From 52a64aca2099a1efc5a8819c9e60a57aefde4370 Mon Sep 17 00:00:00 2001
From: Alexandru Croitor
Date: Mon, 17 Feb 2025 15:15:21 +0100
Subject: [PATCH] CMake: Add project supplier to generated source SBOM

Make sure to specify the creator organization when calling reuse to generate the source SBOM. This replaces 'Creator: Organization: Anonymous' with 'Creator: Organization: TheQtCompany (https://qt.io)'

Pick-to: 6.8 6.9
Fixes: QTBUG-133796
Change-Id: I3532d9f35ca3eacd9c20bee7db88f35c76db9672
Reviewed-by: Lucie Gerard
---
 cmake/QtPublicSbomOpsHelpers.cmake | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/cmake/QtPublicSbomOpsHelpers.cmake b/cmake/QtPublicSbomOpsHelpers.cmake
index 29511a73aba..a83b1f1c828 100644
--- a/cmake/QtPublicSbomOpsHelpers.cmake
+++ b/cmake/QtPublicSbomOpsHelpers.cmake
@@ -757,11 +757,33 @@ function(_qt_internal_sbom_generate_reuse_source_sbom)
 endif()
 ")
 
+ set(extra_reuse_args "")
+
+ get_property(project_supplier GLOBAL PROPERTY _qt_sbom_project_supplier)
+ if(project_supplier)
+ get_property(project_supplier_url GLOBAL PROPERTY _qt_sbom_project_supplier_url)
+
+ # Add the supplier url if available. Add it in parenthesis to stop reuse from adding its
+ # own empty parenthesis.
+ if(project_supplier_url)
+ set(project_supplier "${project_supplier} (${project_supplier_url})")
+ endif()
+
+ # Unfortunately there's no way to silence the addition of the 'Creator: Person' field,
+ # even though 'Creator: Organization' is supplied.
+ list(APPEND extra_reuse_args --creator-organization "${project_supplier}")
+ endif()
+
 set(content "
 message(STATUS \"Generating source SBOM using reuse tool: ${source_sbom_path}\")
+ set(extra_reuse_args \"${extra_reuse_args}\")
 execute_process(
- COMMAND ${QT_SBOM_PROGRAM_REUSE} --root \"${PROJECT_SOURCE_DIR}\" spdx
- -o ${source_sbom_path}
+ COMMAND
+ ${QT_SBOM_PROGRAM_REUSE}
+ --root \"${PROJECT_SOURCE_DIR}\"
+ spdx
+ -o ${source_sbom_path}
+ \${extra_reuse_args}
 RESULT_VARIABLE res
 )
 ${handle_error}
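Review bot: The supplier string is pasted into the generated script inside a double-quoted argument, at `set(extra_reuse_args \"${extra_reuse_args}\")`, with no escaping, so a supplier name or URL containing `"`, `\`, `$` or `;` would yield a malformed script or a value that is expanded again when the script runs. Where `_qt_sbom_project_supplier` is set lies outside this hunk and it is presumably project-controlled, but a bracket argument removes the dependency on its contents: `set(extra_reuse_args [==[${extra_reuse_args}]==])` (a `;` inside the name would still split the list and needs its own check). The rewritten COMMAND also leaves `-o ${source_sbom_path}` unquoted while `--root` is quoted, so an output path containing spaces is split into several arguments; `-o \"${source_sbom_path}\"` would match the line above it. The function body starts and ends outside the hunk.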