail, but it's something to look out for. +function(_qt_internal_sbom_generate_add_project_relationship) + if(NOT QT_GENERATE_SBOM) + return() + endif() + + set(opt_args "") + set(single_args "") + set(multi_args + RELATIONSHIPS + ) + cmake_parse_arguments(PARSE_ARGV 0 arg "${opt_args}" "${single_args}" "${multi_args}") + _qt_internal_validate_all_args_are_parsed(arg) + + qt_internal_sbom_set_default_option_value_and_error_if_empty(RELATIONSHIPS "") + + _qt_internal_get_staging_area_spdx_file_path(staging_area_spdx_file) + + get_property(counter GLOBAL PROPERTY _qt_sbom_relationship_counter) + set(current_counter "${counter}") + math(EXPR counter "${counter} + 1") + set_property(GLOBAL PROPERTY _qt_sbom_relationship_counter "${counter}") + + set(relationships "${arg_RELATIONSHIPS}") + list(REMOVE_DUPLICATES relationships) + list(JOIN relationships "\nRelationship: " relationships) + + set(content " + # Custom relationship index: ${current_counter} + file(APPEND \"${staging_area_spdx_file}\" + \" +Relationship: ${relationships}\") +") + + _qt_internal_get_current_project_sbom_dir(sbom_dir) + set(ext_ref_sbom "${sbom_dir}/relationship_${counter}.cmake") + file(GENERATE OUTPUT "${ext_ref_sbom}" CONTENT "${content}") + + set_property(GLOBAL APPEND PROPERTY _qt_sbom_cmake_include_files "${ext_ref_sbom}") +endfunction() + # Adds a cmake include file to the sbom generation process at a specific step. 
# INCLUDE_PATH - path to the cmake file to include. # STEP - one of diff --git a/cmake/QtPublicSbomHelpers.cmake b/cmake/QtPublicSbomHelpers.cmake index 852e2c32434..d56e9e81e28 100644 --- a/cmake/QtPublicSbomHelpers.cmake +++ b/cmake/QtPublicSbomHelpers.cmake @@ -547,6 +547,7 @@ macro(_qt_internal_get_sbom_add_target_common_options opt_args single_args multi SBOM_DEPENDENCIES ATTRIBUTION_FILE_PATHS ATTRIBUTION_FILE_DIR_PATHS + SBOM_RELATIONSHIPS ) _qt_internal_get_sbom_purl_add_target_options( @@ -955,6 +956,10 @@ function(_qt_internal_sbom_add_target target) get_cmake_property(project_spdx_id _qt_internal_sbom_project_spdx_id) list(APPEND relationships "${project_spdx_id} CONTAINS ${package_spdx_id}") + if(arg_SBOM_RELATIONSHIPS) + list(APPEND relationships "${arg_SBOM_RELATIONSHIPS}") + endif() + list(REMOVE_DUPLICATES relationships) list(JOIN relationships "\nRelationship: " relationships) list(APPEND project_package_options RELATIONSHIP "${relationships}") diff --git a/cmake/QtSbomHelpers.cmake b/cmake/QtSbomHelpers.cmake index 7734f6913f0..c88dc6f7286 100644 --- a/cmake/QtSbomHelpers.cmake +++ b/cmake/QtSbomHelpers.cmake @@ -42,3 +42,7 @@ endfunction() function(qt_internal_sbom_add_external_reference) _qt_internal_sbom_generate_add_external_reference(${ARGN}) endfunction() + +function(qt_internal_sbom_add_project_relationship) + _qt_internal_sbom_generate_add_project_relationship(${ARGN}) +endfunction()
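Review bot: In `_qt_internal_sbom_generate_add_project_relationship` (cmake/QtPublicSbomGenerationHelpers.cmake) the RELATIONSHIPS strings are pasted unescaped into the generated `relationship_N.cmake` script and from there into the SPDX staging file, so an entry containing `"`, `${`, a backslash or a line break either breaks the generated script or adds extra tag-value lines to the SBOM. Each entry should be checked against the `<id> <TYPE> <id>` shape before `list(JOIN ...)`. The same applies to `arg_SBOM_RELATIONSHIPS` appended in the `_qt_internal_sbom_add_target` hunk of cmake/QtPublicSbomHelpers.cmake, which appears to reach `Relationship: ${arg_RELATIONSHIP}` the same way. Separately, the generated comment uses `${current_counter}` while the file name uses the already incremented `${counter}`, so `relationship_1.cmake` is labelled index 0; using one value in both places avoids the mismatch. The character class in the sketch below is an approximation of the SPDX id grammar and should be confirmed against the spec version in use.

```cmake
    set(relationships "${arg_RELATIONSHIPS}")
    # Accept only "<id> <TYPE> <id>" so that quotes, variable references and line breaks
    # never reach the generated script or the SPDX document.
    foreach(relationship IN LISTS relationships)
        if(NOT relationship MATCHES "^[A-Za-z0-9.:+-]+ [A-Z_]+ [A-Za-z0-9.:+-]+$")
            message(FATAL_ERROR "Malformed SBOM relationship: '${relationship}'")
        endif()
    endforeach()
    # … unchanged: list(REMOVE_DUPLICATES), list(JOIN), content generation, file(GENERATE) …
```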
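Review bot: `qt_internal_sbom_add_project_relationship` in cmake/QtSbomHelpers.cmake is the entry point callers will use, yet it has no comment, and the ordering caveat is written only on the underscore-prefixed helper in another file. I would add above the wrapper `# Adds custom SPDX relationships to the current project SBOM document.` and `# Must be called right after project creation, before other targets are created.` Forwarding with unquoted `${ARGN}` also re-splits any argument that contains `;` and drops empty ones before the helper's `cmake_parse_arguments(PARSE_ARGV 0 ...)` sees them. That matches the existing `qt_internal_sbom_add_external_reference` wrapper directly above, so it may be an accepted convention here.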