SBOM
Qt Software Bill of Materials (SBOM)
Starting with Qt 6.8, when building Qt, the build system can generate and install an SBOM in the SPDX 2.3 format.
A SPDX SBOM document contains the following kinds of information: installed files checksums, copyrights, licenses, dependency versions, urls, git commits, etc.
Each built repository (qtbase, qtsvg) will install a separate SPDX document, e.g. $qt_prefix/sbom/qtbase-6.8.0.spdx, qsvg-6.8.0.spdx, etc.
To generate and install an SBOM, pass -sbom to configure. The argument needs to be passed to each separately configured repository.
$ ../qtbase-source-dir/configure -prefix /opt/qt6 -sbom
# or
$ /opt/qt6/bin/qt-configure-module ../qtsvg -sbom
# or
$ cmake path/to/qt/repo -DQT_GENERATE_SBOM=ON
The sbom files will then be generated and installed during regular installation, but can also be explicitly installed by specifying a cmake installation component.
$ ninja install
# or
$ cmake --install . --component sbom
# -- Starting SBOM generation in build dir: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/qtsvg/qt_sbom/staging-qtsvg.spdx.in
# -- Finalizing SBOM generation in install dir: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtsvg-6.9.0.spdx
Note that because the document contains checksums of installed files, all files need to be installed first to generate a valid document.
Mapping of SPDX concepts to CMake
The general structure of a SPDX document is the following:
- a document contains document metadata and packages
- a package contains package metadata and files
- a file contains file metadata
- a package can have various kinds of relationships to other packages
- a package can depend on another package either in the current document or in a referenced external document
- a file can have various kind of relationships to other files
In Qt's build system, we have multiple 'entity' types that map to a SPDX package:
- qt module (Gui)
- qt plugin (platform plugin)
- qt tool (moc)
- qt app (Designer)
- 3rd party bundled code (pcre)
- system library dependencies (openssl)
Each of these can then have zero or more SPDX file references.
In a -debug-and-release build there would be a libQt6Gui.dll and libQt6Gui_debug.dll file.
For system libraries, there are no file references, because a SPDX document can only refer to an installed file.
Because system libraries are usually looked up each time a project is configured, the path would always be different, so we can't record such file metadata.
Almost all SPDX packages are backed by a cmake target.
Maintainer Knowledge
As a Qt maintainer, there are a few things you should know and take care of.
The licensing of the qt modules, plugins, tools, apps.
Qt Licensing
The default license of qt modules is LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only. And for tools and apps it is usually LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0
If that is not the case for the repo you are maintaining, make sure to explicitly specify a different license either per target, or per subdirectory, or per repo.
To do it per target, specify the QT_LICENSE_ID option to qt_internal_add_module / plugin / tool / extend_target with a value that _qt_internal_sbom_get_spdx_license_expression understands.
qt_internal_add_module(WebEngine
...
QT_LICENSE_ID QT_COMMERCIAL_OR_LGPL3
)
To do it per subdirectory or repo, set the QT_SBOM_DEFAULT_QT_LICENSE_ID_LIBRARIES and QT_SBOM_DEFAULT_QT_LICENSE_ID_EXECUTABLES variables to one of the values that _qt_internal_sbom_get_spdx_license_expression understands.
Example: https://codereview.qt-project.org/c/qt/qtquick3dphysics/+/569239
Bundled / vendored 3rd party sources
Qt uses various 3rd party sources that are usually located in src/3rdparty, but sometimes they are part of module sources.
We need to make sure the SBOM generation process knows about them for compliance reasons.
The easiest way to annotate these is with one or more qt_attribution.json files.
For 3rd party libraries created with qt_internal_add_3rdparty_library, as long as the CMakeLists.txt is next to the qt_attribution.json file, you don't need to do anything.
