SBOM

From Qt Wiki
Jump to navigation Jump to search


Qt Software Bill of Materials (SBOM)

Starting with Qt 6.8, when building Qt, the build system can generate and install an SBOM in the SPDX 2.3 format.

A SPDX SBOM document contains the following kinds of information: installed files checksums, copyrights, licenses, dependency versions, urls, git commits, etc.

Each built repository (qtbase, qtsvg) will install a separate SPDX document, e.g. $qt_prefix/sbom/qtbase-6.8.0.spdx, qsvg-6.8.0.spdx, etc.

To generate and install an SBOM, pass -sbom to configure. The argument needs to be passed to each separately configured repository.

$ ../qtbase-source-dir/configure -prefix /opt/qt6 -sbom
$ /opt/qt6/bin/qt-configure-module ../qtsvg -sbom

Mapping of SPDX concepts to CMake

The general structure of a SPDX document is the following:

  • a document contains document metadata and packages
  • a package contains package metadata and files
  • a file contains file metadata
  • a package can have various kinds of relationships to other packages
  • a package can depend on another package either in the current document or in a referenced external document
  • a file can have various kind of relationships to other files

In Qt's build system, we have multiple 'entity' types that map to a SPDX package:

  • qt module (Gui)
  • qt plugin (platform plugin)
  • qt tool (moc)
  • qt app (Designer)
  • 3rd party bundled code (pcre)
  • system library dependencies (openssl)

Each of these can then have zero or more SPDX file references.

In a -debug-and-release build there would be a libQt6Gui.dll and libQt6Gui_debug.dll file.

For system libraries, there are no file references, because a SPDX document can only refer to an installed file.

Because system libraries are usually looked up each time a project is configured, the path would always be different, so we can't record such file metadata.

Almost all SPDX packages are backed by a cmake target.

Maintainer Knowledge

As a Qt maintainer, there are a few things you should know and take care of.

The licensing of the qt modules, plugins, tools, apps.

Qt Licensing

The default license of qt modules is LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only. And for tools and apps it is usually LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0

If that is not the case for the repo you are maintaining, make sure to explicitly specify a different license either per target, or per subdirectory, or per repo.

To do it per target, specify the QT_LICENSE_ID option to qt_internal_add_module / plugin / tool / extend_target with a value that _qt_internal_sbom_get_spdx_license_expression understands.

qt_internal_add_module(WebEngine
    ...
    QT_LICENSE_ID  QT_COMMERCIAL_OR_LGPL3
)

Example: https://codereview.qt-project.org/c/qt/qtwayland/+/569252/4/src/plugins/decorations/bradient/CMakeLists.txt

To do it per subdirectory or repo, set the QT_SBOM_DEFAULT_QT_LICENSE_ID_LIBRARIES and QT_SBOM_DEFAULT_QT_LICENSE_ID_EXECUTABLES variables to one of the values that _qt_internal_sbom_get_spdx_license_expression understands.

Example: https://codereview.qt-project.org/c/qt/qtquick3dphysics/+/569239

bundled / vendored 3rd party libraries

Qt uses various 3rd party sources that are usually located in src/3rdparty, but sometimes they are part of module sources.

We need to make sure the SBOM generation process knows about them for compliance reasons.

The easiest way to annotate these is with one or more qt_attribution.json files.

For 3rd party libraries created with qt_internal_add_3rdparty_library, as long as the CMakeLists.txt is next to the qt_attribution.json file, you don't need to do anything.

In case if the attribution file is in a different location, make sure to specify all relevant attribution files via the ATTRIBUTION_FILE_DIR_PATHS option to qt_internal_add_module / plugin / tool / extend_target .

qt_internal_add_module(Core
    ATTRIBUTION_FILE_DIR_PATHS
        text
        tools
        ../3rdparty/blake2
        ../3rdparty/md4
        ../3rdparty/md5
        ../3rdparty/sha1
        ../3rdparty/sha3
        ../3rdparty/rfc6234
        ../3rdparty/tinycbor
)

qt_internal_extend_target(Network CONDITION NOT QT_FEATURE_system_zlib
    INCLUDE_DIRECTORIES
        ../3rdparty/zlib/src
    ATTRIBUTION_FILE_DIR_PATHS
        ../3rdparty/zlib
        ../3rdparty/some-random-ssl-lib
)

qt_internal_add_3rdparty_library(BundledPcre2
    ATTRIBUTION_FILE_DIR_PATHS
        ../3rdparty/pcre
)

Various examples:

In case if some information needs to be recorded for a target without a qt_attribution.json file, and for whatever reason creating one is not desired, you can use specify SBOM-related options that qt_internal_add_module / plugin / tool / extend_target understand.

The full list can be found in _qt_internal_get_sbom_add_target_common_options and

qt_internal_extend_target(BundledZlib CONDITION NOT QT_FEATURE_system_zlib
    # flags
    NO_CURRENT_DIR_ATTRIBUTION
    NO_ATTRIBUTION_LICENSE_ID
    NO_DEFAULT_QT_LICENSE
    NO_DEFAULT_QT_LICENSE_ID_LIBRARIES
    NO_DEFAULT_QT_LICENSE_ID_EXECUTABLES
    NO_DEFAULT_DIRECTORY_QT_LICENSE
    NO_DEFAULT_QT_COPYRIGHTS
    NO_DEFAULT_QT_PACKAGE_VERSION
    NO_DEFAULT_QT_SUPPLIER
    
    # single value options
    PACKAGE_VERSION "1.2.4"
    FRIENDLY_PACKAGE_NAME "FancyierZlib"
    CPE_VENDOR "zlib"
    CPE_PRODUCT "zlib"
    LICENSE_EXPRESSION MIT OR BSD-3-Clause
    QT_LICENSE_ID QT_COMMERCIAL_OR_BSD3
    DOWNLOAD_LOCATION "https://github.com/madler/zlib"
    ATTRIBUTION_ENTRY_INDEX 5

    # multi value options
    COPYRIGHTS
        "Copyright company 1"
        "Copyright company 1"
    CPE
        "cpe:2.3:o:arm:arm:-:*:*:*:*:*:*:*"
        "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"
    SBOM_DEPENDENCIES
        Qt6::Core
        Qt6::Gui
        WrapOpenSSL::WrapOpenSSL
    ATTRIBUTION_FILE_PATHS
        ../3rdparty/zlib1/qt_attribution.json
        ../3rdparty/zlib2/qt_attribution.json
    ATTRIBUTION_FILE_DIR_PATHS
        ../3rdparty/zlib3
        ../3rdparty/zlib4
)