CMake: Support cmake --install . --prefix <path> for SBOM generation

Before this change, the SBOM generation only considered the CMAKE_INSTALL_PREFIX set at configure time for the purposes of file checksum computation, external document lookup, and SBOM file installation. When cmake --install . --prefix <path> is used, the install time CMAKE_INSTALL_PREFIX variable is overridden with the provided path, and can be different from the configure time value. This path was applied to the installation of regular files, libraries, etc, but not to the SBOM generation. This caused issues like not being able to find a library to compute its checksum. Instead of hard-coding the value to QT_STAGING_PREFIX, just don't pass a value at all, and rely on the new default of using an install-time-evaluated \${CMAKE_INSTALL_PREFIX}. Keep the ability of specifying a custom prefix just in case. Modify all the code that used a hard-coded CMAKE_INSTALL_PREFIX to use a install-time-evaluated one instead. As a drive-by, also set a proper default value for the INSTALL_SBOM_DIR option. Pick-to: 6.8 Fixes: QTBUG-131883 Change-Id: Ifde6ab282ac40f10c5bf51976121065c7dc631eb Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
2024-12-04 17:49:59 +01:00 · 2024-12-04 17:49:59 +01:00 · ffef516884
commit ffef516884
parent 3a8a8b4290
3 changed files with 40 additions and 6 deletions
--- a/cmake/QtBuildRepoHelpers.cmake
+++ b/cmake/QtBuildRepoHelpers.cmake
@ -353,7 +353,6 @@ macro(qt_build_repo_begin)
    endif()

    _qt_internal_sbom_begin_project(
-        INSTALL_PREFIX "${QT_STAGING_PREFIX}"
        INSTALL_SBOM_DIR "${INSTALL_SBOMDIR}"
        QT_CPE
    )
--- a/cmake/QtPublicSbomGenerationHelpers.cmake
+++ b/cmake/QtPublicSbomGenerationHelpers.cmake
@ -65,7 +65,7 @@ function(_qt_internal_sbom_begin_project_generate)
    set(default_sbom_file_name
        "${arg_PROJECT}/${arg_PROJECT}-sbom-${QT_SBOM_GIT_VERSION_PATH}.spdx")
    set(default_install_sbom_path
-        "${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATAROOTDIR}/${default_sbom_file_name}")
+        "\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_DATAROOTDIR}/${default_sbom_file_name}")

    qt_internal_sbom_set_default_option_value(OUTPUT "${default_install_sbom_path}")
    qt_internal_sbom_set_default_option_value(OUTPUT_RELATIVE_PATH
@ -636,7 +636,9 @@ FileCopyrightText: NOASSERTION"
    if(arg_INSTALL_PREFIX)
        set(install_prefix "${arg_INSTALL_PREFIX}")
    else()
-        set(install_prefix "${CMAKE_INSTALL_PREFIX}")
+        # The variable is escaped, so it is evaluated during cmake install time, so that the value
+        # can be overridden with cmake --install . --prefix <path>.
+        set(install_prefix "\${CMAKE_INSTALL_PREFIX}")
    endif()

    set(content "
@ -728,18 +730,28 @@ function(_qt_internal_sbom_generate_add_external_reference)
    _qt_internal_get_staging_area_spdx_file_path(staging_area_spdx_file)

    set(install_prefixes "")
+
+    # Always append the install time install prefix.
+    # The variable is escaped, so it is evaluated during cmake install time, so that the value
+    # can be overridden with cmake --install . --prefix <path>.
+    list(APPEND install_prefixes "\${CMAKE_INSTALL_PREFIX}")
+
    if(arg_INSTALL_PREFIXES)
        list(APPEND install_prefixes ${arg_INSTALL_PREFIXES})
    endif()
+
    if(QT6_INSTALL_PREFIX)
        list(APPEND install_prefixes ${QT6_INSTALL_PREFIX})
    endif()
+
    if(QT_ADDITIONAL_PACKAGES_PREFIX_PATH)
        list(APPEND install_prefixes ${QT_ADDITIONAL_PACKAGES_PREFIX_PATH})
    endif()
+
    if(QT_ADDITIONAL_SBOM_DOCUMENT_PATHS)
        list(APPEND install_prefixes ${QT_ADDITIONAL_SBOM_DOCUMENT_PATHS})
    endif()
+
    list(REMOVE_DUPLICATES install_prefixes)

    set(relationship_content "")
--- a/cmake/QtPublicSbomHelpers.cmake
+++ b/cmake/QtPublicSbomHelpers.cmake
@ -4,9 +4,16 @@
 # Starts repo sbom generation.
 # Should be called before any targets are added to the sbom.
 #
-# INSTALL_PREFIX should be passed a value like CMAKE_INSTALL_PREFIX or QT_STAGING_PREFIX
+# INSTALL_PREFIX should be passed a value like CMAKE_INSTALL_PREFIX or QT_STAGING_PREFIX.
+# The default value is \${CMAKE_INSTALL_PREFIX}, which is evaluated at install time, not configure
+# time.
+# This default value is the /preferred/ value, to ensure using cmake --install . --prefix <path>
+# works correctly for lookup of installed files during SBOM generation.
+#
 # INSTALL_SBOM_DIR should be passed a value like CMAKE_INSTALL_DATAROOTDIR or
-#   Qt's INSTALL_SBOMDIR
+#   Qt's INSTALL_SBOMDIR.
+# The default value is "sbom".
+#
 # SUPPLIER, SUPPLIER_URL, DOCUMENT_NAMESPACE, COPYRIGHTS are self-explanatory.
 function(_qt_internal_sbom_begin_project)
    # Allow opt out via an internal variable. Will be used in CI for repos like qtqa.
@ -123,12 +130,28 @@ function(_qt_internal_sbom_begin_project)
        set(version_suffix "")
    endif()

+    if(arg_INSTALL_SBOM_DIR)
+        set(install_sbom_dir "${arg_INSTALL_SBOM_DIR}")
+    elseif(INSTALL_SBOMDIR)
+        set(install_sbom_dir "${INSTALL_SBOMDIR}")
+    else()
+        set(install_sbom_dir "sbom")
+    endif()
+
+    if(arg_INSTALL_PREFIX)
+        set(install_prefix "${arg_INSTALL_PREFIX}")
+    else()
+        # The variable is escaped, so it is evaluated during cmake install time, so that the value
+        # can be overridden with cmake --install . --prefix <path>.
+        set(install_prefix "\${CMAKE_INSTALL_PREFIX}")
+    endif()
+
    set(repo_spdx_relative_install_path
        "${arg_INSTALL_SBOM_DIR}/${repo_project_name_lowercase}${version_suffix}.spdx")

    # Prepend DESTDIR, to allow relocating installed sbom. Needed for CI.
    set(repo_spdx_install_path
-        "\$ENV{DESTDIR}${arg_INSTALL_PREFIX}/${repo_spdx_relative_install_path}")
+        "\$ENV{DESTDIR}${install_prefix}/${repo_spdx_relative_install_path}")

    if(arg_LICENSE_EXPRESSION)
        set(repo_license "${arg_LICENSE_EXPRESSION}")