Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-129598

Investigate generation of CycloneDX documents for Qt build SBOM

    XMLWordPrintable

Details

    • Task
    • Resolution: Unresolved
    • P3: Somewhat important
    • None
    • 6.8.0 RC
    • Build System: CMake
    • None

    Description

      Qt 6.8 generates SPDX v2.3 documents.

      Some SBOM processing tools like DependencyTrack
      https://github.com/DependencyTrack/dependency-track

      can only process CycloneDX SBOMs.

      We should investigate how easy it would be to either convert the SPDX v2.3 documents to CycloneDX, or generate them from scratch as an alternative implementation of the our existing CMake SPDX SBOM API.

      There exists a tool that claims converting SPDX v2.2 documents to CycloneDX, but in practice it doesn't do a good job.
      Most information gets lost or converted into a "comment"-like field that is not processed properly by tools.
      https://github.com/CycloneDX/cyclonedx-cli

      Attachments

        Issue Links

          split from

          User Story - Created by Jira Software - do not edit or delete. Issue type for a user story. QTBUG-122899 Generate SBOM from Qt build system

          • P2: Important - Urgent, should be fixed, but will not stop the release.
          • In Progress
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              qtbuildsystem Qt Build System Team
              alexandru.croitor Alexandru Croitor
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:

                Gerrit Reviews

                  There are no open Gerrit changes