Doc: Add Software Bill of Materials (SBOM) overview

Overview of how Qt uses SBOM files. Basic information for people looking for SBOM files and links to the relevant specifications within QUIP and SPDX. Add links in relevant pages. Fixes: QTBUG-129370 Pick-to: 6.8 Change-Id: I2cc501bdb9c338e52131e9c782d7c9dd9a44af22 Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io>
2024-09-26 18:00:43 +02:00 · 2024-09-26 18:00:43 +02:00 · 4959dd4831
parent a9ac82bffd
commit 4959dd4831
3 changed files with 194 additions and 0 deletions
--- a/doc/src/legal/licenses.qdoc
+++ b/doc/src/legal/licenses.qdoc
@ -84,6 +84,18 @@
    \list
        \li \l {Third-Party Code Used in Qt}
    \endlist
+
+    \section1 Software Bill of Materials (SBOM)
+
+    Starting from Qt 6.8, Software Bill of Materials (SBOM) documents of
+    third-party components in Qt are available. Information such as copyrights,
+    licenses, versions, source repositories, and other relevant information are
+    declared in SPDX 2.3 format.
+
+    \list
+        \li \l {Software Bill of Materials}
+    \endlist
+
 */

 /*!
@ -112,6 +124,12 @@
    parts that are of a different origin (so-called
    4th-party or Nth-party code), these are listed, too.

+    Starting from Qt 6.8, Software Bill of Materials (SBOM) documents of
+    third-party components in Qt are available. Information such as copyrights,
+    licenses, versions, source repositories, and other relevant information are
+    declared in SPDX 2.3 format. For more information, visit the
+    \l {Software Bill of Materials} page.
+
    \div {class="fixed"}
    \generatelist annotatedattributions

