Qt / QTBUG-120586

Create automated SBOM process for Qt framework and tools


Details

    Description

      What is the benefit? Why is this valuable?

      Making manual work to create SBOM (Software Bill of Materials) information unnecessary.

      What are common use cases?

      License due diligence and compliance: identifying copyright and license information for deliverables (license compliance).

      Configuration management / Cybersecurity: Identifying software components and versions that end up in deliverables.

      Technical information

      Relevant standards:

      • SPDX (currently using SPDX 2.1)
      • CycloneDX

      SBOM Types

      • Source SBOMs for source deliverables
      • Binary SBOMs for binary deliverables


      CRA Backlog

      This task is also part of the CRA compliance backlog.

      Overview of the task 

      Generate SBOMs for all relevant Qt products. Automate SBOM generation to ensure efficiency and accuracy.

      For Qt Framework, consider how to address customer demand for SBOMs specific to host-target-combinations. The CRA does not require providing SBOMs to customers, so this is a business question.

      Steps

      1. Automate SBOM generation for all products.
      2. Generate SBOMs for all versions of all Qt products.
      3. For Qt Framework, consider how to address customer demand for SBOMs specific to host-target-combinations.

      Outcome

      Automated SBOM generation for all Qt products and an SBOM generated for each version of all Qt products. The SBOM must be provided in a machine-readable format covering at the very least the top-level dependencies of the product.
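      As an added illustration, not code from the Qt project or this ticket, the check below reads an SPDX 2.1 tag-value SBOM (the format named under Technical information) and reports whether the described product's top-level dependencies are present, each with a version and a concluded license, which is the minimum the outcome above requires. The SBOM text, package names, versions and licenses in it are constructed placeholders.

```python
# Constructed sample SBOM in SPDX 2.1 tag-value form; package names, versions
# and licenses are placeholders, not data from any real Qt release.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.1
SPDXID: SPDXRef-DOCUMENT

PackageName: example-product
SPDXID: SPDXRef-Package-product
PackageVersion: 1.0.0
PackageLicenseConcluded: LGPL-3.0-only

PackageName: example-thirdparty-lib
SPDXID: SPDXRef-Package-lib
PackageLicenseConcluded: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-product
Relationship: SPDXRef-Package-product DEPENDS_ON SPDXRef-Package-lib
Relationship: SPDXRef-Package-product DEPENDS_ON SPDXRef-Package-missing
"""

def parse_tag_value(text):
    """Return (packages keyed by SPDXID, list of (subject, type, object))."""
    packages, relationships, current = {}, [], None
    for line in text.splitlines():
        tag, sep, value = line.partition(": ")
        if tag == "PackageName":              # PackageName opens a package section
            current = {"PackageName": value}
        elif tag == "Relationship":
            relationships.append(tuple(value.split()))
        elif sep and current is not None:     # other tags belong to the open package
            current[tag] = value
            if tag == "SPDXID":
                packages[value] = current
    return packages, relationships

def check_top_level_deps(text):
    """Findings for the 'at least top-level dependencies' minimum; [] means met."""
    packages, rels = parse_tag_value(text)
    roots = [t for s, r, t in rels if s == "SPDXRef-DOCUMENT" and r == "DESCRIBES"]
    findings = [] if roots else ["no DESCRIBES relationship: product not identified"]
    for root in roots:
        for t in [t for s, r, t in rels if s == root and r == "DEPENDS_ON"]:
            pkg = packages.get(t)
            if pkg is None:
                findings.append(f"{t}: referenced as dependency but not defined")
                continue
            for field in ("PackageVersion", "PackageLicenseConcluded"):
                if pkg.get(field, "NOASSERTION") == "NOASSERTION":
                    findings.append(f"{t}: {field} missing or NOASSERTION")
    return findings
```

      Running the check in a CI job after SBOM generation turns a missing version or an unconcluded license into a build failure instead of a manual review finding.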

      Reasoning why this is needed

      The CRA requires that Qt produce a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies for each product. Generating accurate SBOMs manually is not scalable and automation is thus necessary.

      CRA reference:

      Annex I, Part II § 1

      Link: https://data.consilium.europa.eu/doc/document/PE-100-2023-INIT/en/pdf

      OWASP SAMM reference:

      OWASP SAMM, Implementation:
      The Secure Build practice includes activities such as keeping a record of all dependencies used throughout the target production environment, i.e. generating a bill of materials for every application.

      Needed schedule

      This is mandated by the EU CRA by 11.12.2027; it can be done any day earlier.


      People

        Kai Köhne (kkohne)
        Productboard (productboard)
        Petri Maanonen
        Tuukka Turunen
        Votes: 2
        Watchers: 7