In case if the attribution file is in a different location, make sure to specify all relevant attribution files via the ATTRIBUTION_FILE_DIR_PATHS option to qt_internal_add_module / plugin / tool / extend_target .
qt_internal_add_module(Core
ATTRIBUTION_FILE_DIR_PATHS
text
tools
../3rdparty/blake2
../3rdparty/md4
../3rdparty/md5
../3rdparty/sha1
../3rdparty/sha3
../3rdparty/rfc6234
../3rdparty/tinycbor
)
qt_internal_extend_target(Network CONDITION NOT QT_FEATURE_system_zlib
INCLUDE_DIRECTORIES
../3rdparty/zlib/src
ATTRIBUTION_FILE_DIR_PATHS
../3rdparty/zlib
../3rdparty/some-random-ssl-lib
)
qt_internal_add_3rdparty_library(BundledPcre2
ATTRIBUTION_FILE_DIR_PATHS
../3rdparty/pcre
)
Various examples:
- https://codereview.qt-project.org/c/qt/qtbase/+/564427
- https://codereview.qt-project.org/c/qt/qtwayland/+/569252
- https://codereview.qt-project.org/c/qt/qtmultimedia/+/562057
In case if some information needs to be recorded for a target without a qt_attribution.json file, and for whatever reason creating one is not desired, you can use specify SBOM-related options that qt_internal_add_module / plugin / tool / extend_target understand.
The full list can be found in _qt_internal_get_sbom_add_target_common_options and
qt_internal_extend_target(BundledZlib CONDITION NOT QT_FEATURE_system_zlib
# flags
NO_CURRENT_DIR_ATTRIBUTION
NO_ATTRIBUTION_LICENSE_ID
NO_DEFAULT_QT_LICENSE
NO_DEFAULT_QT_LICENSE_ID_LIBRARIES
NO_DEFAULT_QT_LICENSE_ID_EXECUTABLES
NO_DEFAULT_DIRECTORY_QT_LICENSE
NO_DEFAULT_QT_COPYRIGHTS
NO_DEFAULT_QT_PACKAGE_VERSION
NO_DEFAULT_QT_SUPPLIER
# single value options
PACKAGE_VERSION "1.2.4"
FRIENDLY_PACKAGE_NAME "FancyierZlib"
CPE_VENDOR "zlib"
CPE_PRODUCT "zlib"
LICENSE_EXPRESSION MIT OR BSD-3-Clause
QT_LICENSE_ID QT_COMMERCIAL_OR_BSD3
DOWNLOAD_LOCATION "https://github.com/madler/zlib"
ATTRIBUTION_ENTRY_INDEX 5
# multi value options
COPYRIGHTS
"Copyright company 1"
"Copyright company 1"
CPE
"cpe:2.3:o:arm:arm:-:*:*:*:*:*:*:*"
"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"
SBOM_DEPENDENCIES
Qt6::Core
Qt6::Gui
WrapOpenSSL::WrapOpenSSL
ATTRIBUTION_FILE_PATHS
../3rdparty/zlib1/qt_attribution.json
../3rdparty/zlib2/qt_attribution.json
ATTRIBUTION_FILE_DIR_PATHS
../3rdparty/zlib3
../3rdparty/zlib4
)
Viewing and validating SBOM SDPX documents
The generated SPDX documents use a tag:value system for representing their information and can be read by any text editor.
But a document might contain a lot of information, and it's hard to check whether there are any issues or anything is missing.
There are third party python packages that can help visualize and validate the documents.
The qt build system can automatically use them to show the document content after generation and do appropriate validation.
