CMake: Allow marking incomplete 3rd party deps for a target's SBOM

For some targets, it might not be possible to specify all 3rd party
dependencies information for SBOM generation.

qtwebengine is one of these cases, where the 3rd party targets are
only known to GN, and not CMake.

Add a new SBOM_INCOMPLETE_3RD_PARTY_DEPENDENCIES option which can be
passed to qt_internal_add_module and friends.
This will include an informational message into the SBOM package
comment field that the dependency information might be incomplete.

Also add an SBOM_PACKAGE_COMMENT option, which can be used to provide
further information if necessary.

Task-number: QTBUG-122899
Change-Id: I5e893e1e205aae4a5591a457be88d5db54fa8fc3
Reviewed-by: Kai Köhne <kai.koehne@qt.io>
(cherry picked from commit 04ade5acc923ae04142004551ce8c7560517d192)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Alexandru Croitor 2024-07-17 17:25:12 +02:00 committed by Qt Cherry-pick Bot
parent 7dd7e5038c
commit 3f89719a4b

@ -284,6 +284,7 @@ macro(_qt_internal_get_sbom_add_target_common_options opt_args single_args multi
NO_DEFAULT_QT_COPYRIGHTS
NO_DEFAULT_QT_PACKAGE_VERSION
NO_DEFAULT_QT_SUPPLIER
SBOM_INCOMPLETE_3RD_PARTY_DEPENDENCIES
)
set(${single_args}
PACKAGE_VERSION
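Review bot: SBOM_INCOMPLETE_3RD_PARTY_DEPENDENCIES is added to the option keywords here without any description next to the macro. Please document beside it what the flag changes in the generated SBOM (a note in the package comment, nothing else), so that callers of qt_internal_add_module do not assume it affects dependency resolution or suppresses any checks.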
@ -294,6 +295,7 @@ macro(_qt_internal_get_sbom_add_target_common_options opt_args single_args multi
QT_LICENSE_ID
DOWNLOAD_LOCATION
ATTRIBUTION_ENTRY_INDEX
SBOM_PACKAGE_COMMENT
)
set(${multi_args}
COPYRIGHTS
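Review bot: SBOM_PACKAGE_COMMENT is registered as a single-value keyword, so the free-text comment has to arrive as exactly one argument. Please state in the option's documentation that the text must be passed as one quoted string, and say whether multi-line text is supported, since every other keyword in this list carries a short identifier-like value rather than prose.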
@ -369,6 +371,16 @@ function(_qt_internal_sbom_add_target target)
set(package_comment "")
if(arg_SBOM_INCOMPLETE_3RD_PARTY_DEPENDENCIES)
string(APPEND package_comment
"Note: This package was marked as not listing all of its consumed 3rd party "
"dependencies.\nThus the licensing and copyright information might be incomplete.\n")
endif()
if(arg_SBOM_PACKAGE_COMMENT)
string(APPEND package_comment "${arg_SBOM_PACKAGE_COMMENT}\n")
endif()
# Record the target spdx id right now, so we can refer to it in later attribution targets
# if needed.
_qt_internal_sbom_record_target_spdx_id(${target}
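Review bot: The incompleteness notice built in the `if(arg_SBOM_INCOMPLETE_3RD_PARTY_DEPENDENCIES)` branch exists only as English free text in package_comment, so a tool consuming the SBOM cannot reliably tell that the dependency list is known to be partial. Consider starting the note with a fixed, documented marker string (or recording the flag in a separate field) so that license audits and vulnerability scanners can treat such a package as incomplete rather than as clean. Separately, `string(APPEND package_comment "${arg_SBOM_PACKAGE_COMMENT}\n")` appends the caller's text verbatim; none of the visible lines check it for content the SBOM writer would need to escape, so please confirm that happens where package_comment is written out.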