SBOM: Difference between revisions
Latest revision as of 07:41, 15 November 2024
Qt Software Bill of Materials (SBOM)
Starting with Qt 6.8, when building Qt, the build system can generate and install an SBOM in the SPDX 2.3 format.
A SPDX SBOM document contains the following kinds of information: installed file checksums, copyrights, licenses, dependency versions, URLs, git commits, etc. More details can be found at Composition of an SPDX document.
Each built repository (qtbase, qtsvg) will install a separate SPDX document, e.g. $qt_prefix/sbom/qtbase-6.8.0.spdx, qtsvg-6.8.0.spdx, etc.
To generate and install an SBOM, pass -sbom to configure.
The argument needs to be passed to each configured repository separately, so the setting is not sticky like -sanitize or other similar options.
$ ../qtbase-source-dir/configure -prefix /opt/qt6 -sbom
# or
$ /opt/qt6/bin/qt-configure-module ../qtsvg -sbom
# or
$ cmake path/to/qt/repo -DQT_GENERATE_SBOM=ON
The sbom files will then be generated and installed during regular installation, but can also be explicitly installed by specifying a cmake installation component.
$ ninja install
# or
$ cmake --install . --component sbom
# -- Starting SBOM generation in build dir: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/qtsvg/qt_sbom/staging-qtsvg.spdx.in
# -- Finalizing SBOM generation in install dir: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtsvg-6.9.0.spdx
Note that because the document contains checksums of installed files, all files need to be installed first to generate a valid document.
Mapping of SPDX concepts to CMake
The general structure of a SPDX document is the following:
- the document contains document metadata and packages
- a package contains package metadata and files
- a file contains file metadata
- a package can have various kinds of relationships to other packages
- a package can depend on another package either in the current document or in a referenced external document
- a file can have various kinds of relationships to other files
- a package / file can contain comments
- the document contains custom license information that is not built into SPDX (e.g. our Qt commercial licenses)
In Qt's build system, we have multiple 'entity' types that map to a SPDX package:
- qt module (Gui)
- qt plugin (any platform plugin)
- qt tool (moc)
- qt app (Designer)
- 3rd party bundled code (pcre2, zlib)
- system library dependencies (openssl)
Each of these can then have zero or more SPDX file references.
In a -debug-and-release build there would be SBOM mentions for both libQt6Gui.dll and libQt6Guid.dll files.
For system libraries, there are no file references, because a SPDX document can only refer to an installed file.
Because system libraries are usually looked up each time a project is configured, the path would always be different, so we can't record such file metadata in the SBOM.
Almost all SPDX packages are backed by a cmake target.
Relationships between packages are computed based on link dependencies between cmake targets. Currently we don't distinguish between private and public linkage for SPDX relationship purposes. Any linkage done via generator expressions (genexes) will be ignored, and will have to be handled by specifying a manual sbom dependency.
The document also has to contain any custom license information for packages that use those licenses.
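The structure described above is what the installed tag:value files contain. The following is an added example, not the page's or Qt's own code: it parses an SPDX 2.3 tag:value document into the document/package/file structure, lists a package's DEPENDS_ON targets (including ones that live in a referenced external document) and recomputes the recorded file checksums against the installed files. The tag names come from the SPDX 2.3 specification; the sample document and the "installed" file bytes are constructed.

```python
"""Parse an SPDX 2.3 tag:value SBOM (the format Qt installs under $prefix/sbom)
and verify installed files against its recorded checksums.  Added example, not
Qt's own code; tag names follow SPDX 2.3, sample document and bytes are constructed."""
import hashlib
import re
from typing import Callable, Dict, List, Optional

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$", re.S)

def _tag_values(text: str):
    """Yield (tag, value) pairs; multi-line <text>...</text> values are joined."""
    buf: List[str] = []
    for raw in text.splitlines():
        buf.append(raw)
        joined = "\n".join(buf)
        if "<text>" in joined and "</text>" not in joined:
            continue  # still inside a multi-line value
        buf = []
        m = TAG_RE.match(joined.strip())
        if m:
            yield m.group(1), re.sub(r"^<text>|</text>$", "", m.group(2).strip()).strip()

def parse_spdx_tag_value(text: str) -> dict:
    """Document -> packages -> files plus relationship triples; a file block
    belongs to the package block that precedes it (SPDX tag:value convention)."""
    doc: dict = {"meta": {}, "packages": [], "relationships": []}
    current: Optional[dict] = None  # package or file block being filled
    package: Optional[dict] = None
    for tag, value in _tag_values(text):
        if tag == "PackageName":
            package = current = {"name": value, "spdxid": None, "version": None,
                                 "license": None, "files": []}
            doc["packages"].append(package)
        elif tag == "FileName":
            if package is None: raise ValueError(f"file {value!r} before any package")
            current = {"name": value, "spdxid": None, "checksums": {}}
            package["files"].append(current)
        elif tag == "Relationship":  # "<source> <TYPE> <target>"
            src, rel, dst = value.split()[:3]
            doc["relationships"].append((src, rel, dst))
        elif current is None:
            doc["meta"][tag] = value  # document-level metadata
        elif tag == "SPDXID":
            current["spdxid"] = value
        elif tag == "PackageVersion":
            current["version"] = value
        elif tag in ("PackageLicenseConcluded", "LicenseConcluded"):
            current["license"] = value
        elif tag == "FileChecksum":  # value looks like "SHA1: <hex digest>"
            algo, digest = value.split(":", 1)
            current["checksums"][algo.strip().lower()] = digest.strip().lower()
    return doc

def dependencies_of(doc: dict, spdxid: str) -> List[str]:
    """DEPENDS_ON targets; 'DocumentRef-x:SPDXRef-y' means an external document."""
    return [dst for src, rel, dst in doc["relationships"]
            if src == spdxid and rel == "DEPENDS_ON"]

def verify_checksums(doc: dict, read_file: Callable[[str], Optional[bytes]]) -> Dict[str, str]:
    """Recompute each recorded digest; read_file(name) returns the installed bytes
    (FileName is prefix-relative, './lib/...') or None.  'ok'|'missing'|'MISMATCH <algo>'."""
    results: Dict[str, str] = {}
    for pkg in doc["packages"]:
        for f in pkg["files"]:
            data = read_file(f["name"])
            if data is None:
                results[f["name"]] = "missing"
                continue
            bad = [a for a, d in f["checksums"].items()
                   if hashlib.new(a, data).hexdigest() != d]
            results[f["name"]] = f"MISMATCH {bad[0]}" if bad else "ok"
    return results

# Constructed stand-ins for installed Qt binaries, keyed by prefix-relative path.
INSTALLED: Dict[str, bytes] = {
    "./lib/libQt6Svg.so.6.9.0": b"\x7fELF constructed svg library",
    "./plugins/iconengines/libqsvgicon.so": b"\x7fELF constructed icon plugin",
}
_sha1 = lambda name: hashlib.sha1(INSTALLED[name]).hexdigest()

# Constructed qtsvg-style document: a module and a plugin package, each with one
# installed file, plus a dependency into the external qtbase document.
SAMPLE_SPDX = f"""SPDXVersion: SPDX-2.3
SPDXID: SPDXRef-DOCUMENT
DocumentName: qtsvg-6.9.0
PackageName: Svg
SPDXID: SPDXRef-Package-Svg
PackageVersion: 6.9.0
PackageLicenseConcluded: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
FileName: ./lib/libQt6Svg.so.6.9.0
FileChecksum: SHA1: {_sha1('./lib/libQt6Svg.so.6.9.0')}
PackageName: QSvgIconPlugin
SPDXID: SPDXRef-Package-QSvgIconPlugin
FileName: ./plugins/iconengines/libqsvgicon.so
FileChecksum: SHA1: {_sha1('./plugins/iconengines/libqsvgicon.so')}
Relationship: SPDXRef-Package-Svg DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-Core
Relationship: SPDXRef-Package-QSvgIconPlugin DEPENDS_ON SPDXRef-Package-Svg
"""
```

To check a real installation, pass a read_file that resolves the prefix-relative FileName against the install prefix (for example /opt/qt6) and feed it the document from $qt_prefix/sbom.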
For Maintainers
As a Qt maintainer, there are a few things you should know and take care of.
Qt Module Licensing
The licensing of the qt modules, plugins, tools, apps is explained in QUIP-18.
The default license of Qt modules is LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only. Some add-ons are licensed with: LicenseRef-Qt-Commercial OR GPL-3.0-only. And for tools and apps it is usually LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0.
If that is not the case for the repo you are maintaining, make sure to explicitly specify a different license either per target, or per subdirectory, or per repo.
To do it per target, specify the QT_LICENSE_ID option to qt_internal_add_module / plugin / tool / extend_target with a value that the implementation of _qt_internal_sbom_get_spdx_license_expression understands.
qt_internal_add_module(WebEngine
...
QT_LICENSE_ID QT_COMMERCIAL_OR_LGPL3
)
To do it per subdirectory or repo, set the QT_SBOM_DEFAULT_QT_LICENSE_ID_LIBRARIES and QT_SBOM_DEFAULT_QT_LICENSE_ID_EXECUTABLES variables to one of the values that the implementation of _qt_internal_sbom_get_spdx_license_expression understands.
# inside src/CMakeLists.txt
set(QT_SBOM_DEFAULT_QT_LICENSE_ID_LIBRARIES "QT_COMMERCIAL_OR_GPL3")
set(QT_SBOM_DEFAULT_QT_LICENSE_ID_EXECUTABLES "QT_COMMERCIAL_OR_GPL3")
Example: https://codereview.qt-project.org/c/qt/qtquick3dphysics/+/569239
Bundled / vendored 3rd party sources
Qt uses various 3rd party sources that are usually located in src/3rdparty, but sometimes they are part of module sources.
We need to make sure the SBOM generation process knows about them for compliance reasons.
The easiest way to annotate these is with one or more qt_attribution.json files. Their format is described in QUIP-7.
For 3rd party libraries created with qt_internal_add_3rdparty_library, as long as the CMakeLists.txt is next to the qt_attribution.json file, you don't need to do anything.
If the attribution file is in a different location, make sure to specify all relevant attribution files via the ATTRIBUTION_FILE_DIR_PATHS option to qt_internal_add_module / plugin / tool / extend_target.
# Sample 1
qt_internal_add_module(Core
ATTRIBUTION_FILE_DIR_PATHS
text
tools
../3rdparty/blake2
../3rdparty/md4
../3rdparty/md5
../3rdparty/sha1
../3rdparty/sha3
../3rdparty/rfc6234
../3rdparty/tinycbor
)
# Sample 2
qt_internal_extend_target(Network CONDITION NOT QT_FEATURE_system_zlib
INCLUDE_DIRECTORIES
../3rdparty/zlib/src
ATTRIBUTION_FILE_DIR_PATHS
../3rdparty/zlib
../3rdparty/some-random-ssl-lib
)
# Sample 3
qt_internal_add_3rdparty_library(BundledPcre2
ATTRIBUTION_FILE_DIR_PATHS
../3rdparty/pcre
)
Various examples:
- https://codereview.qt-project.org/c/qt/qtbase/+/564427
- https://codereview.qt-project.org/c/qt/qtwayland/+/569252
- https://codereview.qt-project.org/c/qt/qtmultimedia/+/562057
Make sure that the qt_attribution.json files contain information like version, license, copyrights, download url.
If some information needs to be recorded for a target without a qt_attribution.json file, and for whatever reason creating one is not desired, you can add SBOM-related options to qt_internal_add_module / plugin / tool / extend_target.
The full list can be found in the implementation of the _qt_internal_get_sbom_add_target_common_options command.
Sample reference:
qt_internal_extend_target(BundledZlib CONDITION NOT QT_FEATURE_system_zlib
# flags
NO_CURRENT_DIR_ATTRIBUTION
NO_ATTRIBUTION_LICENSE_ID
NO_DEFAULT_QT_LICENSE
NO_DEFAULT_QT_LICENSE_ID_LIBRARIES
NO_DEFAULT_QT_LICENSE_ID_EXECUTABLES
NO_DEFAULT_DIRECTORY_QT_LICENSE
NO_DEFAULT_QT_COPYRIGHTS
NO_DEFAULT_QT_PACKAGE_VERSION
NO_DEFAULT_QT_SUPPLIER
# single value options
PACKAGE_VERSION "1.2.4"
FRIENDLY_PACKAGE_NAME "FancierZlib"
CPE_VENDOR "zlib"
CPE_PRODUCT "zlib"
LICENSE_EXPRESSION "MIT OR BSD-3-Clause"
QT_LICENSE_ID "QT_COMMERCIAL_OR_BSD3"
DOWNLOAD_LOCATION "https://github.com/madler/zlib"
ATTRIBUTION_ENTRY_INDEX "5"
# multi value options
COPYRIGHTS
"Copyright company 1"
"Copyright company 1"
CPE
"cpe:2.3:o:arm:arm:-:*:*:*:*:*:*:*"
"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"
SBOM_DEPENDENCIES # extra sbom dependencies
Qt6::Core
Qt6::Gui
WrapOpenSSL::WrapOpenSSL
ATTRIBUTION_FILE_PATHS
../3rdparty/zlib1/qt_attribution.json
../3rdparty/zlib2/qt_attribution.json
ATTRIBUTION_FILE_DIR_PATHS
../3rdparty/zlib3
../3rdparty/zlib4
)
More examples of changes with SBOM annotations can be found at https://codereview.qt-project.org/q/topic:%22sbom%22
CPE and PURL values in qt_attribution.json files
For easier tracking of 3rd party library vulnerabilities, it is helpful to add CPE and PURL values to qt_attribution.json files and keep them up to date.
After the values are added, make sure to keep the version strings across the whole file up to date whenever the package sources are updated to a new version.
Sample attribution.json file snippets:
{
"PURL": "pkg:github/madler/zlib@v1.3.1",
"CPE": "cpe:2.3:a:zlib:zlib:1.3.1:*:*:*:*:*:*:*"
}
{
"PURL": "pkg:github/pnggroup/libpng@v1.6.43",
"CPE": "cpe:2.3:a:libpng:libpng:1.6.43:*:*:*:*:*:*:*"
}
{
"PURL": "pkg:generic/xcb-xinput?download_url=http://xcb.freedesktop.org/",
"Comment": "no relevant CPE found"
}
{
"PackageComment": "Upstream http://www.pointing.com/Wintab.html no longer offers updates; treat as final, no relevant CPE and PURL found"
}
You can look at qt_attribution.json files in qtbase for further inspiration.
More details below.
CPE
CPE stands for "Common Platform Enumeration". It is an identifier that helps identify a particular version of a package.
The general format is as follows:
cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>
A sample value:
cpe:2.3:a:zlib:zlib:1.3.1:*:*:*:*:*:*:*
In a qt_attribution.json file, it should be added to the multi-value CPE key.
{ ..., "CPE": ["cpe:2.3:a:zlib:zlib:1.3.1:*:*:*:*:*:*:*"], ... }
To find a relevant CPE for a particular package, use https://nvd.nist.gov/products/cpe/search
Not all packages have CPEs. In that case, you can add a "no relevant CPE found" comment to the qt_attribution.json file.
PURL
PURL is another kind of identifier. It stands for Package URL. The format is described at https://github.com/package-url/purl-spec
The general format is as follows:
scheme:type/namespace/name@version?qualifiers#subpath
A sample value:
pkg:github/madler/zlib@v1.3.1
In a qt_attribution.json file, it should be added to the multi-value PURL key.
{ ... , "PURL": ["pkg:github/madler/zlib@v1.3.1"], ... }
Currently, there is no single database to look for a PURL, nor a convenient online service where you can put in a purl value and see if it exists and is valid.
Some incomplete databases can be found at:
https://github.com/scanoss/purl2cpe
https://github.com/scanoss/purl2cpe/blob/main/purl2cpe.db.zip
For packages hosted on or mirrored to GitHub, it is easy to create a PURL based on the GitHub namespace and project name.
pkg:github/PCRE2Project/pcre2@pcre2-10.44
For packages not on github, consider adding a generic PURL with a download url:
pkg:generic/iaccessible2?download_url=https://wiki.linuxfoundation.org/accessibility/iaccessible2/
Otherwise, you can add a "no relevant PURL found" comment to the qt_attribution.json file.
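As an added example (not Qt's own tooling), the following script parses the CPE 2.3 and PURL formats described in the two sections above and checks a qt_attribution.json file for the mistakes they warn about: identifiers missing without a "no relevant ... found" comment, wildcard CPE versions, generic PURLs without a download_url qualifier, and version strings that drifted apart after a package update. The Id, Version, CPE, PURL, Comment and PackageComment keys follow the qt_attribution.json format; the sample entries are constructed.

```python
"""Consistency checks for the CPE and PURL values in a qt_attribution.json
file.  Added example, not Qt's own tooling: it parses the CPE 2.3 and PURL
formats shown above and flags version drift between an entry's "Version",
"CPE" and "PURL" after a 3rd-party update.  Key names follow QUIP-7
(Id, Version, CPE, PURL, Comment, PackageComment); entries are constructed."""
import json
import re
from typing import Dict, List, Optional, Union

# Fields of a CPE 2.3 formatted string after the "cpe" prefix, colon separated.
# Escaped colons ("\:") inside a field are not handled.
CPE_FIELDS = ["cpe_version", "part", "vendor", "product", "version", "update",
              "edition", "language", "sw_edition", "target_sw", "target_hw", "other"]
# scheme:type/namespace/name@version?qualifiers#subpath (namespace is optional)
PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-z0-9.+-]+)/(?:(?P<namespace>[^@?#]+)/)?(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?:\?(?P<qualifiers>[^#]+))?(?:#(?P<subpath>.+))?$")

def parse_cpe(cpe: str) -> Dict[str, str]:
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(CPE_FIELDS, parts[1:]))

def parse_purl(purl: str) -> dict:
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"not a package URL: {purl}")
    d = m.groupdict()
    quals = d["qualifiers"].split("&") if d["qualifiers"] else []
    d["qualifiers"] = dict(q.split("=", 1) for q in quals)
    return d

def _version_agrees(declared: str, tag: str) -> bool:
    """Upstream tags wrap the version ('v1.3.1', 'pcre2-10.44'); accept those."""
    t = tag.lstrip("v")
    return t == declared or t.endswith("-" + declared) or t.endswith("_" + declared)

def _as_list(value: Union[None, str, List[str]]) -> List[str]:
    """CPE and PURL keys may hold a single string or a list."""
    return [] if value is None else [value] if isinstance(value, str) else list(value)

def check_entry(entry: dict) -> List[str]:
    """Findings for one attribution entry; an empty list means it is consistent."""
    findings: List[str] = []
    declared = entry.get("Version")
    comments = " ".join(str(entry.get(k, "")) for k in ("Comment", "PackageComment")).lower()
    cpes, purls = _as_list(entry.get("CPE")), _as_list(entry.get("PURL"))
    if not cpes and not ("no relevant" in comments and "cpe" in comments):
        findings.append("no CPE and no 'no relevant CPE found' comment")
    if not purls and not ("no relevant" in comments and "purl" in comments):
        findings.append("no PURL and no 'no relevant PURL found' comment")
    for cpe in cpes:
        try:
            ver = parse_cpe(cpe)["version"]
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if ver in ("*", "-"):  # unversioned CPE matches every release of the product
            findings.append(f"CPE {cpe} has no version; pin it to the bundled version")
        elif declared and not _version_agrees(declared, ver):
            findings.append(f"CPE version {ver} != Version {declared}")
    for purl in purls:
        try:
            p = parse_purl(purl)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if p["version"] and declared and not _version_agrees(declared, p["version"]):
            findings.append(f"PURL version {p['version']} != Version {declared}")
        if p["type"] == "generic" and "download_url" not in p["qualifiers"]:
            findings.append(f"generic PURL {purl} should carry a download_url qualifier")
    return findings

def check_attribution_json(text: str) -> Dict[str, List[str]]:
    """Run check_entry over a qt_attribution.json document (one object or a list)."""
    data = json.loads(text)
    entries = data if isinstance(data, list) else [data]
    return {e.get("Id", f"<entry {i}>"): check_entry(e) for i, e in enumerate(entries)}

# Constructed sample: zlib and pcre2 are consistent, libpng was bumped to
# 1.6.44 without refreshing its identifiers, xcb-xinput and wintab document
# the absence of identifiers in comments.
SAMPLE_ATTRIBUTION = json.dumps([
    {"Id": "zlib", "Version": "1.3.1",
     "CPE": ["cpe:2.3:a:zlib:zlib:1.3.1:*:*:*:*:*:*:*"],
     "PURL": "pkg:github/madler/zlib@v1.3.1"},
    {"Id": "libpng", "Version": "1.6.44",
     "CPE": "cpe:2.3:a:libpng:libpng:1.6.43:*:*:*:*:*:*:*",
     "PURL": "pkg:github/pnggroup/libpng@v1.6.43"},
    {"Id": "xcb-xinput", "Version": "1.13",
     "PURL": "pkg:generic/xcb-xinput?download_url=http://xcb.freedesktop.org/",
     "Comment": "no relevant CPE found"},
    {"Id": "wintab", "Version": "1.4",
     "PackageComment": "Upstream no longer offers updates; no relevant CPE and PURL found"},
    {"Id": "pcre2", "Version": "10.44",
     "CPE": "cpe:2.3:a:pcre:pcre2:10.44:*:*:*:*:*:*:*",
     "PURL": "pkg:github/PCRE2Project/pcre2@pcre2-10.44"},
])
```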
Custom SBOM information not backed by a target
In case you need to add some custom SBOM information to the document, which is not backed by any cmake target, or is a cmake target not created by one of the regular qt_internal_add_foo commands, you can use one of the following APIs:
add_library(QtLibraryInfo)
qt_internal_add_sbom(QtLibraryInfo
TYPE QT_MODULE
NO_INSTALL
)
qt_internal_extend_sbom(QtLibraryInfo
CPE_VENDOR "qtlibraryinfo"
CPE_PRODUCT "qtlibraryinfo"
DOWNLOAD_LOCATION "https://code.qt.io/qt/qtbase"
)
add_library(MyCustomLib)
qt_internal_add_sbom(MyCustomLib
TYPE LIBRARY
DOWNLOAD_LOCATION "https://github.com/foo/bar"
SBOM_DEPENDENCIES
QtLibraryInfo
)
qt_internal_add_sbom(MyCustomPackage
TYPE THIRD_PARTY_LIBRARY
DOWNLOAD_LOCATION "https://github.com/foo/bar2"
SBOM_DEPENDENCIES
QtLibraryInfo
MyCustomLib
)
- qt_internal_add_sbom allows adding sbom information for an arbitrary existing target, or creates a custom INTERFACE IMPORTED target when none exists
- qt_internal_extend_sbom can be used to extend the sbom information. It expects an existing target.
The TYPE specified to qt_internal_add_sbom and qt_internal_extend_sbom can be one of the following:
- QT_MODULE
- QT_PLUGIN
- QML_PLUGIN
- QT_TOOL
- QT_APP
- QT_THIRD_PARTY_MODULE
- QT_THIRD_PARTY_SOURCES
- SYSTEM_LIBRARY
- EXECUTABLE
- LIBRARY
- THIRD_PARTY_LIBRARY
- THIRD_PARTY_LIBRARY_WITH_FILES
When calling functions like qt_internal_add_module the SBOM is automatically created with a QT_MODULE TYPE. Same for qt_internal_add_plugin, etc.
SBOM information for system libraries
Ideally system libraries would also be annotated with various information like copyrights and licenses, but we don't have qt_attribution.json files for them, because they are looked up using Find scripts like FindOpenSSL.cmake and we don't provide attribution for those or what they point to.
So currently we don't generally annotate these.
But it is possible to do so manually using qt_find_package_extend_sbom. See the following snippets:
qt_find_package(GLIB2 PROVIDED_TARGETS GLIB2::GLIB2 MODULE_NAME core QMAKE_LIB glib)
qt_find_package_extend_sbom(TARGETS GLIB2::GLIB2
LICENSE_EXPRESSION "LGPL-2.1-or-later"
CPE_VENDOR "glib"
CPE_PRODUCT "glib2"
DOWNLOAD_LOCATION "https://docs.gtk.org/glib/"
)
qt_find_package(Libb2 PROVIDED_TARGETS Libb2::Libb2 MODULE_NAME core QMAKE_LIB libb2)
qt_find_package_extend_sbom(TARGETS Libb2::Libb2
LICENSE_EXPRESSION "CC0-1.0"
)
We use qt_find_package_extend_sbom instead of qt_internal_extend_sbom because the latter always expects the target to exist, but find_package() calls might fail if the library is not installed on the system, and cause an error when trying to annotate a target that doesn't exist.
qt_find_package_extend_sbom allows the target not to exist, in which case it is a no-op. It can also take a list of targets, in case the package provides multiple ones.
If there is a relevant attribution file that can be used for the find script, like in the case of qtmultimedia, one can do the following:
qt_find_package(FFmpeg OPTIONAL_COMPONENTS AVCODEC AVFORMAT AVUTIL SWRESAMPLE SWSCALE PROVIDED_TARGETS FFmpeg::avcodec FFmpeg::avformat FFmpeg::avutil FFmpeg::swresample FFmpeg::swscale MODULE_NAME multimedia QMAKE_LIB ffmpeg)
qt_find_package_extend_sbom(
TARGETS
FFmpeg::avcodec
FFmpeg::avformat
FFmpeg::avutil
FFmpeg::swresample
FFmpeg::swscale
ATTRIBUTION_FILE_DIR_PATHS
../3rdparty/ffmpeg
)
Viewing and validating SBOM SPDX documents
The generated SPDX documents use a tag:value system for representing their information and can be read by any text editor.
But a document might contain a lot of information, and it's hard to check whether there are any issues or anything is missing.
There are third party python packages that can help visualize and validate the documents.
The qt build system can automatically use them to show the document content after generation and do appropriate validation.
Make sure you have Python 3.9+ installed and install the following python packages either into the system python or using a virtual environment:
$ python3 -m venv path/to/env
$ source path/to/env/bin/activate
$ pip3 install spdx-tools ntia-conformance-checker sbomaudit sbom2doc
Make sure everything is in PATH, by running sbom2doc --help and checking that it is found.
Then, configure qt or a qt repo using:
$ ../qtbase-source-dir/configure -prefix /opt/qt6 -sbom -- -DQT_INTERNAL_NO_SBOM_FIND_PYTHON_FRAMEWORK=ON -DQT_INTERNAL_SBOM_DEFAULT_CHECKS=ON -DQT_INTERNAL_SBOM_AUDIT_NO_ERROR=ON
# or
$ /opt/qt6/bin/qt-configure-module ../qtsvg -sbom -- -DQT_INTERNAL_NO_SBOM_FIND_PYTHON_FRAMEWORK=ON -DQT_INTERNAL_SBOM_DEFAULT_CHECKS=ON -DQT_INTERNAL_SBOM_AUDIT_NO_ERROR=ON
# or
$ cmake path/to/qt/repo -DQT_GENERATE_SBOM=ON -DQT_INTERNAL_NO_SBOM_FIND_PYTHON_FRAMEWORK=ON -DQT_INTERNAL_SBOM_DEFAULT_CHECKS=ON -DQT_INTERNAL_SBOM_AUDIT_NO_ERROR=ON
The build system will check if all dependencies are present and show an error if not.
Now, after SBOM generation finishes, the build system does the following:
- generates an equivalent JSON representation of the SPDX file (fails the installation if invalid content is found)
- runs the NTIA compliance checker (fails the installation if the check fails)
- runs sbom2doc to show the document contents
- runs sbomaudit for some additional checks (unlike the other steps, this does not fail the installation)
Here is some sample output for qtimageformats and qtbase:
-- Starting SBOM generation in build dir: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/qtimageformats/qt_sbom/staging-qtimageformats.spdx.in
-- Finalizing SBOM generation in install dir: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtimageformats-6.9.0.spdx
-- Generating JSON: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtimageformats-6.9.0.spdx.json
-- Verifying: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtimageformats-6.9.0.spdx
Is this SBOM NTIA minimum element conformant? True
Individual elements | Status
-------------------------------------------------------
All component names provided? | True
All component versions provided? | True
All component identifiers provided? | True
All component suppliers provided? | True
SBOM author name provided? | True
SBOM creation timestamp provided? | True
Dependency relationships provided? | True
-- Showing main SBOM document info: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtimageformats-6.9.0.spdx
╭──────────────╮
│ SBOM Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Item ┃ Details ┃
┡━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ SBOM File │ /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtimageformats-6.9.0.spdx │
│ SBOM Type │ spdx │
│ Version │ SPDX-2.3 │
│ Name │ qtimageformats-6.9.0 │
│ Creator │ Organization:TheQtCompany │
│ Creator │ Tool:Qt Build System │
│ Created │ 2024-06-27T11:56:32Z │
│ Files │ 7 │
│ Packages │ 12 │
│ Relationships │ 22 │
└───────────────┴────────────────────────────────────────────────────────────────────────────────────────────────┘
╭──────────────╮
│ File Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Name ┃ Type ┃ License ┃ Copyright ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ ./plugins/imageformats/libqtga_debug.… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqwbmp_debug… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqtiff_debug… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqwebp_debug… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqmacheif_de… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqicns_debug… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqmacjp2_deb… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
└────────────────────────────────────────┴────────┴────────────────────────────────────────┴────────────────────────────────────────┘
╭─────────────────╮
│ Package Summary │
╰─────────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Name ┃ Version ┃ Type ┃ Supplier ┃ License ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ AppleClang │ 15.0.0.15000100 │ APPLICATION │ Anonymous │ NOASSERTION │
│ qtimageformats │ 983b9da+dev │ LIBRARY │ TheQtCompany │ NOASSERTION │
│ QTgaPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR │
│ │ │ │ │ GPL-2.0-only OR GPL-3.0-only │
│ QWbmpPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR │
│ │ │ │ │ GPL-2.0-only OR GPL-3.0-only │
│ QTiffPlugin_Attribution_libtiff │ 4.6.0 │ LIBRARY │ TheQtCompany │ libtiff │
│ QTiffPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR │
│ │ │ │ │ GPL-2.0-only OR GPL-3.0-only │
│ QWebpPlugin_Attribution_libwebp │ 1.4.0 │ LIBRARY │ TheQtCompany │ BSD-3-Clause │
│ QWebpPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR │
│ │ │ │ │ GPL-2.0-only OR GPL-3.0-only │
│ QMacHeifPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR │
│ │ │ │ │ GPL-2.0-only OR GPL-3.0-only │
│ QICNSPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR │
│ │ │ │ │ GPL-2.0-only OR GPL-3.0-only │
│ QMacJp2Plugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR │
│ │ │ │ │ GPL-2.0-only OR GPL-3.0-only │
│ WrapZLIB │ 1.2.12 │ LIBRARY │ Anonymous │ NOASSERTION │
└─────────────────────────────────┴─────────────────┴─────────────┴──────────────┴──────────────────────────────────────────────────┘
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Name ┃ Version ┃ Ecosystem ┃ Download ┃ Copyright ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ AppleClang │ 15.0.0.15000100 │ - │ NOT KNOWN │ NOASSERTION │
│ qtimageformats │ 983b9da+dev │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QTgaPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QWbmpPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QTiffPlugin_Attribution_libtiff │ 4.6.0 │ generic │ https://download.osgeo.org/lib… │ Copyright (c) 1988-1997 Sam │
│ │ │ │ │ Leffler │
│ QTiffPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QWebpPlugin_Attribution_libwebp │ 1.4.0 │ generic │ https://storage.googleapis.com… │ Copyright (c) 2010, Google Inc. │
│ │ │ │ │ All rights reserved. │
│ QWebpPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QMacHeifPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QICNSPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QMacJp2Plugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ WrapZLIB │ 1.2.12 │ - │ NOT KNOWN │ NOASSERTION │
└─────────────────────────────────┴─────────────────┴───────────┴─────────────────────────────────┴─────────────────────────────────┘
╭────────────────────────╮
│ Component Type Summary │
╰────────────────────────╯
┏━━━━━━━━━━━━━┳━━━━━━━┓
┃ Type ┃ Count ┃
┡━━━━━━━━━━━━━╇━━━━━━━┩
│ APPLICATION │ 1 │
│ LIBRARY │ 11 │
└─────────────┴───────┘
╭─────────────────╮
│ License Summary │
╰─────────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┓
┃ License ┃ Count ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━┩
│ BSD-3-Clause │ 1 │
│ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only │ 14 │
│ NOASSERTION │ 3 │
│ libtiff │ 1 │
└───────────────────────────────────────────────────────────────────────────┴───────┘
╭──────────────────╮
│ Supplier Summary │
╰──────────────────╯
┏━━━━━━━━━━━━━━┳━━━━━━━┓
┃ Supplier ┃ Count ┃
┡━━━━━━━━━━━━━━╇━━━━━━━┩
│ Anonymous │ 2 │
│ TheQtCompany │ 10 │
└──────────────┴───────┘
╭──────────────╮
│ NTIA Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┓
┃ Element ┃ Status ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━┩
│ All file information provided? │ True │
│ All package information provided? │ True │
│ Creator identified? │ True │
│ Creation time identified? │ True │
│ Dependency relationships provided? │ True │
└────────────────────────────────────┴────────┘
NTIA conformant True
-- Starting SBOM generation in build dir: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/qtbase/qt_sbom/staging-qtbase.spdx.in
-- Finalizing SBOM generation in install dir: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtbase-6.9.0.spdx
-- Generating JSON: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtbase-6.9.0.spdx.json
-- Verifying: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtbase-6.9.0.spdx
Is this SBOM NTIA minimum element conformant? True
Individual elements | Status
-------------------------------------------------------
All component names provided? | True
All component versions provided? | True
All component identifiers provided? | True
All component suppliers provided? | True
SBOM author name provided? | True
SBOM creation timestamp provided? | True
Dependency relationships provided? | True
-- Showing main SBOM document info: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtbase-6.9.0.spdx
╭──────────────╮
│ SBOM Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Item ┃ Details ┃
┡━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ SBOM File │ /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtbase-6.9.0.spdx │
│ SBOM Type │ spdx │
│ Version │ SPDX-2.3 │
│ Name │ qtbase-6.9.0 │
│ Creator │ Organization:TheQtCompany │
│ Creator │ Tool:Qt Build System │
│ Created │ 2024-06-24T16:37:05Z │
│ Files │ 52 │
│ Packages │ 124 │
│ Relationships │ 384 │
└───────────────┴────────────────────────────────────────────────────────────────────────────────────────┘
╭──────────────╮
│ File Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Name ┃ Type ┃ License ┃ Copyright ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ ./libexec/moc │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2013 Olivier Goffart │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ <ogoffart@woboq.com> │
│ ./libexec/rcc │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ │
│ ./libexec/tracepointgen │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ │
│ ./libexec/tracegen │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ │
│ ./libexec/cmake_automoc_parser │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ │
│ ./lib/libQt6Core_debug.6.9.0.dylib │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/permissions/libqdarwincamer… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/permissions/libqdarwinmicro… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/permissions/libqdarwinbluet… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/permissions/libqdarwinconta… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/permissions/libqdarwincalen… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/permissions/libqdarwinlocat… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./lib/libQt6BundledLibpng_debug.a │ BINARY │ Libpng AND libpng-2.0 │ Copyright (c) 1995-2024 The PNG │
│ │ │ │ Reference Library Authors │
│ ./lib/libQt6BundledLibjpeg_debug.a │ BINARY │ IJG AND BSD-3-Clause │ Copyright (C) 2009-2024 D. R. │
│ │ │ │ Commander │
│ ./lib/libQt6BundledFreetype_debug.a │ BINARY │ FTL OR GPL-2.0-only │ Copyright (c) 2007-2014 Adobe Systems │
│ │ │ │ Incorporated │
│ ./lib/libQt6Concurrent_debug.6.9.0.dy… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./lib/libQt6Sql_debug.6.9.0.dylib │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./lib/libQt6Network_debug.6.9.0.dylib │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./lib/libQt6Xml_debug.6.9.0.dylib │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./lib/libQt6DBus_debug.6.9.0.dylib │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./libexec/uic │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ │
│ ./bin/qdbuscpp2xml │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ │
│ ./bin/qdbusxml2cpp │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ │
│ ./libexec/qlalr │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ │
│ ./libexec/qvkgen │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ │
│ ./bin/qtpaths │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ │
│ ./bin/androiddeployqt │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ │
│ ./bin/androidtestrunner │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ │
│ ./bin/macdeployqt │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ │
│ ./lib/libQt6Gui_debug.6.9.0.dylib │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./lib/libQt6ExampleIcons_debug.a │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./lib/libQt6ExamplesAssetDownloader_d… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./lib/libQt6OpenGL_debug.6.9.0.dylib │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./lib/libQt6Widgets_debug.6.9.0.dylib │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./lib/libQt6OpenGLWidgets_debug.6.9.0… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./lib/libQt6DeviceDiscoverySupport_de… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./lib/libQt6FbSupport_debug.a │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./lib/libQt6Test_debug.6.9.0.dylib │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./lib/libQt6PrintSupport_debug.6.9.0.… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/sqldrivers/libqsqlite_debug… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/platforms/libqminimal_debug… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/platforms/libqoffscreen_deb… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/platforms/libqcocoa_debug.d… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqico_debug.… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqjpeg_debug… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqgif_debug.… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/generic/libqtuiotouchplugin… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/styles/libqmacstyle_debug.d… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/networkinformation/libqscne… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/tls/libqsecuretransportback… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/tls/libqcertonlybackend_deb… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./bin/qmake │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ GPL-3.0-only WITH Qt-GPL-exception-1.0 │ │
└────────────────────────────────────────┴────────┴────────────────────────────────────────┴────────────────────────────────────────┘
╭─────────────────╮
│ Package Summary │
╰─────────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Name ┃ Version ┃ Type ┃ Supplier ┃ License ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ AppleClang │ 15.0.0.15000100 │ APPLICATION │ Anonymous │ NOASSERTION │
│ qtbase │ 84c2bf3fe0c+dev+dirty │ LIBRARY │ TheQtCompany │ NOASSERTION │
│ GlobalConfigPrivate │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ Platform │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ PlatformCommonInternal │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ PlatformModuleInternal │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ PlatformPluginInternal │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ PlatformAppInternal │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ PlatformToolInternal │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ Bootstrap_Attribution_pcre2 │ 10.44 │ LIBRARY │ TheQtCompany │ LicenseRef-BSD-3-Clause-with-PC… │
│ Bootstrap_Attribution_pcre2-sl… │ 10.44 │ LIBRARY │ TheQtCompany │ BSD-2-Clause │
│ Bootstrap │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ moc │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ rcc │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ tracepointgen │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ tracegen │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ cmake_automoc_parser │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ BundledPcre2_Attribution_pcre2… │ 10.44 │ LIBRARY │ TheQtCompany │ BSD-2-Clause │
│ BundledPcre2 │ 10.44 │ LIBRARY │ TheQtCompany │ LicenseRef-BSD-3-Clause-with-PC… │
│ Core_Attribution_unicode-chara… │ 30 │ LIBRARY │ TheQtCompany │ Unicode-DFS-2016 │
│ Core_Attribution_unicode-cldr │ v44.1 │ LIBRARY │ TheQtCompany │ Unicode-3.0 │
│ Core_Attribution_siphash │ unknown │ LIBRARY │ TheQtCompany │ CC0-1.0 │
│ Core_Attribution_blake2 │ 54f4faa4c16ea34bcd59d16e8da46a… │ LIBRARY │ TheQtCompany │ CC0-1.0 OR Apache-2.0 │
│ Core_Attribution_md4 │ unknown │ LIBRARY │ TheQtCompany │ CC0-1.0 │
│ Core_Attribution_md5 │ unknown │ LIBRARY │ TheQtCompany │ CC0-1.0 │
│ Core_Attribution_sha1 │ unknown │ LIBRARY │ TheQtCompany │ LicenseRef-SHA1-Public-Domain │
│ Core_Attribution_sha3_endian │ https://github.com/BrianGladma… │ LIBRARY │ TheQtCompany │ BSD-2-Clause │
│ │ commit │ │ │ │
│ │ 4b9e13ead2c5b5e41ca27c65de4dd6… │ │ │ │
│ Core_Attribution_sha3_keccak │ 3.2 │ LIBRARY │ TheQtCompany │ CC0-1.0 │
│ Core_Attribution_rfc6234 │ unknown │ LIBRARY │ TheQtCompany │ BSD-3-Clause │
│ Core_Attribution_tinycbor │ 0.6.0 │ LIBRARY │ TheQtCompany │ MIT │
│ Core_Attribution_qeventdispatc… │ unknown │ LIBRARY │ TheQtCompany │ BSD-3-Clause │
│ Core_Attribution_doubleconvers… │ 3.3.0 │ LIBRARY │ TheQtCompany │ BSD-3-Clause │
│ Core_Attribution_easing │ unknown │ LIBRARY │ TheQtCompany │ BSD-3-Clause │
│ Core_Attribution_forkfd │ unknown │ LIBRARY │ TheQtCompany │ MIT │
│ Core │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QDarwinCameraPermissionPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QDarwinMicrophonePermissionPlu… │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QDarwinBluetoothPermissionPlug… │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QDarwinContactsPermissionPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QDarwinCalendarPermissionPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QDarwinLocationPermissionPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ BundledLibpng │ 1.6.43 │ LIBRARY │ TheQtCompany │ Libpng AND libpng-2.0 │
│ PngPrivate_Attribution_libpng │ 1.6.43 │ LIBRARY │ TheQtCompany │ Libpng AND libpng-2.0 │
│ PngPrivate │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ BundledLibjpeg16bits │ 3.0.3 │ LIBRARY │ TheQtCompany │ IJG AND BSD-3-Clause │
│ BundledLibjpeg12bits │ 3.0.3 │ LIBRARY │ TheQtCompany │ IJG AND BSD-3-Clause │
│ BundledLibjpeg │ 3.0.3 │ LIBRARY │ TheQtCompany │ IJG AND BSD-3-Clause │
│ JpegPrivate_Attribution_libjpeg │ 3.0.3 │ LIBRARY │ TheQtCompany │ IJG AND BSD-3-Clause │
│ JpegPrivate │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ BundledFreetype_Attribution_fr… │ 2.13.2 │ LIBRARY │ TheQtCompany │ Zlib │
│ BundledFreetype_Attribution_fr… │ 2.13.2 │ LIBRARY │ TheQtCompany │ MIT │
│ BundledFreetype_Attribution_fr… │ 2.13.2 │ LIBRARY │ TheQtCompany │ MIT AND MIT-open-group │
│ BundledFreetype │ 2.13.2 │ LIBRARY │ TheQtCompany │ FTL OR GPL-2.0-only │
│ FreetypePrivate_Attribution_fr… │ 2.13.2 │ LIBRARY │ TheQtCompany │ FTL OR GPL-2.0-only │
│ FreetypePrivate_Attribution_fr… │ unknown │ LIBRARY │ TheQtCompany │ Zlib │
│ FreetypePrivate_Attribution_fr… │ unknown │ LIBRARY │ TheQtCompany │ MIT │
│ FreetypePrivate_Attribution_fr… │ unknown │ LIBRARY │ TheQtCompany │ MIT AND MIT-open-group │
│ FreetypePrivate │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ BundledHarfbuzz │ 8.5.0 │ LIBRARY │ TheQtCompany │ MIT │
│ HarfbuzzPrivate_Attribution_ha… │ 8.5.0 │ LIBRARY │ TheQtCompany │ MIT │
│ HarfbuzzPrivate │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ Concurrent │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ Sql │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ Network_Attribution_psl-data │ 903a83ff7bfc3148e3692e09396f9f… │ LIBRARY │ TheQtCompany │ MPL-2.0 │
│ │ fetched on 2024 │ │ │ │
│ Network_Attribution_libpsl │ 664f3dc85259ec65e30248a61fa1c4… │ LIBRARY │ TheQtCompany │ BSD-3-Clause │
│ Network │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ Xml │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ DBus_Attribution_libdbus-1-hea… │ dbus │ LIBRARY │ TheQtCompany │ AFL-2.1 OR GPL-2.0-or-later │
│ DBus │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ uic │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ qdbuscpp2xml │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ qdbusxml2cpp │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ qlalr │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ qvkgen │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ qtpaths │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ androiddeployqt │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ androidtestrunner │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ macdeployqt │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ Gui_Attribution_rhi-miniengine… │ 0aa79bad78992da0b6a8279ddb9002… │ LIBRARY │ TheQtCompany │ MIT │
│ Gui_Attribution_opengl-headers │ Revision 27684 │ LIBRARY │ TheQtCompany │ MIT │
│ Gui_Attribution_opengl-es2-hea… │ Revision 27673 │ LIBRARY │ TheQtCompany │ MIT │
│ Gui_Attribution_grayraster │ unknown │ LIBRARY │ TheQtCompany │ FTL OR GPL-2.0-only │
│ Gui_Attribution_smooth-scaling… │ unknown │ LIBRARY │ TheQtCompany │ BSD-2-Clause AND Imlib2 │
│ Gui_Attribution_xserverhelper │ unknown │ LIBRARY │ TheQtCompany │ X11 AND HPND │
│ Gui_Attribution_aglfn │ 1.7 │ LIBRARY │ TheQtCompany │ BSD-3-Clause │
│ Gui_Attribution_VulkanMemoryAl… │ 3.1.0 │ LIBRARY │ TheQtCompany │ MIT │
│ Gui_Attribution_icc-sRGB-color… │ unknown │ LIBRARY │ TheQtCompany │ LicenseRef-ICC-License │
│ Gui_Attribution_md4c │ 0.5.2 │ LIBRARY │ TheQtCompany │ MIT │
│ Gui │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ ExampleIconsPrivate │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ ExamplesAssetDownloaderPrivate │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ OpenGL │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ Widgets │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ OpenGLWidgets │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ DeviceDiscoverySupportPrivate │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ FbSupportPrivate │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ Test_Attribution_valgrind │ 3.22.0 │ LIBRARY │ TheQtCompany │ BSD-4-Clause │
│ Test_Attribution_cycle │ unknown │ LIBRARY │ TheQtCompany │ MIT │
│ Test_Attribution_linuxperf │ 3.7 │ LIBRARY │ TheQtCompany │ GPL-2.0-only WITH │
│ │ │ │ │ Linux-syscall-note │
│ Test │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ PrintSupport │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QSQLiteDriverPlugin_Attributio… │ 3.46.0 │ LIBRARY │ TheQtCompany │ blessing │
│ QSQLiteDriverPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QMinimalIntegrationPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QOffscreenIntegrationPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QCocoaIntegrationPlugin_Attrib… │ unknown │ LIBRARY │ TheQtCompany │ BSD-3-Clause │
│ QCocoaIntegrationPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QICOPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QJpegPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QGifPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QTuioTouchPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QMacStylePlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QSCNetworkReachabilityNetworkI… │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QSecureTransportBackendPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QTlsBackendCertOnlyPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ QtLibraryInfo │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ LGPL-3.0-only OR GPL-2.0-only OR │
│ │ │ │ │ GPL-3.0-only │
│ qmake │ 6.9.0 │ APPLICATION │ TheQtCompany │ LicenseRef-Qt-Commercial OR │
│ │ │ │ │ GPL-3.0-only WITH │
│ │ │ │ │ Qt-GPL-exception-1.0 │
│ WrapZLIB │ 1.2.12 │ LIBRARY │ Anonymous │ NOASSERTION │
│ WrapBacktrace │ unknown │ LIBRARY │ Anonymous │ NOASSERTION │
│ WrapRt │ unknown │ LIBRARY │ Anonymous │ NOASSERTION │
│ WrapAtomic │ unknown │ LIBRARY │ Anonymous │ NOASSERTION │
│ WrapResolv │ unknown │ LIBRARY │ Anonymous │ NOASSERTION │
│ GSSAPI │ unknown │ LIBRARY │ Anonymous │ NOASSERTION │
│ Cups │ unknown │ LIBRARY │ Anonymous │ NOASSERTION │
└─────────────────────────────────┴─────────────────────────────────┴─────────────┴──────────────┴──────────────────────────────────┘
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Name ┃ Version ┃ Ecosystem ┃ Download ┃ Copyright ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ AppleClang │ 15.0.0.15000100 │ - │ NOT KNOWN │ NOASSERTION │
│ qtbase │ 84c2bf3fe0c+dev+dirty │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ GlobalConfigPrivate │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ Platform │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ PlatformCommonInternal │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ PlatformModuleInternal │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ PlatformPluginInternal │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ PlatformAppInternal │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ PlatformToolInternal │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ Bootstrap_Attribution_pcre2 │ 10.44 │ generic │ https://github.com/PCRE2Pr… │ Copyright (c) 1997-2024 │
│ │ │ │ │ University of Cambridge │
│ Bootstrap_Attribution_pcre… │ 10.44 │ generic │ https://github.com/PCRE2Pr… │ Copyright (c) 2009-2024 │
│ │ │ │ │ Zoltan Herczeg │
│ Bootstrap │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ moc │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2013 Olivier │
│ │ │ │ │ Goffart │
│ │ │ │ │ <ogoffart@woboq.com> │
│ rcc │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ tracepointgen │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ tracegen │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ cmake_automoc_parser │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ BundledPcre2_Attribution_p… │ 10.44 │ generic │ https://github.com/PCRE2Pr… │ Copyright (c) 2009-2024 │
│ │ │ │ │ Zoltan Herczeg │
│ BundledPcre2 │ 10.44 │ generic │ https://github.com/PCRE2Pr… │ Copyright (c) 1997-2024 │
│ │ │ │ │ University of Cambridge │
│ Core_Attribution_unicode-c… │ 30 │ generic │ https://www.unicode.org/uc… │ Copyright (C) 1991-2022 │
│ │ │ │ │ Unicode, Inc. │
│ Core_Attribution_unicode-c… │ v44.1 │ generic │ https://cldr.unicode.org/ │ Copyright (C) 2004-2023 │
│ │ │ │ │ Unicode, Inc. │
│ Core_Attribution_siphash │ unknown │ generic │ https://raw.githubusercont… │ (C) 2012-2014 Jean-Philippe │
│ │ │ │ │ Aumasson, (C) 2012-2014 │
│ │ │ │ │ Daniel J. Bernstein │
│ │ │ │ │ <djb@cr.yp.to> │
│ Core_Attribution_blake2 │ 54f4faa4c16ea34bcd59d16e8d… │ generic │ https://github.com/BLAKE2/… │ Copyright 2012, Samuel │
│ │ │ │ │ Neves <sneves@dei.uc.pt> │
│ Core_Attribution_md4 │ unknown │ generic │ NOT KNOWN │ Written by Alexander │
│ │ │ │ │ Peslyak - better known as │
│ │ │ │ │ Solar Designer │
│ │ │ │ │ <solar@openwall.com> - in │
│ │ │ │ │ 2001, and placed in the │
│ │ │ │ │ public domain. There's │
│ │ │ │ │ absolutely no warranty. │
│ Core_Attribution_md5 │ unknown │ generic │ NOT KNOWN │ Written by Colin Plumb in │
│ │ │ │ │ 1993, no copyright is │
│ │ │ │ │ claimed. Ian Jackson │
│ │ │ │ │ <ian@chiark.greenend.org.u… │
│ Core_Attribution_sha1 │ unknown │ generic │ http://www.dominik-reichl.… │ Copyright (C) Dominik │
│ │ │ │ │ Reichl │
│ │ │ │ │ <dominik.reichl@t-online.d… │
│ Core_Attribution_sha3_endi… │ https://github.com/BrianGl… │ generic │ NOT KNOWN │ Copyright (c) 1998-2013, │
│ │ commit │ │ │ Brian Gladman, Worcester, │
│ │ 4b9e13ead2c5b5e41ca27c65de… │ │ │ UK. All rights reserved. │
│ Core_Attribution_sha3_kecc… │ 3.2 │ generic │ NOT KNOWN │ Guido Bertoni, Joan Daemen, │
│ │ │ │ │ Michaël Peeters and Gilles │
│ │ │ │ │ Van Assche. │
│ Core_Attribution_rfc6234 │ unknown │ generic │ NOT KNOWN │ Copyright (c) 2011 IETF │
│ │ │ │ │ Trust and the persons │
│ │ │ │ │ identified as authors of │
│ │ │ │ │ the code. │
│ Core_Attribution_tinycbor │ 0.6.0 │ generic │ https://github.com/intel/t… │ Copyright (C) 2015-2021 │
│ │ │ │ │ Intel Corporation │
│ Core_Attribution_qeventdis… │ unknown │ generic │ NOT KNOWN │ Copyright (c) 2007-2008, │
│ │ │ │ │ Apple, Inc. │
│ Core_Attribution_doublecon… │ 3.3.0 │ generic │ https://github.com/google/… │ Copyright 2006-2012, the V8 │
│ │ │ │ │ project authors │
│ Core_Attribution_easing │ unknown │ generic │ http://robertpenner.com/ea… │ Copyright (c) 2001 Robert │
│ │ │ │ │ Penner │
│ Core_Attribution_forkfd │ unknown │ generic │ NOT KNOWN │ Copyright (C) 2016 Intel │
│ │ │ │ │ Corporation │
│ Core │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QDarwinCameraPermissionPlu… │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QDarwinMicrophonePermissio… │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QDarwinBluetoothPermission… │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QDarwinContactsPermissionP… │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QDarwinCalendarPermissionP… │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QDarwinLocationPermissionP… │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ BundledLibpng │ 1.6.43 │ generic │ https://download.sourcefor… │ Copyright (c) 1995-2024 The │
│ │ │ │ │ PNG Reference Library │
│ │ │ │ │ Authors │
│ PngPrivate_Attribution_lib… │ 1.6.43 │ generic │ https://download.sourcefor… │ Copyright (c) 1995-2024 The │
│ │ │ │ │ PNG Reference Library │
│ │ │ │ │ Authors │
│ PngPrivate │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ BundledLibjpeg16bits │ 3.0.3 │ generic │ https://github.com/libjpeg… │ Copyright (C) 2009-2024 D. │
│ │ │ │ │ R. Commander │
│ BundledLibjpeg12bits │ 3.0.3 │ generic │ https://github.com/libjpeg… │ Copyright (C) 2009-2024 D. │
│ │ │ │ │ R. Commander │
│ BundledLibjpeg │ 3.0.3 │ generic │ https://github.com/libjpeg… │ Copyright (C) 2009-2024 D. │
│ │ │ │ │ R. Commander │
│ JpegPrivate_Attribution_li… │ 3.0.3 │ generic │ https://github.com/libjpeg… │ Copyright (C) 2009-2024 D. │
│ │ │ │ │ R. Commander │
│ JpegPrivate │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ BundledFreetype_Attributio… │ 2.13.2 │ generic │ https://download.savannah.… │ Copyright (C) 1995-2022 │
│ │ │ │ │ Jean-loup Gailly and Mark │
│ │ │ │ │ Adler │
│ BundledFreetype_Attributio… │ 2.13.2 │ generic │ https://download.savannah.… │ Copyright (c) 2000 │
│ │ │ │ │ Computing Research Labs, │
│ │ │ │ │ New Mexico State University │
│ BundledFreetype_Attributio… │ 2.13.2 │ generic │ https://download.savannah.… │ Copyright (c) 2001, 2012 │
│ │ │ │ │ David Turner, Robert │
│ │ │ │ │ Wilhelm, and Werner Lemberg │
│ BundledFreetype │ 2.13.2 │ generic │ https://download.savannah.… │ Copyright (c) 2007-2014 │
│ │ │ │ │ Adobe Systems Incorporated │
│ FreetypePrivate_Attributio… │ 2.13.2 │ generic │ https://download.savannah.… │ Copyright (c) 2007-2014 │
│ │ │ │ │ Adobe Systems Incorporated │
│ FreetypePrivate_Attributio… │ unknown │ generic │ http://www.freetype.org │ Copyright (C) 1995-2022 │
│ │ │ │ │ Jean-loup Gailly and Mark │
│ │ │ │ │ Adler │
│ FreetypePrivate_Attributio… │ unknown │ generic │ http://www.freetype.org │ Copyright (c) 2000 │
│ │ │ │ │ Computing Research Labs, │
│ │ │ │ │ New Mexico State University │
│ FreetypePrivate_Attributio… │ unknown │ generic │ http://www.freetype.org │ Copyright (c) 2001, 2012 │
│ │ │ │ │ David Turner, Robert │
│ │ │ │ │ Wilhelm, and Werner Lemberg │
│ FreetypePrivate │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ BundledHarfbuzz │ 8.5.0 │ generic │ https://github.com/harfbuz… │ Copyright © 2010-2022 │
│ │ │ │ │ Google, Inc. │
│ HarfbuzzPrivate_Attributio… │ 8.5.0 │ generic │ https://github.com/harfbuz… │ Copyright © 2010-2022 │
│ │ │ │ │ Google, Inc. │
│ HarfbuzzPrivate │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ Concurrent │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ Sql │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ Network_Attribution_psl-da… │ 903a83ff7bfc3148e3692e0939… │ generic │ https://publicsuffix.org/l… │ The list was originally │
│ │ fetched on 2024 │ │ │ provided by Jo Hermans │
│ │ │ │ │ <jo.hermans@gmail.com>. │
│ Network_Attribution_libpsl │ 664f3dc85259ec65e30248a61f… │ generic │ https://github.com/rockdab… │ Copyright 2014-2016 The │
│ │ │ │ │ Chromium Authors. All │
│ │ │ │ │ rights reserved. │
│ Network │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ Xml │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ DBus_Attribution_libdbus-1… │ dbus │ generic │ https://www.freedesktop.or… │ Copyright (C) 2002, 2003 │
│ │ │ │ │ CodeFactory AB │
│ DBus │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ uic │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ qdbuscpp2xml │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ qdbusxml2cpp │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ qlalr │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ qvkgen │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ qtpaths │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ androiddeployqt │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ androidtestrunner │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ macdeployqt │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ Gui_Attribution_rhi-minien… │ 0aa79bad78992da0b6a8279ddb… │ generic │ https://github.com/microso… │ Copyright (c) 2015 │
│ │ │ │ │ Microsoft │
│ Gui_Attribution_opengl-hea… │ Revision 27684 │ generic │ https://www.khronos.org/ │ Copyright (c) 2013-2014 The │
│ │ │ │ │ Khronos Group Inc. │
│ Gui_Attribution_opengl-es2… │ Revision 27673 │ generic │ https://www.khronos.org/ │ Copyright (c) 2013-2014 The │
│ │ │ │ │ Khronos Group Inc. │
│ Gui_Attribution_grayraster │ unknown │ generic │ http://www.freetype.org │ Copyright 2000-2016 by │
│ │ │ │ │ David Turner, Robert │
│ │ │ │ │ Wilhelm, and Werner │
│ │ │ │ │ Lemberg. │
│ Gui_Attribution_smooth-sca… │ unknown │ generic │ NOT KNOWN │ Copyright (C) 2004, 2005 │
│ │ │ │ │ Daniel M. Duley. │
│ Gui_Attribution_xserverhel… │ unknown │ generic │ https://www.x.org/ │ Copyright (c) 1987, 1988 X │
│ │ │ │ │ Consortium │
│ Gui_Attribution_aglfn │ 1.7 │ generic │ https://github.com/adobe-t… │ Copyright 2002, 2003, 2005, │
│ │ │ │ │ 2006, 2008, 2010, 2015 │
│ │ │ │ │ Adobe Systems │
│ Gui_Attribution_VulkanMemo… │ 3.1.0 │ generic │ https://github.com/GPUOpen… │ Copyright (c) 2017-2024 │
│ │ │ │ │ Advanced Micro Devices, │
│ │ │ │ │ Inc. All rights reserved. │
│ Gui_Attribution_icc-sRGB-c… │ unknown │ generic │ http://www.color.org/ │ Copyright International │
│ │ │ │ │ Color Consortium, 2015 │
│ Gui_Attribution_md4c │ 0.5.2 │ generic │ https://github.com/mity/md… │ Copyright © 2016-2024 │
│ │ │ │ │ Martin Mitáš │
│ Gui │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ ExampleIconsPrivate │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ ExamplesAssetDownloaderPri… │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ OpenGL │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ Widgets │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ OpenGLWidgets │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ DeviceDiscoverySupportPriv… │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ FbSupportPrivate │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ Test_Attribution_valgrind │ 3.22.0 │ generic │ http://valgrind.org/ │ Copyright (C) 2000-2017 │
│ │ │ │ │ Julian Seward │
│ Test_Attribution_cycle │ unknown │ generic │ NOT KNOWN │ Copyright (c) 2003, 2006 │
│ │ │ │ │ Matteo Frigo │
│ Test_Attribution_linuxperf │ 3.7 │ generic │ https://www.kernel.org │ Copyright (C) 2008-2009, │
│ │ │ │ │ Thomas Gleixner │
│ │ │ │ │ <tglx@linutronix.de> │
│ Test │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ PrintSupport │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QSQLiteDriverPlugin_Attrib… │ 3.46.0 │ generic │ https://www.sqlite.org/202… │ The authors disclaim │
│ │ │ │ │ copyright to the source │
│ │ │ │ │ code. However, a license │
│ │ │ │ │ can be obtained if needed. │
│ QSQLiteDriverPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QMinimalIntegrationPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QOffscreenIntegrationPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QCocoaIntegrationPlugin_At… │ unknown │ generic │ NOT KNOWN │ Copyright (c) 2007-2008, │
│ │ │ │ │ Apple, Inc. │
│ QCocoaIntegrationPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QICOPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QJpegPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QGifPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QTuioTouchPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QMacStylePlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QSCNetworkReachabilityNetw… │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QSecureTransportBackendPlu… │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QTlsBackendCertOnlyPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QtLibraryInfo │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ qmake │ 6.9.0 │ generic │ git://code.qt.io/qt/qtbase… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ WrapZLIB │ 1.2.12 │ - │ https://github.com/madler/… │ NOASSERTION │
│ WrapBacktrace │ unknown │ - │ NOT KNOWN │ NOASSERTION │
│ WrapRt │ unknown │ - │ NOT KNOWN │ NOASSERTION │
│ WrapAtomic │ unknown │ - │ NOT KNOWN │ NOASSERTION │
│ WrapResolv │ unknown │ - │ NOT KNOWN │ NOASSERTION │
│ GSSAPI │ unknown │ - │ NOT KNOWN │ NOASSERTION │
│ Cups │ unknown │ - │ NOT KNOWN │ NOASSERTION │
└─────────────────────────────┴─────────────────────────────┴───────────┴─────────────────────────────┴─────────────────────────────┘
╭────────────────────────╮
│ Component Type Summary │
╰────────────────────────╯
┏━━━━━━━━━━━━━┳━━━━━━━┓
┃ Type ┃ Count ┃
┡━━━━━━━━━━━━━╇━━━━━━━┩
│ APPLICATION │ 16 │
│ LIBRARY │ 108 │
└─────────────┴───────┘
╭─────────────────╮
│ License Summary │
╰─────────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┓
┃ License ┃ Count ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━┩
│ AFL-2.1 OR GPL-2.0-or-later │ 1 │
│ BSD-2-Clause │ 3 │
│ BSD-2-Clause AND Imlib2 │ 1 │
│ BSD-3-Clause │ 7 │
│ BSD-4-Clause │ 1 │
│ CC0-1.0 │ 4 │
│ CC0-1.0 OR Apache-2.0 │ 1 │
│ FTL OR GPL-2.0-only │ 4 │
│ GPL-2.0-only WITH Linux-syscall-note │ 1 │
│ IJG AND BSD-3-Clause │ 5 │
│ Libpng AND libpng-2.0 │ 3 │
│ LicenseRef-BSD-3-Clause-with-PCRE2-Binary-Like-Packages-Exception │ 2 │
│ LicenseRef-ICC-License │ 1 │
│ LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0 │ 30 │
│ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only │ 81 │
│ LicenseRef-SHA1-Public-Domain │ 1 │
│ MIT │ 12 │
│ MIT AND MIT-open-group │ 2 │
│ MPL-2.0 │ 1 │
│ NOASSERTION │ 9 │
│ Unicode-3.0 │ 1 │
│ Unicode-DFS-2016 │ 1 │
│ X11 AND HPND │ 1 │
│ Zlib │ 2 │
│ blessing │ 1 │
└───────────────────────────────────────────────────────────────────────────┴───────┘
╭──────────────────╮
│ Supplier Summary │
╰──────────────────╯
┏━━━━━━━━━━━━━━┳━━━━━━━┓
┃ Supplier ┃ Count ┃
┡━━━━━━━━━━━━━━╇━━━━━━━┩
│ Anonymous │ 8 │
│ TheQtCompany │ 116 │
└──────────────┴───────┘
╭──────────────╮
│ NTIA Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┓
┃ Element ┃ Status ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━┩
│ All file information provided? │ True │
│ All package information provided? │ True │
│ Creator identified? │ True │
│ Creation time identified? │ True │
│ Dependency relationships provided? │ True │
└────────────────────────────────────┴────────┘
NTIA conformant True
-- Auditing SBOM: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtbase-6.9.0.spdx
╭─────────────────────╮
│ SBOM Format Summary │
╰─────────────────────╯
[x] Valid SBOM Format
╭──────────────╮
│ File Summary │
╰──────────────╯
[x] File Summary
╭─────────────────╮
│ Package Summary │
╰─────────────────╯
[ ] License included for package AppleClang: MISSING
[ ] CPE name included for package AppleClang: MISSING
[ ] License included for package qtbase: MISSING
[ ] License included for package WrapZLIB: MISSING
[ ] License included for package WrapBacktrace: MISSING
[ ] License included for package WrapRt: MISSING
[ ] License included for package WrapAtomic: MISSING
[ ] License included for package WrapResolv: MISSING
[ ] License included for package GSSAPI: MISSING
[ ] License included for package Cups: MISSING
╭───────────────────────╮
│ Relationships Summary │
╰───────────────────────╯
[x] Relationships Summary
╭──────────────╮
│ NTIA Summary │
╰──────────────╯
[x] NTIA Summary
╭────────────────────╮
│ SBOM Audit Summary │
╰────────────────────╯
[x] Checks passed 877
[x] Checks failed 10
[x] Policy checks passed 0
[x] Policy checks failed 0
Implementation design
Overview
The bulk of the implementation was done in https://codereview.qt-project.org/c/qt/qtbase/+/546923/130
The implementation can be conceptually divided into three parts: recording SBOM information, processing that information, and writing the processed information out to a file.
Recording is started when _qt_internal_sbom_begin_project is called.
Generation starts when _qt_internal_sbom_end_project is called.
Target SBOM info recording and processing happens when one of the following commands is called:
- qt_internal_add_module
- qt_internal_add_plugin
- qt_internal_add_tool
- qt_internal_add_app
- qt_internal_add_3rdparty_library
- qt_internal_extend_target
- qt_internal_add_sbom
- qt_internal_extend_sbom
- qt_internal_sbom_add_license
- qt_find_package_extend_sbom
Aside from processing the information that targets were annotated with via options such as LICENSE_EXPRESSION, COPYRIGHTS, etc., the build performs the following actions (in no particular order):
- parsing of qt_attribution.json files
- creating a separate SPDX package for each qt_attribution.json entry, because one package can only describe one version of a component
- git information extraction (hash, tag, etc.)
- various verification and audit steps, as well as conversion of the SPDX document to JSON
- entity classification (qt module vs plugin vs 3rd party source, etc.)
- dependency handling (which target depends on which other targets, and transforming that into SPDX relationships)
- special logic to handle system dependencies, due to the nature of FindFoo.cmake modules and their repeated lookup in each project configuration
- multi-config-aware file handling
- adding generated-from-source file information
- adding custom licenses that are not known to SPDX
- recording the SPDX id of the various targets, to be able to refer to them across external documents
- CPE computation
- license expression handling
System library processing
Unlike most regular entity types, such as qt modules and bundled 3rd party libraries, system libraries needed special handling logic.
Some of the differences between the two:
- regular targets are exported and installed in FooTargets.cmake files only once.
- system library targets are looked up via find_package(Foo) -> FindFoo.cmake files multiple times (especially in static builds)
- regular targets can have SPDX information exported in the FooTargets.cmake files
- system library targets are not exported, so it's not possible to directly record the SBOM information once and preserve it for subsequent lookups
- regular targets usually have a one-to-one relationship between a CMake package component and a main target
- system library packages can have multiple components and thus multiple targets, where each find_package lookup might bring one or more targets into scope
- in the context of a Qt build, regular targets don't get globally promoted
- system library targets are sometimes globally promoted and sometimes not
- regular targets have their SBOM processed at the end of the directory scope they are created in, e.g. src/corelib for the Core target.
- system libraries have their SBOM processed at the end of repo processing, when _qt_internal_sbom_end_project is called
To accommodate this complexity, the following happens:
- each qt_find_package and _qt_internal_find_third_party_dependencies call records the package name, the provided targets and the SBOM options, together with the list of looked-up COMPONENTS, in global properties
- system library SPDX id creation is delayed until _qt_internal_sbom_begin_project is called, because find_package() calls in repos like qtdeclarative would have happened before SBOM processing begins, and we need to wait until repo-specific SBOM information is available
- each time a regular target is processed for SBOM info extraction, we walk its dependencies to find linked system library targets and record them as "consumed". We do this to ensure we only generate SBOM info for system libraries that are actually used, and not for every one that qt_find_package was called for.
- at the end of repo processing we call _qt_internal_sbom_add_recorded_system_libraries to go through the consumed system library targets, correlate them with the recorded ones, and finally create an SBOM package for each one.
Currently, aside from the initial version that was found for the first call of find_package(systemlibrary), we don't persist other SBOM information for further lookups when configuring other repositories. This will have to be improved in a future change.
Bundled or system library processing
Qt ships a few FindWrapFoo.cmake scripts that choose whether to link to a bundled library or a system library based on a qt feature value.
Some of these are: FindWrapZLIB, FindWrapPNG, FindWrapPCRE2, etc.
For SBOM purposes, we need to distinguish which one, the bundled or system library, will be linked.
We do that in _qt_internal_sbom_handle_target_dependencies by walking over the dependencies, and trying to detect a bundled library by checking if any exposed target has the _qt_module_is_3rdparty_library property set.
If it is set, we consider that we link to the bundled library. Otherwise we consider that we link to the system library.
Generation and installation
Generation of the SBOM happens at CMake install time, after installation of all binary files.
This is because the SBOM will contain the SHA1 checksums for each installed file, and to get those, we first need to install the files.
Each time a target is SBOM-processed, the build system generates a file using file(GENERATE) which will append to a staging spdx file in the build dir with all relevant SBOM information for that particular target.
These intermediary file paths are collected in a global cmake property. Once repo processing ends, the build system generates a final file that will include all the intermediary ones.
The final generated file is then added as an install script using an install(SCRIPT) call.
In cross-config multi-config builds, some additional logic is used to generate separate intermediate files for each config and include them in a way that doesn't cause conflicts or overrides.
Because CMake does not provide a way to tell when a particular config has started or finished installing, we don't have enough information to know when all debug-and-release files have finished installing, which we need in order to safely start generating the SBOM and reading the checksums.
To work around this, we use install-config-specific marker files, and check for them to detect whether all configs have been installed before starting SBOM generation.
For top-level builds / super builds, most things stay the same, except we clear out all the repo-specific global properties, to ensure a clean slate for the generation of the next repo SBOM. There is also some additional logic used for handling external document references, and for cross-repo target dependency handling to link to the proper external document.
Note that there are some internal sbom targets that can be run by ninja at build time, rather than install time, but those are not usable for production because they are missing checksums (nothing has been installed, after all). These are only meant for debugging purposes.
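The install-time generation described above exists so that every file entry in the SPDX document carries a checksum of the installed file, and the build-time debug targets lack exactly that. The following added example (not Qt's own code) parses a SPDX tag-value SBOM, re-derives each FileChecksum SHA1 from the install prefix, and flags mismatches, absent files and entries with no checksum; it assumes FileName values are prefix-relative paths with a leading "./", and the SPDX IDs and sample files in it are constructed.

```python
"""Verify a Qt-style SPDX tag-value SBOM against the install tree it describes.

Added example, not Qt's own code. Qt writes the SBOM at install time so that each
FileName entry carries a FileChecksum (SHA1) of the installed file; this re-derives
the checksums from the install prefix and flags tampered files, absent files and
entries with no checksum at all (what the page's build-time debug targets emit).
Assumption (not from the page): FileName values are paths relative to the install
prefix with a leading "./", the SPDX tag-value convention.
"""
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

_TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")  # "Tag: value" line of a tag-value document

@dataclass
class FileEntry:
    name: str
    checksums: dict[str, str] = field(default_factory=dict)  # algorithm -> hex digest

def parse_spdx_files(text: str) -> list[FileEntry]:
    """Collect file sections: from a FileName tag up to the next FileName/PackageName tag."""
    entries: list[FileEntry] = []
    current: FileEntry | None = None
    in_text = False  # inside a multi-line <text>...</text> value (comments, license text)
    for raw in text.splitlines():
        if in_text:  # skip until the closing tag so a colon inside a comment is not a tag
            in_text = "</text>" not in raw
            continue
        m = _TAG_RE.match(raw.strip())
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if value.startswith("<text>") and "</text>" not in value:
            in_text = True
        if tag == "FileName":
            current = FileEntry(name=value)
            entries.append(current)
        elif tag == "PackageName":
            current = None  # back in package metadata; following tags belong to the package
        elif current is not None and tag == "FileChecksum":
            algo, _, digest = value.partition(":")  # value looks like "SHA1: <hex>"
            current.checksums[algo.strip().upper()] = digest.strip().lower()
    return entries

def sha1_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha1(f.read()).hexdigest()

def verify_install_tree(text: str, prefix: str) -> dict[str, list[str]]:
    """Bucket every SBOM file entry as ok / mismatch / missing_file / no_checksum."""
    report: dict[str, list[str]] = {k: [] for k in ("ok", "mismatch", "missing_file", "no_checksum")}
    for entry in parse_spdx_files(text):
        rel = entry.name[2:] if entry.name.startswith("./") else entry.name
        path = os.path.join(prefix, rel)
        expected = entry.checksums.get("SHA1")
        if expected is None:
            report["no_checksum"].append(entry.name)  # what a build-time SBOM target yields
        elif not os.path.isfile(path):
            report["missing_file"].append(entry.name)
        elif sha1_of(path) != expected:
            report["mismatch"].append(entry.name)  # installed file differs from what was recorded
        else:
            report["ok"].append(entry.name)
    return report

def demo() -> dict[str, list[str]]:
    """Run the check on a constructed install prefix and a constructed SBOM document."""
    prefix = tempfile.mkdtemp(prefix="qt-sbom-demo-")
    os.makedirs(os.path.join(prefix, "lib"))
    good = os.path.join(prefix, "lib", "libQt6Core.so")
    with open(good, "wb") as f:
        f.write(b"constructed stand-in for an installed Qt library\n")
    with open(os.path.join(prefix, "lib", "libQt6Network.so"), "wb") as f:
        f.write(b"contents changed after the SBOM was generated\n")
    sbom = (  # constructed document; the SPDX IDs are placeholders, not Qt's real ones
        "SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\n"
        "PackageName: Core\nSPDXID: SPDXRef-Package-Core\nPackageVersion: 6.9.0\n"
        "FileName: ./lib/libQt6Core.so\nSPDXID: SPDXRef-File-Core\n"
        f"FileChecksum: SHA1: {sha1_of(good)}\n"
        "FileName: ./lib/libQt6Network.so\nSPDXID: SPDXRef-File-Network\n"
        "FileChecksum: SHA1: 0000000000000000000000000000000000000000\n"
        "FileName: ./lib/libQt6Gui.so\nSPDXID: SPDXRef-File-Gui\n"
        "FileChecksum: SHA1: ffffffffffffffffffffffffffffffffffffffff\n"
        "FileName: ./bin/moc\nSPDXID: SPDXRef-File-moc\n"
        "FileComment: <text>Written by a build-time debug target:\n"
        "nothing was installed yet, so no checksum.</text>\n"
    )
    return verify_install_tree(sbom, prefix)
```

Running `demo()` yields one entry in each bucket; in a release pipeline, anything outside `ok` is a reason to reject the install tree or regenerate the SBOM at install time.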