From ad0ed9fe307ac01ceb3fadd32816ada961a5afa6 Mon Sep 17 00:00:00 2001
From: Alexandru Croitor
Date: Thu, 18 Jul 2024 16:32:24 +0200
Subject: [PATCH] CMake: Don't add platform CPE to SBOM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It triggers vulnerabilities when loading the SBOM into tools that look for CVEs matching those CPEs.

Pick-to: 6.8
Task-number: QTBUG-122899
Change-Id: Ic4949ca5749ce4e297344760d3500d982c9a4449
Reviewed-by: Kai Köhne
---
 cmake/QtPublicSbomGenerationHelpers.cmake | 63 +----------------------
 1 file changed, 1 insertion(+), 62 deletions(-)

diff --git a/cmake/QtPublicSbomGenerationHelpers.cmake b/cmake/QtPublicSbomGenerationHelpers.cmake
index 81d704fe60b..d86ee8e3ba9 100644
--- a/cmake/QtPublicSbomGenerationHelpers.cmake
+++ b/cmake/QtPublicSbomGenerationHelpers.cmake
@@ -18,59 +18,6 @@ function(qt_internal_sbom_set_default_option_value_and_error_if_empty option_nam
 endif()
 endfunction()
 
-# Computes the current platform CPE.
-# Mostly matches the OS and architecture.
-function(_qt_internal_sbom_get_platform_cpe out_var)
- set(cpe "")
-
- if(CMAKE_SYSTEM_PROCESSOR)
- set(system_processor "${CMAKE_SYSTEM_PROCESSOR}")
- else()
- set(system_processor "*")
- endif()
-
- if(WIN32)
- if("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "AMD64")
- set(arch "x64")
- elseif("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "IA64")
- set(arch "x64")
- elseif("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "ARM64")
- set(arch "arm64")
- elseif("${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "X86")
- set(arch "x86")
- elseif(CMAKE_CXX_COMPILER MATCHES "64")
- set(arch "x64")
- elseif(CMAKE_CXX_COMPILER MATCHES "86")
- set(arch "x86")
- else()
- set(arch "*")
- endif()
-
- if("${CMAKE_SYSTEM_VERSION}" STREQUAL "6.1")
- set(cpe "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:${arch}:*")
- elseif("${CMAKE_SYSTEM_VERSION}" STREQUAL "6.2")
- set(cpe "cpe:2.3:o:microsoft:windows_8:-:*:*:*:*:*:${arch}:*")
- elseif("${CMAKE_SYSTEM_VERSION}" STREQUAL "6.3")
- set(cpe "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:${arch}:*")
- elseif("${CMAKE_SYSTEM_VERSION}" GREATER_EQUAL 10)
- set(cpe "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:${arch}:*")
- else()
- set(cpe "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:${arch}:*")
- endif()
- elseif(APPLE)
- set(cpe "cpe:2.3:o:apple:mac_os:*:*:*:*:*:*:${system_processor}:*")
- elseif(UNIX)
- set(cpe "cpe:2.3:o:*:*:-:*:*:*:*:*:${system_processor}:*")
- elseif(CMAKE_SYSTEM_PROCESSOR MATCHES "arm")
- set(cpe "cpe:2.3:o:arm:arm:-:*:*:*:*:*:*:*")
- else()
- message(DEBUG "Can't compute CPE for unsupported platform")
- set(cpe "cpe:2.3:o:*:*:-:*:*:*:*:*:*:*")
- endif()
-
- set(${out_var} "${cpe}" PARENT_SCOPE)
-endfunction()
-
 # Helper that returns the directory where the intermediate sbom files will be generated.
 function(_qt_internal_get_current_project_sbom_dir out_var)
 set(sbom_dir "${PROJECT_BINARY_DIR}/qt_sbom")
@@ -135,8 +82,7 @@ function(_qt_internal_sbom_begin_project_generate)
 if(arg_CPE)
 set(QT_SBOM_CPE "${arg_CPE}")
 else()
- _qt_internal_sbom_get_platform_cpe(platform_cpe)
- set(QT_SBOM_CPE "${platform_cpe}")
+ set(QT_SBOM_CPE "")
 endif()
 
 string(REGEX REPLACE "[^A-Za-z0-9.]+" "-" arg_PROJECT_FOR_SPDX_ID "${arg_PROJECT_FOR_SPDX_ID}")
@@ -829,13 +775,6 @@ PackageComment: ${arg_COMMENT}"
 )
 endif()
 
- _qt_internal_sbom_get_platform_cpe(platform_cpe)
- if(NOT arg_CPE)
- set(fields "${fields}
-ExternalRef: SECURITY cpe23Type ${platform_cpe}"
- )
- endif()
-
 foreach(cpe IN LISTS arg_CPE)
 set(fields "${fields}
 ExternalRef: SECURITY cpe23Type ${cpe}"
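Review bot: `QT_SBOM_CPE` is now the empty string whenever no `CPE` argument is given, and the code that later writes it into the document is outside this hunk; if that consumer emits `ExternalRef: SECURITY cpe23Type ${QT_SBOM_CPE}` unconditionally it will now produce an ExternalRef with an empty locator, which is malformed SPDX, so it should be guarded with `if(QT_SBOM_CPE)` the way the per-package path is guarded by `foreach(cpe IN LISTS arg_CPE)` in the last hunk. As a point of style, the whole `if(arg_CPE)`/`else()` block collapses to the single line `set(QT_SBOM_CPE "${arg_CPE}")`, since an unset `arg_CPE` expands to the empty string either way. A short comment at that line would keep the fallback from being reintroduced later, e.g. `# No default CPE: an OS-level platform CPE on the Qt package makes SBOM scanners attribute OS CVEs to Qt (QTBUG-122899).` `_qt_internal_sbom_begin_project_generate` starts and ends outside the hunk.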