Introduce two new options for SBOM entity type specification:
- SBOM_ENTITY_TYPE: has the highest priority
- DEFAULT_SBOM_ENTITY_TYPE: Used as a fallback when no explicit type
is given.
Deprecate the old pre-existing TYPE option in favor of either
SBOM_ENTITY_TYPE or DEFAULT_SBOM_ENTITY_TYPE.
The reason is to allow forwarding these option names directly via
functions like qt_internal_add_sbom, or the Creator equivalents,
without having a potential clash with a very generic name like TYPE.
Adjust the code to use the new options inside the various
implementation functions, but keep the old TYPE option for
compatibility in the public facing APIs, to not break existing
callers.
Pick-to: 6.8 6.9 6.10
Task-number: QTBUG-134894
Change-Id: I36cd6c4a5dab19221efacbe32688eab7db4f142f
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>

If a project is configured with an empty CMAKE_BUILD_TYPE, the SBOM
logic would skip adding any of the target files to the SBOM, because
it tried to iterate on the list of available configs.
Make sure to specify a custom "<EMPTY_CONFIG>" config in that case,
so that the loop doesn't become a no-op.
Pick-to: 6.8 6.9 6.10
Task-number: QTBUG-134894
Change-Id: I789a2d4d00375722d5b7257fd02ecf5ab4f0129e
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>

This ensures that both _qt_internal_extend_sbom and
_qt_internal_add_sbom will trigger sbom finalization for targets.
Previously only _qt_internal_add_sbom would run the finalization,
which is counter-intuitive.
One caveat is that we need to ensure we don't run finalization for
system libraries as a result of the change. Finalization of system
libraries is handled in a different pre-existing code path.
We also shouldn't call _qt_internal_extend_sbom for
qt_internal_extend_target if there is no SBOM, otherwise we trigger
SBOM creation for targets like FooModulePrivate, which will trigger an
error later because they don't have a TYPE. This might be revisited
later if it makes sense to generate SBOM entries for such targets.
Pick-to: 6.8 6.9 6.10
Task-number: QTBUG-134894
Change-Id: Ic14653f6baa920da46617061d8701ed9b94df093
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>

Otherwise we generate an invalid package by setting FilesAnalyzed to
false, even though the package has custom files.
Add a check that the parent package SPDX ID is always set when
generating a file entry.
Amends 5180b172d9
Pick-to: 6.8 6.9 6.10
Change-Id: Ia96802c98e2d946b1360b5e32525a3ecf4cd2750
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>

Packages that don't contain files should have the FilesAnalyzed field
set to false, and should not include a PackageVerificationCode.
Previously we always set FilesAnalyzed to true for any package, and
we only provided a PackageVerificationCode for the top-level repo
package which doesn't actually have files.
The decision whether a package has a file is quite involved, because
it is influenced by the presence of either binary files or custom
files.
To reliably detect this without rewriting a lot of the code, we
postpone the value of FilesAnalyzed to the end of the sbom generation
process, where we can check if any files were added to the package.
This is achieved by setting a package-specific variable to either true
or false, with the final value being evaluated by a configure_file.
To correctly handle PackageVerificationCode, we now collect all file
SHA1s per package, rather than per repo, and compute the verification
code for each package. This is done in a similar fashion to the
FilesAnalyzed field, in a multi-step process, with a final replacement
in configure_file.
The root package doesn't get a PackageVerificationCode anymore because
it doesn't have files.
This fixes the warnings reported by the spdx online validator at
https://tools.spdx.org/app/validate/ which uses the java-based
validator from https://github.com/spdx/tools-java/
Pick-to: 6.8 6.9 6.10
Change-Id: I59c4279de6b159a22d6cb36af4b53bc4dea9901b
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>

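To make the FilesAnalyzed / PackageVerificationCode rule from the commit above concrete, here is an added Python example (not Qt's CMake code and not part of the commit): each package is finalized only after all of its files have been attached, the verification code is computed per package with the SPDX 2.x algorithm (sort the files' SHA1 hex strings, concatenate, SHA1 the result), and a small checker flags the two inconsistencies an SPDX validator reports. Package names, SPDX IDs and file contents are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Package:
    """One SPDX package; `files` maps installed relative path -> file content."""
    spdx_id: str
    name: str
    files: dict = field(default_factory=dict)


def file_sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def package_verification_code(file_sha1s) -> str:
    # SPDX 2.x algorithm: sort the files' SHA1 hex strings, concatenate them,
    # and SHA1 the concatenation (the SBOM document itself is always excluded).
    return hashlib.sha1("".join(sorted(file_sha1s)).encode("ascii")).hexdigest()


def finalize_package(pkg: Package) -> dict:
    """Decide FilesAnalyzed only now, after every file has been attached."""
    sha1s = [file_sha1(content) for content in pkg.files.values()]
    fields = {"SPDXID": pkg.spdx_id, "PackageName": pkg.name, "FilesAnalyzed": bool(sha1s)}
    if sha1s:
        # Only a package whose files were analyzed may carry a verification code.
        fields["PackageVerificationCode"] = package_verification_code(sha1s)
    return fields


def check_package(fields: dict) -> list:
    """Return the consistency problems an SPDX validator would flag for these fields."""
    problems = []
    analyzed = fields.get("FilesAnalyzed", True)  # SPDX default is true when omitted
    has_code = "PackageVerificationCode" in fields
    if not analyzed and has_code:
        problems.append("FilesAnalyzed is false but a PackageVerificationCode is present")
    if analyzed and not has_code:
        problems.append("FilesAnalyzed is true but no PackageVerificationCode is given")
    return problems


def render_tag_value(fields: dict) -> str:
    """Render the fields in SPDX tag/value syntax."""
    out = []
    for key, value in fields.items():
        if isinstance(value, bool):
            value = "true" if value else "false"
        out.append(f"{key}: {value}")
    return "\n".join(out)


# Constructed sample: a top-level repo package without files, and a library package with two.
ROOT = Package("SPDXRef-Package-qtbase", "qtbase")
CORE = Package("SPDXRef-Package-qtbase-QtCore", "QtCore",
               files={"lib/libQt6Core.a": b"constructed archive bytes",
                      "include/QtCore/qglobal.h": b"constructed header bytes"})

if __name__ == "__main__":
    for pkg in (ROOT, CORE):
        fields = finalize_package(pkg)
        print(render_tag_value(fields))
        print("problems:", check_package(fields) or "none")
        print()
```

Because the code is order-independent (the SHA1s are sorted before hashing), the verification code is stable regardless of the order in which files were attached to the package, which is what makes it usable as a reproducibility check on the installed tree.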
When building in a non-prefix build, we put synced headers into the
qtbase build dir, aka the prefix dir. In that case these source files
are neither in the source dir nor in the build dir.
Map such paths with the /install_dir marker, to make the paths
reproducible, regardless of the build dir.
Also add a DEBUG message to more easily detect such cases in the
future if needed.
Fixes: QTBUG-136163
Pick-to: 6.8 6.9 6.10
Change-Id: Id0b515d50adc8e8da384fe481641f171517b9150
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>

If a developer configured Qt with
-DQT_GENERATE_SBOM=ON
-DQT_BUILD_TESTS=ON
-DQT_BUILD_TESTS_BY_DEFAULT=OFF
They would get the following error upon installation of qtmultimedia:
CMake Error at
qt_sbom/SPDXRef-PackagedFile-qt-plugin-MockMultimediaPlugin.cmake:5
(message):
Cannot find 'plugins/multimedia/libmockmultimediaplugin.a' to
compute its checksum.
This happens because QT_BUILD_TESTS_BY_DEFAULT == ON sets the
EXCLUDE_FROM_ALL directory property on the tests directory, which
means all plugins created under tests/ subdir are not installed by
default, and the SBOM code could not read the installed files to check
the checksums.
In such a case, set a QT_INTERNAL_TEST_TARGETS_EXCLUDE_FROM_ALL
directory-scoped variable in the tests/ subdir, and use that as a
marker for the sbom code to know it should skip the checksum check.
Pick-to: 6.8 6.9
Fixes: QTBUG-137168
Change-Id: I970c3bc5732cc648549e5099fa1d50b3b39cb26f
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>

It's possible for a project to install a custom file with the same name
into different destination directories, and want to include them in
the SBOM.
Previously this failed at CMake generation time with an error like:
CMake Error: Files to be generated by multiple different commands:
qt_sbom/SPDXRef-PackagedFile-foo-bar.cmake
This happened due to using a non-unique filename for the generated
SBOM building file, as well as the spdx id the file name is based on.
Include a short hash based on the installed relative path of the file
to avoid spdx id clashes, and thus generated file name clashes.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I4c2ecd4652708504ef299af9b6f53d680d542382
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>

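As an added illustration of the clash described above and of the hash-suffixed fix (example code, not Qt's implementation): the naive scheme derives the packaged-file SPDX ID, and therefore the generated file name, from the file's basename alone, so two same-named files installed to different destinations collide; the fixed scheme appends a short hash of the installed relative path. The project name `foo`, the sample paths, the 8-character SHA1 prefix and the exact ID layout are assumptions of this example.

```python
import hashlib
import posixpath
import re

# SPDX identifiers may contain only letters, digits, '.' and '-'.
SPDX_ID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")


def spdx_id_component(text: str) -> str:
    """Map every character SPDX does not allow in an identifier to '-'."""
    return re.sub(r"[^A-Za-z0-9.\-]", "-", text)


def naive_file_spdx_id(project: str, install_rel_path: str) -> str:
    # Pre-fix scheme: the ID depends on the file name only, so same-named files
    # in different install directories produce the same ID (and the same
    # generated SPDXRef-PackagedFile-<...>.cmake file name).
    base = spdx_id_component(posixpath.basename(install_rel_path))
    return f"SPDXRef-PackagedFile-{spdx_id_component(project)}-{base}"


def unique_file_spdx_id(project: str, install_rel_path: str, hash_len: int = 8) -> str:
    # Fixed scheme: append a short hash of the installed relative path.
    # hash_len and the choice of SHA1 are assumptions of this example.
    suffix = hashlib.sha1(install_rel_path.encode("utf-8")).hexdigest()[:hash_len]
    return f"{naive_file_spdx_id(project, install_rel_path)}-{suffix}"


def assign_file_ids(project: str, install_rel_paths, id_func=unique_file_spdx_id) -> dict:
    """Map each installed path to an SPDX ID, refusing to emit two entries with one ID."""
    ids = {}
    for path in install_rel_paths:
        spdx_id = id_func(project, path)
        if not SPDX_ID_RE.match(spdx_id):
            raise ValueError(f"invalid SPDX identifier: {spdx_id}")
        if spdx_id in ids:
            raise ValueError(f"SPDX ID clash: {spdx_id} for {ids[spdx_id]} and {path}")
        ids[spdx_id] = path
    return ids


# Constructed sample: the same custom file name installed into two destinations.
SAMPLE_PATHS = ["lib/foo/bar", "share/foo/bar", "share/foo/bar.txt"]

if __name__ == "__main__":
    try:
        assign_file_ids("foo", SAMPLE_PATHS, id_func=naive_file_spdx_id)
    except ValueError as exc:
        print("naive scheme:", exc)
    for spdx_id, path in assign_file_ids("foo", SAMPLE_PATHS).items():
        print(f"{spdx_id} -> {path}")
```

Hashing the relative install path rather than the absolute one keeps the IDs, and the generated file names derived from them, identical across build and install directories, which matters for reproducible SBOMs.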
Previously one could only pass an explicit list of FILES to
_qt_internal_sbom_add_files. Add a new DIRECTORIES option, which will
glob the given directory paths, and include the found files in the
SBOM.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: Ia27afa93460d9f2e4462a49e30e4d6338300e8f7
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>

It mirrors the Qt-specific QT_THIRD_PARTY_SOURCES one, to be used when
creating an SBOM attribution target that references a 3rd party
library's sources, as opposed to a complete 3rd party library.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I8f7f9f7386ffdc18dd8ae6ee32e39019639f5303
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>

Makes it easier to debug diffs of SBOMs, due to the lower amount of
content in generated files.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: I5a1e8a9868cda199de4a7344b86a12f68fec31bf
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>

The SBOM implementation got somewhat large. Split the code into
several new QtPublicSbomFooHelpers.cmake files, to make it more
manageable.
No code or behavior was changed.
Pick-to: 6.8 6.9
Task-number: QTBUG-122899
Change-Id: Ia0ca1792eec21d12c4bb4cabe63279e1f5c07e3d
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>