coin: CMake: Add instructions to generate JSON and verify the SBOM

If the VerifySBOM feature is enabled, pass additional options to
CMake configuration:
- runs syntactic verification of the SBOM
- converts the generated SBOM files into JSON files (and installs
  them), which performs additional useful validations
- runs the NTIA SBOM verifier
- shows some of the content in the SBOM in a more user-friendly table
  format via the sbom2doc python app
- runs sbomaudit to show things like packages without a license
  expression, doesn't exit with errors if issues are found.

To ensure the tables are wide enough in the log on the CI, we set
an explicit value for COLUMNS env var, which is used by sbom2doc
to determine the table size.

To ensure the sbom2doc and sbomaudit python applications are found,
we supply additional locations where they can be found, via the
env vars that coin python provisioning sets.

We also make sure to pass the found application paths when executing
the python apps, because they might not be in PATH by default.

Task-number: QTBUG-122899
Change-Id: I0baef8b9c949209b15ab304e1e840b4dcdf5a61c
Reviewed-by: Toni Saario <toni.saario@qt.io>
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
(cherry picked from commit 83ff34d1c626759224a95f39bca8337a8390ed52)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
This commit is contained in:
Alexandru Croitor 2024-06-10 15:31:28 +02:00 committed by Qt Cherry-pick Bot
parent a9d3a0b47c
commit 7e831c3b66
2 changed files with 84 additions and 2 deletions


@ -953,8 +953,17 @@ macro(_qt_internal_sbom_find_python)
endif()
if(NOT Python3_EXECUTABLE)
if(QT_SBOM_PYTHON_INTERP)
set(__qt_sbom_python3_root_dir "${Python3_ROOT_DIR}")
set(Python3_ROOT_DIR ${QT_SBOM_PYTHON_INTERP})
endif()
# NTIA-compliance checker requires Python 3.9 or later.
find_package(Python3 3.9 REQUIRED COMPONENTS Interpreter)
if(QT_SBOM_PYTHON_INTERP)
set(Python3_ROOT_DIR ${__qt_sbom_python3_root_dir})
endif()
endif()
if(QT_INTERNAL_NO_SBOM_FIND_PYTHON_FRAMEWORK)
@ -1008,8 +1017,17 @@ function(_qt_internal_sbom_find_python_dependency_program)
string(TOUPPER "${program_name}" upper_name)
set(cache_var "QT_SBOM_PROGRAM_${upper_name}")
set(hints "")
# The path to python installed apps is different on Windows compared to UNIX, so we use
# a different path than where the python interpreter might be located.
if(QT_SBOM_PYTHON_APPS_PATH)
list(APPEND hints ${QT_SBOM_PYTHON_APPS_PATH})
endif()
find_program(${cache_var}
NAMES ${program_name}
HINTS ${hints}
)
if(NOT ${cache_var})
@ -1086,12 +1104,29 @@ endfunction()
# Helper to show the main sbom document info in the form of a CLI table.
function(_qt_internal_sbom_show_table)
set(extra_code_begin "")
if(DEFINED ENV{COIN_UNIQUE_JOB_ID})
# The output of the process dynamically adjusts the width of the shown table based on the
# console width. In the CI, the width is very short for some reason, and thus the output
# is truncated in the CI log. Explicitly set a bigger width to avoid this.
set(extra_code_begin "
set(backup_env_columns \$ENV{COLUMNS})
set(ENV{COLUMNS} 150)
")
set(extra_code_end "
set(ENV{COLUMNS} \${backup_env_columns})
")
endif()
set(content "
message(STATUS \"Showing main SBOM document info: \${QT_SBOM_OUTPUT_PATH}\")
${extra_code_begin}
execute_process(
COMMAND sbom2doc -i \"\${QT_SBOM_OUTPUT_PATH}\"
COMMAND ${QT_SBOM_PROGRAM_SBOM2DOC} -i \"\${QT_SBOM_OUTPUT_PATH}\"
RESULT_VARIABLE res
)
${extra_code_end}
if(NOT res EQUAL 0)
message(FATAL_ERROR \"Showing SBOM document failed: \${res}\")
endif()
@ -1124,7 +1159,7 @@ function(_qt_internal_sbom_audit)
set(content "
message(STATUS \"Auditing SBOM: \${QT_SBOM_OUTPUT_PATH}\")
execute_process(
COMMAND sbomaudit -i \"\${QT_SBOM_OUTPUT_PATH}\"
COMMAND ${QT_SBOM_PROGRAM_SBOMAUDIT} -i \"\${QT_SBOM_OUTPUT_PATH}\"
--disable-license-check --cpecheck --offline
RESULT_VARIABLE res
)
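Review bot: The program path embedded into the generated script at `COMMAND ${QT_SBOM_PROGRAM_SBOM2DOC} -i \"\${QT_SBOM_OUTPUT_PATH}\"` in `_qt_internal_sbom_show_table`, and the matching sbomaudit line in the `_qt_internal_sbom_audit` hunk, is expanded at configure time without quotes, so a path containing spaces (the Windows `Scripts` directory this change wires up via QT_SBOM_PYTHON_APPS_PATH) is split into several arguments when the script later runs, and the `res` check would then most likely report a failure that has nothing to do with the SBOM itself. Quoting the configure-time expansion the same way the runtime one already is, `COMMAND \"${QT_SBOM_PROGRAM_SBOM2DOC}\" -i \"\${QT_SBOM_OUTPUT_PATH}\"` and `COMMAND \"${QT_SBOM_PROGRAM_SBOMAUDIT}\" -i \"\${QT_SBOM_OUTPUT_PATH}\"`, keeps the path as a single argument. In the same function `extra_code_end` is assigned only inside the `COIN_UNIQUE_JOB_ID` branch while `extra_code_begin` is initialised to an empty string before it; adding `set(extra_code_end "")` next to that initialisation makes the pair symmetric instead of relying on an undefined variable expanding to nothing. Both `_qt_internal_sbom_show_table` and `_qt_internal_sbom_audit` continue past the end of their hunks, and in the `_qt_internal_sbom_find_python` macro the restore of `Python3_ROOT_DIR` from `__qt_sbom_python3_root_dir` leaves the variable defined-but-empty when it was previously unset, which is worth a comment if it is intended.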


@ -493,6 +493,53 @@ instructions:
variableName: COMMON_NON_QTBASE_TARGET_CMAKE_ARGS
variableValue: " -DQT_GENERATE_SBOM=ON"
# SBOM Python apps path. On Windows python-installed apps are
# in the same directory where pip is, aka Scripts sub-directory.
- type: EnvironmentVariable
variableName: SBOM_PYTHON_APPS_PATH
variableValue: "{{.Env.PIP3_PATH}}"
enable_if:
condition: property
property: host.os
equals_value: Windows
- type: EnvironmentVariable
variableName: SBOM_PYTHON_APPS_PATH
variableValue: "{{.Env.PYTHON3_PATH}}"
disable_if:
condition: property
property: host.os
equals_value: Windows
# SBOM verification and auditing
- type: Group
enable_if:
condition: property
property: features
contains_value: VerifySBOM
instructions:
- type: EnvironmentVariable
variableName: SBOM_COMMON_ARGS
variableValue: >-
-DQT_INTERNAL_NO_SBOM_FIND_PYTHON_FRAMEWORK=ON
-DQT_INTERNAL_SBOM_DEFAULT_CHECKS=ON
-DQT_INTERNAL_SBOM_AUDIT=ON
-DQT_INTERNAL_SBOM_AUDIT_NO_ERROR=ON
-DQT_SBOM_PYTHON_INTERP={{.Env.PYTHON3_PATH}}
-DQT_SBOM_PYTHON_APPS_PATH={{.Env.SBOM_PYTHON_APPS_PATH}}
- type: AppendToEnvironmentVariable
variableName: COMMON_CMAKE_ARGS
variableValue: " {{.Env.SBOM_COMMON_ARGS}} "
- type: AppendToEnvironmentVariable
variableName: COMMON_NON_QTBASE_CMAKE_ARGS
variableValue: " {{.Env.SBOM_COMMON_ARGS}} "
- type: AppendToEnvironmentVariable
variableName: COMMON_TARGET_CMAKE_ARGS
variableValue: " {{.Env.SBOM_COMMON_ARGS}} "
- type: AppendToEnvironmentVariable
variableName: COMMON_NON_QTBASE_TARGET_CMAKE_ARGS
variableValue: " {{.Env.SBOM_COMMON_ARGS}} "
- type: Group
instructions:
- type: AppendToEnvironmentVariable