
SBOM

From Qt Wiki
Revision as of 11:20, 27 June 2024 by Croitor Alexandru (talk | contribs) (Created page with "Category:Developing Qt::Qt Build System ===Qt Software Bill of Materials (SBOM)=== Starting with Qt 6.8, when building Qt, the build system can generate and install an SBOM in the SPDX 2.3 format. A SPDX SBOM document contains the following kinds of information: installed files checksums, copyrights, licenses, dependency versions, urls, git commits, etc. Each built repository (qtbase, qtsvg) will install a separate SPDX document, e.g. $qt_prefix/sbom/qtbase-6.8.0...")


Qt Software Bill of Materials (SBOM)

Starting with Qt 6.8, when building Qt, the build system can generate and install an SBOM in the SPDX 2.3 format.

An SPDX SBOM document contains the following kinds of information: checksums of the installed files, copyrights, licenses, dependency versions, URLs, git commits, etc.

Each built repository (qtbase, qtsvg, ...) installs a separate SPDX document, e.g. $qt_prefix/sbom/qtbase-6.8.0.spdx, qtsvg-6.8.0.spdx, etc.

To generate and install an SBOM, pass -sbom to configure. The argument needs to be passed to each separately configured repository.

$ ../qtbase-source-dir/configure -prefix /opt/qt6 -sbom
$ /opt/qt6/bin/qt-configure-module ../qtsvg -sbom

Mapping of SPDX concepts to CMake

The general structure of an SPDX document is the following:

  • a document contains document metadata and packages
  • a package contains package metadata and files
  • a file contains file metadata
  • a package can have various kinds of relationships to other packages
  • a package can depend on another package either in the current document or in a referenced external document
  • a file can have various kinds of relationships to other files

In Qt's build system, we have multiple 'entity' types that map to an SPDX package:

  • qt module (Gui)
  • qt plugin (platform plugin)
  • qt tool (moc)
  • qt app (Designer)
  • 3rd party bundled code (pcre)
  • system library dependencies (openssl)

Each of these can then have zero or more SPDX file references.

In a -debug-and-release build, for example, the Gui package would have file references for both a libQt6Gui.dll and a libQt6Gui_debug.dll file.

For system libraries, there are no file references, because an SPDX document can only refer to an installed file.

Because system libraries are usually looked up each time a project is configured, the path would always be different, so we can't record such file metadata.

Almost all SPDX packages are backed by a CMake target.

Maintainer Knowledge

As a Qt maintainer, there are a few things you should know and take care of.

Licensing of the Qt modules, plugins, tools and apps

The default license of Qt modules is LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only; for tools and apps it is usually LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0.

If that is not the case for the repo you are maintaining, make sure to explicitly specify a different license either per target, or per subdirectory, or per repo.

To do it per target, pass the LICENSE_EXPRESSION option to qt_internal_add_module / qt_internal_add_plugin / qt_internal_add_tool / qt_internal_extend_target with a value that _qt_internal_sbom_get_spdx_license_expression understands.

qt_internal_add_module(WebEngine
    ...
    LICENSE_EXPRESSION  QT_COMMERCIAL_OR_LGPL3
)

To do it per subdirectory or repo, set the QT_SBOM_DEFAULT_QT_LICENSE_ID_LIBRARIES and QT_SBOM_DEFAULT_QT_LICENSE_ID_EXECUTABLES variables to one of the values that _qt_internal_sbom_get_spdx_license_expression understands. Example: https://codereview.qt-project.org/c/qt/qtquick3dphysics/+/569239
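As an added example (not Qt project code), the following Python script parses an SPDX 2.3 document in the tag-value syntax used by the .spdx files described above (document metadata, packages, files, checksums and relationships), recomputes the recorded file checksums over an installed tree, and flags packages whose concluded license is not one of the Qt defaults quoted under Maintainer Knowledge. The sample document, its SPDX IDs, paths and file contents are constructed for the example; the function names, the HASHERS table and the three verdict labels are the example's own choices.

```python
"""Parse an SPDX 2.3 tag-value SBOM, verify recorded file checksums and audit package
licenses against the Qt defaults. Added example (not Qt code); the document is constructed."""
import hashlib
import os
import tempfile

LIB_BYTES = b"constructed stand-in for libQt6Gui.so\n"  # fake installed file
SAMPLE_SPDX = f"""\
SPDXVersion: SPDX-2.3
DocumentName: qtbase-6.8.0

PackageName: Gui
SPDXID: SPDXRef-Package-Gui
PackageLicenseConcluded: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
PackageCopyrightText: <text>Copyright (C) The Qt Company Ltd.
Copyright (C) 2024 constructed contributor</text>

FileName: ./lib/libQt6Gui.so
SPDXID: SPDXRef-File-libQt6Gui
FileChecksum: SHA1: {hashlib.sha1(LIB_BYTES).hexdigest()}

PackageName: moc
SPDXID: SPDXRef-Package-moc
PackageLicenseConcluded: NOASSERTION

PackageName: openssl
SPDXID: SPDXRef-Package-openssl
PackageLicenseConcluded: Apache-2.0

Relationship: SPDXRef-Package-Gui CONTAINS SPDXRef-File-libQt6Gui
Relationship: SPDXRef-Package-Gui DEPENDS_ON SPDXRef-Package-openssl
"""
HASHERS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}
QT_DEFAULT_LICENSES = {  # the module and tool/app defaults quoted on this page
    "LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only",
    "LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0",
}

def parse_spdx_tag_value(text):
    """PackageName / FileName open a new element; the tags after them attach to it."""
    doc = {"document": {}, "packages": [], "files": [], "relationships": []}
    current, lines, i = doc["document"], text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if not line.strip() or line.startswith("#"):
            continue
        tag, sep, value = map(str.strip, line.partition(":"))
        if not sep or not tag.isalpha():
            raise ValueError(f"malformed tag-value line: {line!r}")
        if value.startswith("<text>"):  # <text>...</text> may span several lines
            while "</text>" not in value and i < len(lines):
                value, i = value + "\n" + lines[i], i + 1
            value = value[len("<text>"):].rsplit("</text>", 1)[0]
        if tag in ("PackageName", "FileName"):
            current = {tag: value, "checksums": {}}
            doc["packages" if tag == "PackageName" else "files"].append(current)
        elif tag == "Relationship":
            doc["relationships"].append(tuple(value.split()))
        elif tag in ("FileChecksum", "PackageChecksum"):
            algo, digest = value.split(":", 1)
            current.setdefault("checksums", {})[algo.strip()] = digest.strip().lower()
        else:
            current[tag] = value
    return doc

def verify_file_checksums(doc, install_root):
    """Recompute each FileName's digests; {FileName: True | False | None (absent)}."""
    results = {}
    for f in doc["files"]:
        name = f["FileName"]
        path = os.path.join(install_root, name[2:] if name.startswith("./") else name)
        if not os.path.isfile(path):
            results[name] = None
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        results[name] = all(HASHERS[a](data).hexdigest() == d
                            for a, d in f["checksums"].items() if a in HASHERS)
    return results

def audit_licenses(doc):
    """Per package: 'qt-default', 'missing' (NOASSERTION/NONE/absent) or 'other'."""
    verdicts = {}
    for p in doc["packages"]:
        expr = " ".join(p.get("PackageLicenseConcluded", "NOASSERTION").split())
        verdicts[p["PackageName"]] = ("missing" if expr in ("NOASSERTION", "NONE") else
                                      "qt-default" if expr in QT_DEFAULT_LICENSES else "other")
    return verdicts

def demo():
    """Verify a fake install tree, then corrupt the library and verify again."""
    doc = parse_spdx_tag_value(SAMPLE_SPDX)
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib", "libQt6Gui.so")
        os.makedirs(os.path.dirname(lib))
        with open(lib, "wb") as fh:
            fh.write(LIB_BYTES)
        intact = verify_file_checksums(doc, root)
        with open(lib, "ab") as fh:
            fh.write(b"\0")
        return intact, verify_file_checksums(doc, root)
```

Run against a real $qt_prefix/sbom/*.spdx with install_root set to $qt_prefix, a False entry means the installed file no longer matches what the build recorded, a None entry means the document references a file that is not installed, and a 'missing' license verdict on a Qt module, plugin, tool or app is the case the LICENSE_EXPRESSION option above is meant to fix. System library packages such as openssl have no file references, so they only appear in the license audit.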