The function appends the unique entries to the CMAKE_CONFIGURE_DEPENDS
property. This suppresses the ninja recompat issue, which complains
about the duplicated entries that come from the
CMAKE_CONFIGURE_DEPENDS property. It's likely a CMake issue, but
we may work around it.
Pick-to: 6.8 6.9 6.10
Change-Id: I2f10834b0dca3d2aa08fe13fba69849e97fa77d0
Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
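An added illustration of the deduplicating append described above, not the Qt function itself; the function name, the path normalization and the sample file name are assumptions:

```cmake
# Added example: append files to the directory's CMAKE_CONFIGURE_DEPENDS
# property without creating the duplicate entries that make ninja complain.
# Name and normalization step are assumptions, not Qt's implementation.
function(my_append_unique_configure_depends)
    get_directory_property(existing CMAKE_CONFIGURE_DEPENDS)
    set(to_add "")
    foreach(file IN LISTS ARGN)
        # Normalize to an absolute path (relative to the current source dir),
        # so "foo.json" and "${CMAKE_CURRENT_SOURCE_DIR}/foo.json" are one entry.
        get_filename_component(file "${file}" ABSOLUTE)
        if(NOT file IN_LIST existing AND NOT file IN_LIST to_add)
            list(APPEND to_add "${file}")
        endif()
    endforeach()
    if(to_add)
        set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS ${to_add})
    endif()
endfunction()

# Constructed usage: the same attribution file registered twice, in two
# spellings, ends up in the property exactly once.
my_append_unique_configure_depends("${CMAKE_CURRENT_SOURCE_DIR}/qt_attribution.json")
my_append_unique_configure_depends(qt_attribution.json)
get_directory_property(deps CMAKE_CONFIGURE_DEPENDS)
message(STATUS "CMAKE_CONFIGURE_DEPENDS: ${deps}")
```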
We should only pass PROJECT_COMMENT if it has a value.
We also need to escape semicolons, because the project comment might
contain the qt configure line, and that might have passed arguments
like -qpa offscreen\;xcb
Pick-to: 6.8 6.9
Change-Id: I934cf75c376b3466ba91a433d009e6eaa77a60fa
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Move the setting up of options like QT_GENERATE_SBOM into a separate
function that can be called by projects other than Qt.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I337c4e9b0b3154ff97f494887bf88ee01e8ed00c
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Some attribution entries don't have a SPDX license id specified, in
that case it's good to at least include the free-form license name and
file path.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I75bb5c30645684ea74fe94da92ea30eb29965ad4
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Extract the handling of the license concluded expression for Qt
entities into the Qt specific handling file.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: Ib6f9a64f66dae0c971c43e8fffbc54362487b271
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Nested SBOM attribution targets were always created with the
QT_THIRD_PARTY_SOURCES type even in user projects.
Set an appropriate type depending on whether we are handling a qt
entity type or not.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: Id8144d1b8093de78f2987a611a6de8e6d4777084
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
It mirrors the Qt-specific QT_THIRD_PARTY_SOURCES one, to be used when
creating an SBOM attribution target that references a 3rd party
library's sources, as opposed to a complete 3rd party library.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I8f7f9f7386ffdc18dd8ae6ee32e39019639f5303
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Put the attribution file path and entry first, followed by the id,
and the rest of the fields.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I478a48980e6207646189d6b80ec57dbc9efb4902
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Allow creating nested SBOM attribution targets also for non-Qt targets
in user projects. This will allow using qt_attribution.json files in
user projects.
Rename PARENT_TARGET to ATTRIBUTION_PARENT_TARGET to make it clear
what the parent target is for.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: Ia08ee934a9dc03827fcc26d0fc90e072499e8a21
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Previously one could attach all attributions from a
qt_attribution.json file to a target, or a specific entry based on a
given numeric index.
This is not always practical, as the index of an entry can change, and
including all entries might be too much.
Allow specifying a list of attribution ids to include in the SBOM.
This will parse all the attribution entries and only include those
that match the given ids.
If a list of ids is provided, and any of them is not found, an error
will be shown.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I2ca442fe0cd6d18773861f90f32ab7380aaeacdd
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
So it can be used in other non-Qt projects.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I11d81d2c6819906fffbffe81f4db1b7af28cb99b
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
So it can be read / used in other non-Qt projects. We don't have such
a restriction on other keys read from the qt attribution files.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I225d83b26c68323761a8b13b3e6442057b5f7c7f
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Previously, only 3 purl entries could be added to a target, which was
tightly coupled to Qt's needs: a QT one pointing to code.qt.io,
a MIRROR one pointing to github, and an upstream one pointing to some
upstream third party location.
Rework the implementation to allow for an unlimited number of PURL
entries and to allow more flexibility when adding PURLs in a user
project.
The new syntax for adding PURLs to a target, which is also the basis
for a future public API is as follows:
    qt_internal_add_sbom(<target>
        PURLS
            [[PURL_ENTRY
                PURL_ID <id>
                PURL_TYPE <type>
                PURL_NAMESPACE <namespace>
                PURL_NAME <name>
                PURL_VERSION <version>]...]
        PURL_VALUES
            [purl-string...]
    )
The PURLS keyword is used to specify multiple PURL entries, each
starting with the PURL_ENTRY keyword. The PURL_VALUES keyword is used
to specify a list of pre-built purl strings.
PURL_ID is an optional argument used to identify a specific purl
entry, which is mostly needed for Qt's needs, to post-process them
further.
The rest of the options are pre-existing from the previous
implementation.
Implementation-wise, there's a new custom parser to be able to parse
and validate PURL_ENTRY arguments.
The VERSION option was renamed to PACKAGE_VERSION, to avoid some
issues in cmake_parse_arguments parsing with nested VERSION options.
The NO_PURL option was removed because it makes no sense in the new
implementation, because if you specify some PURL arguments, there is
already an intention to generate a PURL entry.
Qt entities no longer have a restriction on which specific purl ids
they can have.
The new Qt specific purl IDs have been renamed:
- QT -> GENERIC
- MIRROR -> GITHUB
Amends f7e1123620b623be0c321b54eaba7a1d618a7ce1
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I050decece1c6d9e6e0e06547043f864d6f497ea7
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
We should only pass the VERSION option if we have a value to pass.
Fixes warnings like the one below when using CMake 3.31:
    CMake Warning (dev) at cmake/QtPublicSbomAttributionHelpers.cmake:511
    (cmake_parse_arguments):
      The VERSION keyword was followed by an empty string or no value at
      all.
      Policy CMP0174 is not set, so cmake_parse_arguments() will unset the
      arg_VERSION variable rather than setting it to an empty string.
    Call Stack (most recent call first):
      cmake/QtPublicSbomHelpers.cmake:954
      (_qt_internal_sbom_replace_qa_placeholders)
Amends bc3bbb51b7b48d3c4a44a432441938863582242c
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I671a9153d72b21b6aed2112bea45f577a5cee4eb
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
The SBOM functions so far had a lot of Qt-specific logic inside them.
Decouple this logic into separate Qt-specific functions or explicitly
guard the code with Qt-specific handling options, to prepare for a
cleaner SBOM public API.
The generic functions then call the Qt-specific ones if various
internal options are set.
This approach is used, rather than directly passing values to the
generic functions, because:
- we have cases where we need to recursively pass the values all the
way down to all recursively created attribution targets
- some of the logic needs to know about values before and after qt
processing, and this could be achieved with something like lambdas
but it's not worth the complexity
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I4399c41f4d976f20b16a0bb0c674d4f07ee1ccd4
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Add a few internal functions to allow
- getting the sbom project supplier
- project supplier url
- project namespace
- computing a project namespace
- computing a project file name
- getting a sanitized spdx id given a hint
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I0dc3df274eaf6882a6af021aabee75501b5083f8
Reviewed-by: Moss Heim <moss.heim@qt.io>
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Add them to the PackageComment field of the SBOM.
Can be useful to map back the SPDX Package to the CMake target or
package.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: Icbbb90132038c489b55c4ee7a038aea593ce1ff6
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Replaces content like timestamps, version strings and checksums with
constant values to make the SBOM generation deterministic.
This is useful for reproducible builds, to allow cleaner inter-diffs
while developing new SBOM features.
Can be enabled by configuring with
-DQT_SBOM_FAKE_DETERMINISTIC_BUILD=ON
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: Id0003bdd23fe57abd70213a2a108885861693242
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Initially the git vars were assigned to the parent scope of the
_qt_internal_sbom_begin_project function, with the intent to set them
in the global scope. But the function was later wrapped in other
functions, so the variables stopped being accessible.
Instead of playing with recursive PARENT_SCOPEs, save the variables in
global properties like we do for other info, and use a new
_qt_internal_sbom_get_git_version_vars() function to query the vars in
the code that needs them.
This fixes generated purls to contain the git version and hashes.
Also add a new internal API wrapper macro called
qt_internal_sbom_get_git_version_vars to allow calling it
in other repos.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I061b34f418c1ecc1c66c8c01ef758d2f40611ede
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
The SBOM implementation got somewhat large. Split the code into
several new QtPublicSbomFooHelpers.cmake files, to make it more
manageable.
No code or behavior was changed.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: Ia0ca1792eec21d12c4bb4cabe63279e1f5c07e3d
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
The correct syntax is IN LISTS, not IN_LIST.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: Ibf64e48ffcf0b061887b7b015096d588b14bce57
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
There was a typo in the link_libraries variable name, where an upper
case 'L' was used instead of a lower case 'l'.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I206a161107cf7510856ad8740dada88e12341e94
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Replace instances of $<VERSION> in CPE and PURL strings read from
qt_attribution.json files with the version of the package being
processed.
This avoids duplicating the version in qt_attribution.json files in 3
different fields Version, CPE, and PURL.
Pick-to: 6.8 6.9
Task-number: QTBUG-132181
Change-Id: I91af17c82dbb936739f4811bf86043e00ee49a78
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Add a new qt_internal_sbom_generate_tag_value_spdx_document function
that takes an input SPDX JSON file and generates a tag/value SPDX
file. This is needed by WebEngine to convert the Chromium JSON file to
a tag/value SPDX file so we can reference it as an external document.
To ensure the external document is found, we now always add the
current sbom build directories as install prefixes. This was
previously done only for top-level builds.
To ensure the converted external document is referenced only after it
is converted, it needs to be converted before any targets mention
packages from within it.
A sample usage might be:
    qt_internal_sbom_generate_tag_value_spdx_document(
        OPERATION_ID qt5compat
        INPUT_JSON_FILE_PATH "${external_sbom_file_path}"
        OUT_VAR_OUTPUT_FILE_NAME external_output_file_name
        OUT_VAR_OUTPUT_ABSOLUTE_FILE_PATH external_output_file_path
    )
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Task-number: QTBUG-129901
Task-number: QTBUG-131377
Change-Id: I5d5397f788c8c7960b6fc233c2868244e5816e0b
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Add a new SBOM_RELATIONSHIPS option to qt_internal_extend_target and
friends that allows adding custom relationships to the current target.
Add a new function qt_internal_sbom_add_project_relationship that
allows adding custom relationships to the current project SBOM
document.
A sample usage might be:
    qt_internal_sbom_get_project_spdx_id(project_spdx_id)
    qt_internal_sbom_get_target_spdx_id(Svg svg_spdx_id)
    qt_internal_extend_target(Svg
        SBOM_RELATIONSHIPS
            "${svg_spdx_id} DESCENDANT_OF ${project_spdx_id}"
    )
    qt_internal_sbom_add_project_relationship(
        RELATIONSHIPS
            "${svg_spdx_id} CONTAINS NOASSERTION"
            "${svg_spdx_id} DESCRIBES NOASSERTION"
            "${project_spdx_id} DESCRIBES NOASSERTION"
    )
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Task-number: QTBUG-129901
Task-number: QTBUG-131377
Change-Id: Ie0119ca71b047c7515e1deaf84a5a67ea01b5274
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
This change modifies the existing implementation of the
external references API to have better named options and better
behavior.
It also adds comments and exposes an internal API wrapper around the
existing implementation.
It's meant to be used by qtwebengine to reference the
Chromium-generated SBOM.
As a drive-by, it removes the previously unused RENAME option.
A sample usage could be:
    qt_internal_sbom_get_external_document_ref_spdx_id(
        "qt5compat" document_ref_spdx_id)
    qt_internal_sbom_add_external_reference(
        EXTERNAL_DOCUMENT_FILE_PATH "/path/to/qt5compat-6.8.1.spdx.json"
        EXTERNAL_DOCUMENT_SPDX_ID "${document_ref_spdx_id}"
    )
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Task-number: QTBUG-129901
Task-number: QTBUG-131377
Change-Id: I13d0fe4d803449bec42f8b454c8131e4d727669a
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Reviewed-by: Moss Heim <moss.heim@qt.io>
This change introduces a new SBOM API to add info about various kinds
of files to a target SBOM package. The new function name is called
qt_internal_sbom_add_files().
The motivating case is including SBOM information for qt translation
files, resources (e.g. webengine data files) and any other kind of
custom files.
A sample call might look like:
    qt_internal_sbom_add_files(Translations
        FILES "${qm_files}"
        SOURCE_FILES_ONE_PER_INPUT_FILE "${ts_files}"
        FILE_TYPE "QT_TRANSLATION"
        INSTALL_PATH "${INSTALL_TRANSLATIONSDIR}"
    )
While the motivating case is Qt-specific, the function implementation
is being somewhat future proofed for the not-yet created public SBOM
API.
The new API supports adding files to any target that is backed by an
SBOM package, so all targets created by qt_internal_add_module()
and friends, as well as ones created by qt_internal_add_sbom().
It can be called multiple times for the same target, with a different
set of files, to e.g. assign a different license, or file type per
file set. Note that the file set doesn't have anything to do with
CMake's concept of file sets.
The function is also multi-config aware, and allows specifying
different install paths per config, as well as generator expressions
in file names. But the multi-config support is a bit wonky, and might
need some rethinking in the future.
Note that the custom files must be installed and available in the
specified qt install path, because the file contents will be
checksummed at install time and embedded into the sbom document.
Calling the new API does not do installation itself.
Implementation wise, the function call flow is
- project calls qt_internal_sbom_add_files() one or more times
- at finalization time, the _qt_internal_sbom_add_target finalizer is
called for a target, which then calls
_qt_internal_sbom_handle_target_custom_files()
- the latter calls _qt_internal_sbom_handle_target_custom_file_set()
for each file set that was added to the target
- the latter calls _qt_internal_sbom_handle_multi_config_custom_file()
for each input file in the file set, which ultimately calls
_qt_internal_sbom_add_custom_file()
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Task-number: QTBUG-128320
Change-Id: Iafde26ebd68f4168b49e55fbc8ad1c251e98d4b0
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Previously Python and other sbom tooling was looked up at SBOM
project end time.
This was fine for the use cases we had so far, but it prevents
introducing new API that wants to call the spdx tools before the end of
the project. Such API will be introduced in a follow up change.
Move the python interpreter, python dependency lookup and other sbom
tooling setup to happen at project begin time.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Task-number: QTBUG-129901
Task-number: QTBUG-131377
Change-Id: Ic8884e378c0ffd9720ede26b0c61f4122f3bb9d9
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Certain repositories like qtwebengine contain multiple projects from
the perspective of online installer packaging. In this case the
QtWebEngine and QtPdf projects are expected to have separate SBOM
documents.
Introduce a new QT_SKIP_SBOM_AUTO_PROJECT variable that can be set
before qt_build_repo to disable the auto-generation of an SBOM
document for the current repo project.
Introduce two new internal functions
qt_internal_sbom_begin/end_qt_repo_project to allow manually starting
and ending the SBOM generation for a project within a repo.
Because the intermediate file names that assemble the SBOM use the
project name as a key, and the project name would be the same for
qtwebengine, allow differentiating between the current project name
and the real qt repo project name.
The current project name is used for the file names, whereas the
real qt repo project name is used to extract the dependencies on
other repos, to ensure correct dependency build rules.
As a drive-by, improve the document dir path search list when an SBOM
document can't be found.
Pick-to: 6.8
Task-number: QTBUG-128893
Task-number: QTBUG-122899
Change-Id: I61b68098242e7c49b98420265c29af78303c3233
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Before this change, the SBOM generation only considered the
CMAKE_INSTALL_PREFIX set at configure time for the purposes of file
checksum computation, external document lookup, and SBOM file
installation.
When cmake --install . --prefix <path> is used, the install time
CMAKE_INSTALL_PREFIX variable is overridden with the provided path,
and can be different from the configure time value.
This path was applied to the installation of regular files, libraries,
etc, but not to the SBOM generation. This caused issues like not being
able to find a library to compute its checksum.
Instead of hard-coding the value to QT_STAGING_PREFIX, just don't pass
a value at all, and rely on the new default of using an
install-time-evaluated \${CMAKE_INSTALL_PREFIX}.
Keep the ability of specifying a custom prefix just in case.
Modify all the code that used a hard-coded CMAKE_INSTALL_PREFIX to use
an install-time-evaluated one instead.
As a drive-by, also set a proper default value for the INSTALL_SBOM_DIR
option.
Pick-to: 6.8
Fixes: QTBUG-131883
Change-Id: Ifde6ab282ac40f10c5bf51976121065c7dc631eb
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
The standalone build of the sqldrivers plugin never called the SBOM
project begin and end functions.
This caused an error in qt_internal_add_plugin which tried to read the
SBOM project name.
Replace the calls to qt_prepare_standalone_project and
qt_print_feature_summary with qt_build_repo_begin and
qt_build_repo_end.
This ensures the SBOM project is set up, as well as many other
behaviors that a standalone internal build of a module is expected to
have.
Additionally we need to tell the SBOM project where to find the
licenses for the standalone build. This is done by setting the new
QT_SBOM_LICENSE_DIRS variable to the qtbase license directory.
Pick-to: 6.8
Fixes: QTBUG-131799
Change-Id: I2e31ecffdff28561d1c4a6b8fbcd8125188d2c48
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Use string(FIND) instead of if(MATCH) since paths containing special
regex symbols like "+" can either cause an invalid MATCH result or it
can lead to regex compilation errors like
    RegularExpression::compile(): Nested *?+.
    RegularExpression::compile(): Error in compile.
Amends 6e7f871edfd35174b40c7eb7386282bfe019f276
Pick-to: 6.8
Fixes: QTBUG-131782
Task-number: QTBUG-122899
Task-number: QTBUG-130557
Change-Id: I59a2c3e4fe2431303c7cbca8fd54360f254da90f
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
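An added example of the prefix check described in the commit above, written here for illustration and not taken from Qt's sources; the function name and the build directory path are constructed:

```cmake
# Added example: test whether `path` starts with `prefix` using string(FIND),
# which compares plain text, instead of a regex match. The function name and
# the sample paths are assumptions, not Qt's code.
function(my_path_starts_with out_var path prefix)
    string(FIND "${path}" "${prefix}" position)
    if(position EQUAL 0)
        set(${out_var} TRUE PARENT_SCOPE)
    else()
        set(${out_var} FALSE PARENT_SCOPE)
    endif()
endfunction()

# Constructed build directory containing regex metacharacters.
set(build_dir "/home/dev/qt-build++/qtbase")
set(lib_path "${build_dir}/lib/libQt6Core.so")
set(other_path "/opt/qt/lib/libQt6Core.so")

# The regex form fails here, because "++" in the pattern is a nested
# quantifier and the regex does not compile:
#   if("${lib_path}" MATCHES "^${build_dir}")

my_path_starts_with(in_build_dir "${lib_path}" "${build_dir}")
my_path_starts_with(other_in_build_dir "${other_path}" "${build_dir}")
message(STATUS "${lib_path} under build dir: ${in_build_dir}")
message(STATUS "${other_path} under build dir: ${other_in_build_dir}")
```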
Filter out source files that are not actually sources, like pkg config
files and json.gen files.
To make the output more reproducible, replace the absolute source and
build directories with relative paths prepended with a marker like
/src_dir/ and /build_dir/.
Apply this to source file paths and to qt attribution json file paths.
Genex wrapped sources still need to be handled, but that will come in
a later change.
Amends 37a5e001277db9e1392a242171ab2b88cb6c3049
Pick-to: 6.8
Task-number: QTBUG-122899
Task-number: QTBUG-130557
Change-Id: Ic38cd9df827c1da770c1f337bc4725748bed5560
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
When Qt is configured using the configure script, rather than directly
via CMake, we can obtain the full list of configure arguments passed
from the config.opt file.
Add the configure line to the repo project SBOM package comment field
when it is available.
Pick-to: 6.8
Task-number: QTBUG-122899
Change-Id: I0c5554dcda2f71ec4ba034b14c82a99757dc790c
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Previously SBOM generation was opt-in.
This patch changes the generation of the plain-text tag:value SBOM
to be enabled by default, except for:
- developer builds
- no-prefix builds
- standalone tests or examples
- cmake build tests
The JSON SBOM generation and the verification steps have also been
changed to be enabled by default, but only if the Python dependencies
can be found. If the dependencies are not found, the build will
skip the generation and verification steps.
Four new configure options have been added to control these aspects:
- -(no-)sbom-json: Allows explicitly enabling or disabling JSON SBOM generation
- -(no-)sbom-json-required: Fails the build if JSON SBOM generation Python dependencies are not found
- -(no-)sbom-verify: Allows explicitly enabling or disabling SBOM verification
- -(no-)sbom-verify-required: Fails the build if SBOM verification Python dependencies are not found
There are corresponding CMake variables for each of the configure
options, see the cmake mapping document.
[ChangeLog][Build Systems] SBOM generation is now enabled by default,
when building Qt, except for developer builds and no-prefix builds.
JSON SBOM generation is enabled by default if the required Python
dependencies are available.
Pick-to: 6.8
Task-number: QTBUG-122899
Change-Id: I6dbe1869f8342154a89ff2ab84ac53c9ef1b2eb7
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
This will allow us to run only the first, but not the second, if the
second won't have its dependencies met.
Pick-to: 6.8
Task-number: QTBUG-122899
Change-Id: I141b4bd3b76a71495c760a118bdf1397ee7e16b5
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Otherwise the spdx id recording function might fail when trying to
retrieve the spdx id from the non-existent target.
Pick-to: 6.8
Task-number: QTBUG-122899
Change-Id: I1f6b3d7bc88ff4aa28de1468cd86152747cc3bdb
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Otherwise the SBOM is not regenerated if the attribution files are
modified.
Pick-to: 6.8
Task-number: QTBUG-122899
Change-Id: I5b3f62e254aa70021ed06fac73f881bcbb110c31
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Some vendored 3rd party sources or libraries may not have a CPE
because the upstream disappeared, we don't know where the files
originally came from, or no CPE was ever issued.
Given that the 3rd party files are shipped with Qt, they can
be considered as part of the "Qt" CPE for vulnerability tracking
reasons.
In such cases, we should add the Qt-specific CPE to the SBOM to ensure
that the SBOM is as complete as possible when tooling analyzes the
third party packages.
Pick-to: 6.8
Task-number: QTBUG-122899
Change-Id: I32a70e24742a860198f3a6b12bdb4a06057f1ab3
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Qt attribution json files might want to specify more than one PURL or
CPE for a given entry. Change the build system code to detect whether
a JSON PURL or CPE key contains an array of values, and if so, convert
it to a cmake list and use that for further SBOM handling.
As a result, the PURL_QT_VALUE, PURL_3RDPARTY_UPSTREAM_VALUE, and
PURL_MIRROR_VALUE options get an 'S' at the end, aka they are renamed to
PURL_QT_VALUES, PURL_3RDPARTY_UPSTREAM_VALUES, and PURL_MIRROR_VALUES.
Also the attribution key is now called just PURL instead of
UpstreamPURL.
The CPE json attribution key and option name stay the same.
Amends 47fd38be4bce0958fcfce8080d1580c4e3c2a15b
Amends 95b7fe49900904d19fca21876c84f97c2a6ae03d
Amends f7e1123620b623be0c321b54eaba7a1d618a7ce1
Pick-to: 6.8
Task-number: QTBUG-122899
Change-Id: Ieec919901c3b44df80bc196536f68632a9761d92
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Instead, the package name should be determined by the sub-attribution
target name. Otherwise the build system will try to generate multiple
files with the same name, but different content.
Amends 5daabb5a74c4e7c5d087da7f9207d79d2ee05b13
Pick-to: 6.8
Task-number: QTBUG-122899
Change-Id: I10b4ec2fe8f38d70d13918dc980d1bd1d9145cb6
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
A project's root qt_attribution.json file might be picked up by the
build system when recording system libraries for SBOM processing.
One such case is qtgrpc.
This caused generation errors in qtgrpc with the following message:
CMake Error: Files to be generated by multiple different commands:
qt_sbom/SPDXRef-Package-qtgrpc-qt-3rdparty-sources-WrapProtobuf.cmake
This started happening since the SBOM options are now implicitly
propagated to auto-created attribution targets, and each attribution
target attempted to generate to the same partial sbom file.
Any qt attribution file in the project root is not intended to be
used for system libraries, so explicitly disable using the
root attribution file for all system libraries.
As a more long-term fix, we should consider making the partial sbom
files more unique.
Amends 5daabb5a74c4e7c5d087da7f9207d79d2ee05b13
Pick-to: 6.8
Task-number: QTBUG-122899
Change-Id: I67544c299e630597f26602d270cd1dfd54cccfb6
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Also split up the CPE handling to allow for more values to be set,
rather than preferring the first one that is encountered.
Pick-to: 6.8
Task-number: QTBUG-122899
Change-Id: I3209cb5d66f5483c7294b40816431d9df75e00e5
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>