Details
User Story
Resolution: Fixed
P1: Critical
None
None
fc91074b2 (dev), fa6a08588 (6.8), 5707bb255 (dev), 8e22839aa (dev), 16f88076b (6.8), dab6e0653 (6.7), c6fa99b96 (6.8), b62a275da (6.7), 994986fb9 (dev), d8d0aeb17 (6.8), 15f6c458e (6.7), 08514f0f6 (6.7), 2bb7826b5 (dev), 4bede0086 (dev), e98480fb1 (6.8)
Description
Enforce that LicenseId entries in qt_attribution.json files contain valid SPDX expressions.
For some time, we also supported using DejaCode URNs for licenses that did not have a valid SPDX expression yet. Anyhow, this is not conformant with the SPDX standard that we want to use for SBOMs. So these should be either replaced by custom valid SPDX expressions (e.g. LicenseRef-*).
List:
qtbase/cmake/QtPublicSbomHelpers.cmake 385: if(NOT qa_license_id MATCHES "urn:dje:license")
qtbase/src/3rdparty/wasm/qt_attribution.json 13: "LicenseId": "urn:dje:license:bitstream",
qtbase/src/3rdparty/wintab/qt_attribution.json 11: "LicenseId": "urn:dje:license:lcs-telegraphics",
qtwebengine/examples/webenginewidgets/cookiebrowser/3rdparty/qt_attribution.json 12: "LicenseId": "urn:dje:license:public-domain",
qtwebengine/examples/webenginewidgets/simplebrowser/data/3rdparty/qt_attribution.json 12: "LicenseId": "urn:dje:license:public-domain",
qtwebengine/examples/webenginewidgets/permissionbrowser/resources/3rdparty/qt_attribution.json 12: "LicenseId": "urn:dje:license:public-domain",
qtwebengine/examples/webenginequick/quicknanobrowser/icons/3rdparty/qt_attribution.json 12: "LicenseId": "urn:dje:license:public-domain",
qttools/src/qtattributionsscanner/qdocgenerator.cpp 133: } else if (package.licenseId.startsWith("urn:dje:license:"_L1)) {
qtshadertools/src/3rdparty/SPIRV-Cross/qt_attribution.json 12: "LicenseId": "Apache-2.0 AND urn:dje:license:khronos",
qtshadertools/src/3rdparty/glslang/qt_attribution.json 12: "LicenseId": "BSD-3-Clause AND urn:dje:license:khronos AND Apache-2.0 AND GPL-3.0-or-later WITH Bison-exception-2.2 AND AML-glslang",
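
One way to enforce the rule described above, as an added example that is not part of the original issue and not Qt's own code: a syntax check that rejects `urn:dje:license:` tokens and malformed expressions in `LicenseId` values. Assumptions: entries carry `Name` and `LicenseId` keys, `DocumentRef-` prefixes are not handled, and identifiers are checked for SPDX idstring syntax only, not for membership in the SPDX license list.

```python
import json
import re

IDSTRING = re.compile(r"[A-Za-z0-9.\-]+\+?")  # SPDX idstring; trailing "+" = "or later"
OPERATORS = {"AND", "OR", "WITH"}              # WITH is treated like a binary operator here

def license_id_problems(expr):
    """Return the problems found in one LicenseId value; an empty list means it passes."""
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()
    if not tokens:
        return ["empty LicenseId"]
    problems, depth, want_operand = [], 0, True
    for tok in tokens:
        if tok == "(":
            if not want_operand:
                problems.append("missing operator before '('")
            depth += 1
        elif tok == ")":
            if want_operand or depth == 0:
                problems.append("unexpected ')'")
            depth = max(depth - 1, 0)
        elif tok in OPERATORS:
            if want_operand:
                problems.append(f"operator {tok} has no left operand")
            want_operand = True
        else:
            if not want_operand:
                problems.append(f"missing operator before {tok!r}")
            if tok.startswith("urn:dje:license:"):
                problems.append(f"DejaCode URN {tok!r}: use an SPDX id or LicenseRef-*")
            elif not IDSTRING.fullmatch(tok):
                problems.append(f"{tok!r} is not a valid SPDX idstring")
            want_operand = False
    if want_operand:
        problems.append("expression ends with an operator or '('")
    if depth:
        problems.append("unbalanced '('")
    return problems

def check_attribution(json_text):
    """Map each entry's Name to its LicenseId problems (file holds one object or a list)."""
    data = json.loads(json_text)
    entries = data if isinstance(data, list) else [data]
    return {e.get("Name", "?"): license_id_problems(e.get("LicenseId", "")) for e in entries}
# Constructed sample: first LicenseId is quoted from the list above; LicenseRef-Khronos is a placeholder.
SAMPLE = json.dumps([
    {"Name": "before", "LicenseId": "Apache-2.0 AND urn:dje:license:khronos"},
    {"Name": "after", "LicenseId": "Apache-2.0 AND LicenseRef-Khronos"},
])
```

`check_attribution(SAMPLE)` returns one problem for the "before" entry and an empty list for the "after" entry, so a CI step can fail on any non-empty list.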