CMake: Add the Qt-specific CPE to 3rd party entity types in SBOM

Some vendored 3rd party sources or libraries may not have a CPE
because the upstream project disappeared, we no longer know where the
files originally came from, or no CPE was ever issued for them.

Given that the 3rd party files are shipped with Qt, they can
be considered as part of the "Qt" CPE for vulnerability tracking
reasons.

In such cases, we should add the Qt-specific CPE to the SBOM to ensure
that the SBOM is as complete as possible when tooling analyzes the
third party packages.

Task-number: QTBUG-122899
Change-Id: I32a70e24742a860198f3a6b12bdb4a06057f1ab3
Reviewed-by:  Alexey Edelev <alexey.edelev@qt.io>
(cherry picked from commit 3cadd4b1f62479cce88c99cd8c95729ac10a6126)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
Alexandru Croitor 2024-08-29 18:12:58 +02:00 committed by Qt Cherry-pick Bot
parent efc3a9972d
commit e9a95ae4b8


@ -669,22 +669,33 @@ function(_qt_internal_sbom_add_target target)
_qt_internal_sbom_get_package_purpose("${arg_TYPE}" package_purpose)
list(APPEND project_package_options PURPOSE "${package_purpose}")
set(cpe_args "")
if(arg_CPE)
list(APPEND project_package_options CPE "${arg_CPE}")
list(APPEND cpe_args CPE "${arg_CPE}")
endif()
if(arg_CPE_VENDOR AND arg_CPE_PRODUCT)
_qt_internal_sbom_compute_security_cpe(custom_cpe
VENDOR "${arg_CPE_VENDOR}"
PRODUCT "${arg_CPE_PRODUCT}"
VERSION "${package_version}")
list(APPEND project_package_options CPE "${custom_cpe}")
list(APPEND cpe_args CPE "${custom_cpe}")
endif()
if(qa_cpes)
list(APPEND project_package_options CPE "${qa_cpes}")
list(APPEND cpe_args CPE "${qa_cpes}")
endif()
if(is_qt_entity_type)
# Add the qt-specific CPE if the target is a Qt entity type, or if it's a 3rd party entity type
# without any CPE specified.
if(is_qt_entity_type OR (is_qt_3rd_party_entity_type AND NOT cpe_args))
_qt_internal_sbom_compute_security_cpe_for_qt(cpe_list)
list(APPEND project_package_options CPE "${cpe_list}")
list(APPEND cpe_args CPE "${cpe_list}")
endif()
if(cpe_args)
list(APPEND project_package_options ${cpe_args})
endif()
# Assemble arguments to forward to the function that handles purl options.