From dc5c7f9ead7e47b92c5717ca24d585a718a8b5f0 Mon Sep 17 00:00:00 2001
From: Alexandru Croitor
Date: Thu, 27 Feb 2025 16:53:23 +0100
Subject: [PATCH] CMake: Add function to set up SBOM generation defaults
Move the setting up of options like QT_GENERATE_SBOM into a separate function, that can be called by projects other than Qt.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I337c4e9b0b3154ff97f494887bf88ee01e8ed00c
Reviewed-by: Alexey Edelev
---
 cmake/QtBuildOptionsHelpers.cmake | 14 +++--------
 cmake/QtPublicSbomHelpers.cmake | 40 +++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 11 deletions(-)
diff --git a/cmake/QtBuildOptionsHelpers.cmake b/cmake/QtBuildOptionsHelpers.cmake
index 1f7b72cf1cd..027924103d9 100644
--- a/cmake/QtBuildOptionsHelpers.cmake
+++ b/cmake/QtBuildOptionsHelpers.cmake
@@ -344,17 +344,9 @@ endfunction()
 macro(qt_internal_setup_sbom)
 qt_internal_compute_sbom_default(_qt_generate_sbom_default)
- option(QT_GENERATE_SBOM "Generate SBOM documents in SPDX v2.3 tag:value format."
- "${_qt_generate_sbom_default}")
-
- option(QT_SBOM_GENERATE_JSON
- "Generate SBOM documents in SPDX v2.3 JSON format if dependencies are available" ON)
- option(QT_SBOM_REQUIRE_GENERATE_JSON
- "Error out if JSON SBOM generation dependencies are not found." OFF)
-
- option(QT_SBOM_VERIFY "Verify generated SBOM documents." ON)
- option(QT_SBOM_REQUIRE_VERIFY
- "Error out if SBOM verification dependencies are not found." OFF)
+ _qt_internal_setup_sbom(
+ GENERATE_SBOM_DEFAULT "${_qt_generate_sbom_default}"
+ )
 endmacro()
 macro(qt_internal_setup_build_examples)
diff --git a/cmake/QtPublicSbomHelpers.cmake b/cmake/QtPublicSbomHelpers.cmake
index f9f83dd1185..3767fb4ff26 100644
--- a/cmake/QtPublicSbomHelpers.cmake
+++ b/cmake/QtPublicSbomHelpers.cmake
@@ -346,6 +346,46 @@ function(_qt_internal_sbom_setup_project_ops)
 _qt_internal_sbom_setup_project_ops_generation(${options})
 endfunction()
+# Sets up SBOM generation and verification options.
+# By default SBOM generation is disabled.
+# By default JSON generation and SBOM verification are enabled by default, if the dependencies
+# are present, otherwise they will be silently skipped. Unless the user explicitly requests to
+# fail the build if the dependencies are not found.
+#
+# The QT_GENERATE_SBOM_DEFAULT option can be set by a project to change the default value.
+function(_qt_internal_setup_sbom)
+ set(opt_args "")
+ set(single_args
+ GENERATE_SBOM_DEFAULT
+ )
+ set(multi_args "")
+
+ cmake_parse_arguments(PARSE_ARGV 0 arg "${opt_args}" "${single_args}" "${multi_args}")
+ _qt_internal_validate_all_args_are_parsed(arg)
+
+ set(default_value "OFF")
+ if(NOT "${arg_GENERATE_SBOM_DEFAULT}" STREQUAL "")
+ set(default_value "${arg_GENERATE_SBOM_DEFAULT}")
+ endif()
+
+ option(QT_GENERATE_SBOM "Generate SBOM documents in SPDX v2.3 tag:value format."
+ "${default_value}")
+
+ string(CONCAT help_string
+ "Generate SBOM documents in SPDX v2.3 JSON format if required python dependency "
+ "spdx-tools is available"
+ )
+
+ option(QT_SBOM_GENERATE_JSON
+ "${help_string}" ON)
+ option(QT_SBOM_REQUIRE_GENERATE_JSON
+ "Error out if JSON SBOM generation depdendency is not found." OFF)
+
+ option(QT_SBOM_VERIFY "Verify generated SBOM documents using python spdx-tools package." ON)
+ option(QT_SBOM_REQUIRE_VERIFY
+ "Error out if SBOM verification dependencies are not found." OFF)
+endfunction()
+
 # Ends repo sbom project generation.
 # Should be called after all relevant targets are added to the sbom.
 # Handles registering sbom info for recorded system libraries and then creates the sbom build
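Review bot: The comment above `_qt_internal_setup_sbom` tells projects to set a `QT_GENERATE_SBOM_DEFAULT` option, but the body only reads the `GENERATE_SBOM_DEFAULT` keyword argument and nothing in this hunk consults a variable of that name. The last comment line would match the code as `# The GENERATE_SBOM_DEFAULT argument can be passed by a project to change the default value.` The same comment says "by default" twice in one sentence, and the `QT_SBOM_REQUIRE_GENERATE_JSON` help string misspells "dependency" as "depdendency". Since JSON generation and verification are skipped silently when spdx-tools is absent, the comment should also say that builds whose SBOM is consumed downstream (release or compliance pipelines) ought to enable `QT_SBOM_REQUIRE_VERIFY` and `QT_SBOM_REQUIRE_GENERATE_JSON`, so that a missing dependency fails the build instead of shipping an unverified document. It is also worth noting there that `option()` applies the default only when `QT_GENERATE_SBOM` is not already in the cache, so changing `GENERATE_SBOM_DEFAULT` has no effect on an existing build directory.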