From e9a95ae4b88cc43657ba89e68fec84d11815fd5a Mon Sep 17 00:00:00 2001
From: Alexandru Croitor
Date: Thu, 29 Aug 2024 18:12:58 +0200
Subject: [PATCH] CMake: Add the Qt-specific CPE to 3rd party entity types in SBOM
Some vendored 3rd party sources or libraries may not have a CPE because the upstream disappeared, we don't know where the files originally originated from, or no CPE was ever issued. Given that the 3rd party files are shipped with Qt, they can be considered as part of the "Qt" CPE for vulnerability tracking reasons. In such cases, we should add the Qt-specific CPE to the SBOM to ensure that the SBOM is as complete as possible when tooling analyzes the third party packages.
Task-number: QTBUG-122899
Change-Id: I32a70e24742a860198f3a6b12bdb4a06057f1ab3
Reviewed-by: Alexey Edelev
(cherry picked from commit 3cadd4b1f62479cce88c99cd8c95729ac10a6126)
Reviewed-by: Qt Cherry-pick Bot
---
 cmake/QtPublicSbomHelpers.cmake | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/cmake/QtPublicSbomHelpers.cmake b/cmake/QtPublicSbomHelpers.cmake
index a66eb7e56e2..99faea2149a 100644
--- a/cmake/QtPublicSbomHelpers.cmake
+++ b/cmake/QtPublicSbomHelpers.cmake
@@ -669,22 +669,33 @@ function(_qt_internal_sbom_add_target target)
 _qt_internal_sbom_get_package_purpose("${arg_TYPE}" package_purpose)
 list(APPEND project_package_options PURPOSE "${package_purpose}")
+ set(cpe_args "")
+
 if(arg_CPE)
- list(APPEND project_package_options CPE "${arg_CPE}")
+ list(APPEND cpe_args CPE "${arg_CPE}")
 endif()
+
 if(arg_CPE_VENDOR AND arg_CPE_PRODUCT)
 _qt_internal_sbom_compute_security_cpe(custom_cpe VENDOR "${arg_CPE_VENDOR}" PRODUCT "${arg_CPE_PRODUCT}" VERSION "${package_version}")
- list(APPEND project_package_options CPE "${custom_cpe}")
+ list(APPEND cpe_args CPE "${custom_cpe}")
 endif()
+
 if(qa_cpes)
- list(APPEND project_package_options CPE "${qa_cpes}")
+ list(APPEND cpe_args CPE "${qa_cpes}")
 endif()
- if(is_qt_entity_type)
+
+ # Add the qt-specific CPE if the target is a Qt entity type, or if it's a 3rd party entity type
+ # without any CPE specified.
+ if(is_qt_entity_type OR (is_qt_3rd_party_entity_type AND NOT cpe_args))
 _qt_internal_sbom_compute_security_cpe_for_qt(cpe_list)
- list(APPEND project_package_options CPE "${cpe_list}")
+ list(APPEND cpe_args CPE "${cpe_list}")
+ endif()
+
+ if(cpe_args)
+ list(APPEND project_package_options ${cpe_args})
 endif()
 # Assemble arguments to forward to the function that handles purl options.
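Review bot: The new fallback `if(is_qt_entity_type OR (is_qt_3rd_party_entity_type AND NOT cpe_args))` also fires when a caller supplied only one of CPE_VENDOR/CPE_PRODUCT, because the existing `if(arg_CPE_VENDOR AND arg_CPE_PRODUCT)` guard silently skips a half-specified pair and leaves cpe_args empty, so a misconfigured 3rd party entry is now tagged with the Qt CPE instead of shipping without one and the mistake no longer shows up in the SBOM. I would reject that case before the fallback can apply, e.g. `elseif(arg_CPE_VENDOR OR arg_CPE_PRODUCT)` followed by `message(FATAL_ERROR "CPE_VENDOR and CPE_PRODUCT must be specified together for target ${target}")` inside that same if/endif. Because the fallback decides which CPE vulnerability tooling will match the component against, it is also worth making the substitution visible at configure time, e.g. `message(VERBOSE "No CPE given for 3rd party target ${target}, using the Qt CPE")` in the new branch when is_qt_entity_type is false, so a deliberate Qt CPE can be told apart from a fallback one. _qt_internal_sbom_add_target starts and ends outside the hunk, and is_qt_3rd_party_entity_type is presumably set earlier in the function.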