--- a/doc/src/legal/sbom-overview.qdoc
+++ b/doc/src/legal/sbom-overview.qdoc
@ -0,0 +1,175 @@
+// Copyright (C) 2024 The Qt Company Ltd.
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GFDL-1.3-no-invariants-only
+
+/*!
+\page sbom.html
+\title Software Bill of Materials
+\brief Qt package information in SPDX format
+\ingroup licensing
+
+A Software Bill of Materials (SBOM) document is a declaration of installed
+files, copyrights, licenses, versions, source repositories, and other relevant
+information about a Qt installation. The SBOM documents facilitate supply chain
+management by sharing component information to Qt users and other interested
+parties. Qt's SBOM documents are especially useful for license compliance and
+security vulnerability management.
+
+Starting from Qt 6.8, Qt's build system can generate SBOM documents tailored
+for different platforms and build configurations.
+The \l{Using Qt Online Installer}{Qt Online Installer} places the SBOM
+documents in an \c{sbom} directory located in the installation directory of the
+respective Qt version.
+For example, for the Qt \QtVersion Android arm64-v8a installation, the SBOM
+documents are at:
+\badcode \QtVersion
+<INSTALL_DIR>/\1/android_arm64_v8a/sbom/
+\endcode
+
+To generate SBOM documents from the Qt sources yourself, set \c -sbom as a
+\l{Qt Configure Options}{configure} option.
+
+For example, during the configure step:
+\badcode
+./configure  -sbom
+\endcode
+Generation of SBOM documents then becomes a part of the regular Qt installation:
+\badcode
+ninja install
+cmake --install .
+\endcode
+
+In Qt 6.8, this build process creates SBOM documents in JSON and \c{tag:value}
+format as specified by the \l{SPDX Format}{SPDX} format.
+
+See \l{Building Qt Sources} and \l{Qt Configure Options} for more information
+about the Qt build procedure.
+
+For Qt developers and maintainers, the \l{https://wiki.qt.io/SBOM}{SBOM Wiki}
+has specific information for creating SBOM documents.
+
+\section1 SPDX Format
+
+The SBOM documents are in \l{https://spdx.github.io/spdx-spec/v2.3}{SPDX 2.3}
+format. A document begins with information about the Qt module. SPDX packages
+follow as separate entries.
+
+For a Qt installation, an SPDX package may be a:
+\list
+\li \l{All Modules}{Qt module}
+\li Qt plugin - for example, \l{Supported Platforms}{platform} plugins
+\li Qt tool - for example, \l{Using the Meta-Object Compiler (moc)}{moc}
+\li Qt application - for example, \l{Qt Designer}
+\li Third-party component - see \l{Third-Party Code Used in Qt}
+\li System library dependency - \l{Qt Configure Options}
+\endlist
+
+An SPDX package typically contains at least:
+
+\list
+\li Package name, version, supplier name, and build information
+\li Qt License Attribution - a Qt product may be under different commercial or
+    open source licenses. For example, a package may list several concluded
+    licenses:
+    \badcode
+    LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+    \endcode
+    The \l{Qt Licensing} has more information about licensing options.
+\li Copyright notices - SBOM documents include Qt source copyrights and
+    copyrights from third-party sources or authors.
+\li CPE (Common Platform Enumeration) - a naming scheme for package
+    identification. For Qt, the SBOM CPE format is typically:
+    \badcode
+    cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>
+    \endcode
+
+    An example identifier for a \l{Qt Network Authorization} package is:
+    \badcode
+    cpe:2.3:a:qt:qtnetworkauth:6.8.0:*:*:*:*:*:*:*
+    \endcode
+    For more information, see
+    \l{https://cpe.mitre.org/specification/}{CPE Specification} page.
+\li PURL (Package URL) - an alternative to CPE, PURL is an identifier scheme
+    that uses the following format:
+    \badcode
+    scheme:type/namespace/name@version?qualifiers#subpath
+    \endcode
+
+    An example PURL for a package is:
+    \badcode
+    pkg:generic/TheQtCompany/qtnetworkauth@6.8.0
+    \endcode
+    For more information,
+    \l{https://github.com/package-url/purl-spec}{Package URL} page.
+\li Package relationships between packages such as dependencies.
+
+    For example, the \c DEPENDS_ON for listing a dependency relationship.
+    Refer to Clause 11 of the
+    \l{https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/}{SPDX 2.3}
+     for a list of valid
+    relationship types.
+
+\endlist
+
+\section1 Third-party SPDX Packages
+
+An SPDX package for a third-party component typically contains at least:
+
+\list
+\li Name, version, and description
+\li Homepage and download location
+\li Usage in Qt
+\li License and copyright information
+\li Whether the component is security critical - the code may process untrusted
+code
+\endlist
+
+\section1 SBOM Example
+
+The following is an example of an SBOM document for the
+\l{Qt Network Authorization} module. The SBOM filename is
+\c qtnetworkauth-6.8.0.spdx and is in the installation's \c sbom directory.
+Note that the SBOM document contains several other packages not listed in the
+following example.
+
+\code
+SPDXVersion: SPDX-2.3
+DataLicense: CC0-1.0
+SPDXID: SPDXRef-DOCUMENT
+DocumentName: qtnetworkauth-6.8.0
+DocumentNamespace: https://qt.io/spdxdocs/qtnetworkauth-6.8.0
+Creator: Organization: TheQtCompany
+Creator: Tool: Qt Build System
+CreatorComment: <text>This SPDX document was created from CMake 3.27.7, using the qt
+build system from https://code.qt.io/cgit/qt/qtbase.git/tree/cmake/QtPublicSbomHelpers.cmake</text>
+Created: 2024-09-19T11:07:23Z
+ExternalDocumentRef: DocumentRef-qtbase https://qt.io/spdxdocs/qtbase-6.8.0 SHA1: 3dbc51259a07d458524a976da2e9607a76fab7e7
+
+PackageName: NetworkAuth
+SPDXID: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth
+PackageDownloadLocation: git://code.qt.io/qt/qtnetworkauth.git
+PackageVersion: 6.8.0
+PackageSupplier: Organization: TheQtCompany
+PackageLicenseConcluded: LicenseRef-Qt-Commercial OR GPL-3.0-only
+PackageLicenseDeclared: LicenseRef-Qt-Commercial OR GPL-3.0-only
+ExternalRef: PACKAGE-MANAGER purl pkg:github/qt/qtnetworkauth?library_name=NetworkAuth#src/oauth
+ExternalRef: PACKAGE-MANAGER purl pkg:generic/TheQtCompany/qtnetworkauth-NetworkAuth?vcs_url=https://code.qt.io/qt/qtnetworkauth.git&library_name=NetworkAuth#src/oauth
+FilesAnalyzed: true
+PackageCopyrightText: <text>Copyright (C) 2024 The Qt Company Ltd.</text>
+PrimaryPackagePurpose: LIBRARY
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtnetworkauth:6.8.0:*:*:*:*:*:*:*
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qt:6.8.0:*:*:*:*:*:*:*
+Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Core
+Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-PlatformModuleInternal
+Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Gui
+Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Network
+Relationship: SPDXRef-Package-qtnetworkauth CONTAINS SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth
+\endcode
+
+\section1 Related Topics
+
+\list
+\li \l{https://spdx.github.io/spdx-spec/v2.3/}{SPDX 2.3}
+\li \l{https://wiki.qt.io/SBOM}{Qt Wiki - SBOM} - generating SBOM documents from Qt sources
+\li \l{Third-Party Code Used in Qt}
+\endlist
+*/
--- a/doc/src/qtdoc-toc.qdoc
+++ b/doc/src/qtdoc-toc.qdoc
@ -222,6 +222,7 @@
            \li \l {Mesa llvmpipe}
            \li \l {LLVM Attribution}
            \li \l {License Changes}
+            \li \l {Software Bill of Materials}
            \li \l {Trademarks}
        \endlist
    \li \l {Qt Reference Pages}{Reference}