Make sure you have Python 3.9+ installed and install the following python packages:
$ pip install spdx-tools ntia-conformance-checker sbomaudit sbom2doc
Then, configure qt or a qt repo using:
$ ../qtbase-source-dir/configure -prefix /opt/qt6 -sbom -- -DQT_INTERNAL_NO_SBOM_FIND_PYTHON_FRAMEWORK=ON -DQT_INTERNAL_SBOM_DEFAULT_CHECKS=ON -DQT_INTERNAL_SBOM_AUDIT_NO_ERROR=ON
# or
$ /opt/qt6/bin/qt-configure-module ../qtsvg -sbom -- -DQT_INTERNAL_NO_SBOM_FIND_PYTHON_FRAMEWORK=ON -DQT_INTERNAL_SBOM_DEFAULT_CHECKS=ON -DQT_INTERNAL_SBOM_AUDIT_NO_ERROR=ON
# or
$ cmake path/to/qt/repo -DQT_GENERATE_SBOM=ON -DQT_INTERNAL_NO_SBOM_FIND_PYTHON_FRAMEWORK=ON -DQT_INTERNAL_SBOM_DEFAULT_CHECKS=ON -DQT_INTERNAL_SBOM_AUDIT_NO_ERROR=ON
The build system will check if all dependencies are present and show an error if not.
Then after SBOM generation the build system will do the following:
- generate an equivalent json representation of the SPDX file (fails installation if invalid content is found)
- run the NTIA compliance checker (fails the installation if check fails)
- run sbom2doc to show the contents
- run sbomaudit for some additional checks (doesn't fail the installation)
Here is a sample output:
-- Starting SBOM generation in build dir: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/qtimageformats/qt_sbom/staging-qtimageformats.spdx.in
-- Finalizing SBOM generation in install dir: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtimageformats-6.9.0.spdx
-- Generating JSON: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtimageformats-6.9.0.spdx.json
-- Verifying: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtimageformats-6.9.0.spdx
Is this SBOM NTIA minimum element conformant? True
Individual elements | Status
-------------------------------------------------------
All component names provided? | True
All component versions provided? | True
All component identifiers provided? | True
All component suppliers provided? | True
SBOM author name provided? | True
SBOM creation timestamp provided? | True
Dependency relationships provided? | True
-- Showing main SBOM document info: /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtimageformats-6.9.0.spdx
╭──────────────╮
│ SBOM Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Item ┃ Details ┃
┡━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ SBOM File │ /Users/alex/Dev/qt/builds/dev-mac-prefix-sbom-bundled/installed/sbom/qtimageformats-6.9.0.spdx │
│ SBOM Type │ spdx │
│ Version │ SPDX-2.3 │
│ Name │ qtimageformats-6.9.0 │
│ Creator │ Organization:TheQtCompany │
│ Creator │ Tool:Qt Build System │
│ Created │ 2024-06-27T11:56:32Z │
│ Files │ 7 │
│ Packages │ 12 │
│ Relationships │ 22 │
└───────────────┴────────────────────────────────────────────────────────────────────────────────────────────────┘
╭──────────────╮
│ File Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Name ┃ Type ┃ License ┃ Copyright ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ ./plugins/imageformats/libqtga_debug.… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqwbmp_debug… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqtiff_debug… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqwebp_debug… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqmacheif_de… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqicns_debug… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
│ ./plugins/imageformats/libqmacjp2_deb… │ BINARY │ LicenseRef-Qt-Commercial OR │ Copyright (C) 2024 The Qt Company Ltd. │
│ │ │ LGPL-3.0-only OR GPL-2.0-only OR │ │
│ │ │ GPL-3.0-only │ │
└────────────────────────────────────────┴────────┴────────────────────────────────────────┴────────────────────────────────────────┘
╭─────────────────╮
│ Package Summary │
