CMake: Don't use root attribution file for system libraries

A project's root qt_attribution.json file might be picked up by the
build system when recording system libraries for SBOM processing.
One such case is qtgrpc.

This caused generation errors in qtgrpc with the following message:

CMake Error: Files to be generated by multiple different commands:
 qt_sbom/SPDXRef-Package-qtgrpc-qt-3rdparty-sources-WrapProtobuf.cmake

This started happening since the SBOM options are now implicitly
propagated to auto-created attribution targets, and each attribution
target attempted to generate to the same partial sbom file.

Any qt attribution file in the project root is not intended to be
used for system libraries, so explicitly disable using the
root attribution file for all system libraries.

As a more long-term fix, we should consider making the partial sbom
files be more unique.

Amends 5daabb5a74c4e7c5d087da7f9207d79d2ee05b13

Task-number: QTBUG-122899
Change-Id: I67544c299e630597f26602d270cd1dfd54cccfb6
Reviewed-by:  Alexey Edelev <alexey.edelev@qt.io>
(cherry picked from commit 55b399fdcd12bdfc645d4ec7d25b3c881d11a09a)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
This commit is contained in:
Alexandru Croitor 2024-08-19 17:04:13 +02:00 committed by Qt Cherry-pick Bot
parent c90a8a8c35
commit fecea19254

View File

@ -1654,6 +1654,12 @@ function(_qt_internal_sbom_add_recorded_system_libraries)
continue() continue()
endif() endif()
# Automatic system library sbom recording happens at project root source dir scope, which
# means it might accidentally pick up a qt_attribution.json file from the project root,
# that is not intended to be use for system libraries.
# For now, explicitly disable using the root attribution file.
list(APPEND args NO_CURRENT_DIR_ATTRIBUTION)
list(APPEND generated_package_names "${package_name}") list(APPEND generated_package_names "${package_name}")
set(sbom_generated_${package_name} TRUE) set(sbom_generated_${package_name} TRUE)