SBOM

From Qt Wiki
Revision as of 11:20, 27 June 2024 by Croitor Alexandru


Qt Software Bill of Materials (SBOM)

Starting with Qt 6.8, when building Qt, the build system can generate and install an SBOM in the SPDX 2.3 format.

An SPDX SBOM document contains the following kinds of information: checksums of installed files, copyrights, licenses, dependency versions, URLs, git commits, etc.

Each built repository (qtbase, qtsvg, ...) installs a separate SPDX document, e.g. $qt_prefix/sbom/qtbase-6.8.0.spdx, qtsvg-6.8.0.spdx, etc.

To generate and install an SBOM, pass -sbom to configure. Because every repository is configured separately, the argument needs to be passed to each of them:

$ ../qtbase-source-dir/configure -prefix /opt/qt6 -sbom
$ /opt/qt6/bin/qt-configure-module ../qtsvg -sbom

Mapping of SPDX concepts to CMake

The general structure of an SPDX document is the following:

  • a document contains document metadata and packages
  • a package contains package metadata and files
  • a file contains file metadata
  • a package can have various kinds of relationships to other packages
  • a package can depend on another package either in the current document or in a referenced external document
  • a file can have various kinds of relationships to other files

In Qt's build system, we have multiple 'entity' types that map to an SPDX package:

  • qt module (Gui)
  • qt plugin (platform plugin)
  • qt tool (moc)
  • qt app (Designer)
  • 3rd party bundled code (pcre)
  • system library dependencies (openssl)

Each of these can then have zero or more SPDX file references.

In a -debug-and-release build, for example, the Gui module package would reference both a libQt6Gui.dll and a libQt6Gui_debug.dll file.

For system libraries there are no file references, because an SPDX document can only refer to an installed file.

Because system libraries are looked up anew each time a project is configured, their path would differ from build to build, so such file metadata can't be recorded.

Almost all SPDX packages are backed by a CMake target.
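As an added example that is not part of this wiki page or of the Qt build system, here is a small consumer of such a document: it parses a constructed, abridged SPDX 2.3 tag-value fragment in the shape described above (a package with its license expression, a file with its checksum, a DEPENDS_ON relationship) and re-hashes the referenced file under an install prefix, so a missing or modified binary shows up as a finding. The tag names are standard SPDX 2.3; the package, path, digest and relationship values are constructed.

```python
import hashlib
import tempfile
from pathlib import Path
# Constructed, abridged SPDX 2.3 tag-value sample shaped like the qtbase-6.8.0.spdx that
# a -sbom build installs under $qt_prefix/sbom/; the digest is SHA1 of the bytes b"hello".
SAMPLE_SPDX = """\
PackageName: Gui
SPDXID: SPDXRef-Gui
PackageLicenseConcluded: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
FileName: ./lib/libQt6Gui.so
FileChecksum: SHA1: aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
Relationship: SPDXRef-Gui DEPENDS_ON SPDXRef-Core
"""

def parse_spdx(text):
    """Return package licenses, file entries and relationships from a tag-value document."""
    licenses, files, rels, package = {}, [], [], None
    for line in text.splitlines():
        tag, _, value = line.partition(": ")
        if tag == "PackageName":
            package = value
        elif tag == "PackageLicenseConcluded":
            licenses[package] = value
        elif tag == "FileName":
            files.append({"path": value, "checksums": {}})
        elif tag == "FileChecksum":                 # value looks like "SHA1: <hex>"
            algo, _, digest = value.partition(": ")
            files[-1]["checksums"][algo] = digest.lower()
        elif tag == "Relationship":                 # value looks like "<id> <TYPE> <id>"
            rels.append(tuple(value.split()))
    return licenses, files, rels

def verify_checksums(files, prefix):
    """Re-hash every installed file the SBOM references; return (path, problem) findings."""
    findings = []
    for f in files:
        path = Path(prefix) / f["path"]
        for algo, expected in f["checksums"].items():
            actual = hashlib.new(algo.lower(), path.read_bytes()).hexdigest() if path.is_file() else None
            if actual != expected:
                findings.append((f["path"], "missing" if actual is None else f"{algo} mismatch"))
    return findings

def demo(tamper=False):
    # Lay out a throwaway prefix holding the referenced file, then verify it against the SBOM.
    licenses, files, rels = parse_spdx(SAMPLE_SPDX)
    with tempfile.TemporaryDirectory() as prefix:
        Path(prefix, "lib").mkdir()
        Path(prefix, "lib/libQt6Gui.so").write_bytes(b"hell0" if tamper else b"hello")
        findings = verify_checksums(files, prefix)
    return licenses, rels, findings
```

Pointing verify_checksums at a real $qt_prefix with the file entries of an installed qtbase-6.8.0.spdx is the same call; an empty findings list means every referenced file is present and unchanged.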

Maintainer Knowledge

As a Qt maintainer, there are a few things you should know and take care of.

The licensing of Qt modules, plugins, tools and apps.

The default license of Qt modules is LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only. For tools and apps it is usually LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0.

If that is not the case for the repository you maintain, make sure to explicitly specify a different license, either per target, per subdirectory, or per repository.

To do it per target, specify the LICENSE_EXPRESSION option to qt_internal_add_module / plugin / tool / extend_target with a value that _qt_internal_sbom_get_spdx_license_expression understands.

qt_internal_add_module(WebEngine
    ...
    LICENSE_EXPRESSION  QT_COMMERCIAL_OR_LGPL3
)

To do it per subdirectory or repo, set the QT_SBOM_DEFAULT_QT_LICENSE_ID_LIBRARIES and QT_SBOM_DEFAULT_QT_LICENSE_ID_EXECUTABLES variables to one of the values that _qt_internal_sbom_get_spdx_license_expression understands. Example: https://codereview.qt-project.org/c/qt/qtquick3dphysics/+/569239