╰─────────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Name ┃ Version ┃ Type ┃ Supplier ┃ License ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━╇━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ AppleClang │ 15.0.0.15000100 │ APPLICATION │ Anonymous │ NOASSERTION │
│ qtimageformats │ 983b9da+dev │ LIBRARY │ TheQtCompany │ NOASSERTION │
│ QTgaPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR │
│ │ │ │ │ GPL-2.0-only OR GPL-3.0-only │
│ QWbmpPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR │
│ │ │ │ │ GPL-2.0-only OR GPL-3.0-only │
│ QTiffPlugin_Attribution_libtiff │ 4.6.0 │ LIBRARY │ TheQtCompany │ libtiff │
│ QTiffPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR │
│ │ │ │ │ GPL-2.0-only OR GPL-3.0-only │
│ QWebpPlugin_Attribution_libwebp │ 1.4.0 │ LIBRARY │ TheQtCompany │ BSD-3-Clause │
│ QWebpPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR │
│ │ │ │ │ GPL-2.0-only OR GPL-3.0-only │
│ QMacHeifPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR │
│ │ │ │ │ GPL-2.0-only OR GPL-3.0-only │
│ QICNSPlugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR │
│ │ │ │ │ GPL-2.0-only OR GPL-3.0-only │
│ QMacJp2Plugin │ 6.9.0 │ LIBRARY │ TheQtCompany │ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR │
│ │ │ │ │ GPL-2.0-only OR GPL-3.0-only │
│ WrapZLIB │ 1.2.12 │ LIBRARY │ Anonymous │ NOASSERTION │
└─────────────────────────────────┴─────────────────┴─────────────┴──────────────┴──────────────────────────────────────────────────┘
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Name ┃ Version ┃ Ecosystem ┃ Download ┃ Copyright ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ AppleClang │ 15.0.0.15000100 │ - │ NOT KNOWN │ NOASSERTION │
│ qtimageformats │ 983b9da+dev │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QTgaPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QWbmpPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QTiffPlugin_Attribution_libtiff │ 4.6.0 │ generic │ https://download.osgeo.org/lib… │ Copyright (c) 1988-1997 Sam │
│ │ │ │ │ Leffler │
│ QTiffPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QWebpPlugin_Attribution_libwebp │ 1.4.0 │ generic │ https://storage.googleapis.com… │ Copyright (c) 2010, Google Inc. │
│ │ │ │ │ All rights reserved. │
│ QWebpPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QMacHeifPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QICNSPlugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ QMacJp2Plugin │ 6.9.0 │ generic │ git://code.qt.io/qt/qtimagefor… │ Copyright (C) 2024 The Qt │
│ │ │ │ │ Company Ltd. │
│ WrapZLIB │ 1.2.12 │ - │ NOT KNOWN │ NOASSERTION │
└─────────────────────────────────┴─────────────────┴───────────┴─────────────────────────────────┴─────────────────────────────────┘
╭────────────────────────╮
│ Component Type Summary │
╰────────────────────────╯
┏━━━━━━━━━━━━━┳━━━━━━━┓
┃ Type ┃ Count ┃
┡━━━━━━━━━━━━━╇━━━━━━━┩
│ APPLICATION │ 1 │
│ LIBRARY │ 11 │
└─────────────┴───────┘
╭─────────────────╮
│ License Summary │
╰─────────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━┓
┃ License ┃ Count ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━┩
│ BSD-3-Clause │ 1 │
│ LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only │ 14 │
│ NOASSERTION │ 3 │
│ libtiff │ 1 │
└───────────────────────────────────────────────────────────────────────────┴───────┘
╭──────────────────╮
│ Supplier Summary │
╰──────────────────╯
┏━━━━━━━━━━━━━━┳━━━━━━━┓
┃ Supplier ┃ Count ┃
┡━━━━━━━━━━━━━━╇━━━━━━━┩
│ Anonymous │ 2 │
│ TheQtCompany │ 10 │
└──────────────┴───────┘
╭──────────────╮
│ NTIA Summary │
╰──────────────╯
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━┓
┃ Element ┃ Status ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━┩
│ All file information provided? │ True │
│ All package information provided? │ True │
│ Creator identified? │ True │
│ Creation time identified? │ True │
│ Dependency relationships provided? │ True │
└────────────────────────────────────┴────────┘
NTIA conformant True