Qt / QTBUG-129598

Investigate generation of CycloneDX documents for Qt build SBOM


    • Type: Task
    • Resolution: Unresolved
    • Priority: P2: Important
    • Version/s: 6.8.0 RC
    • Component/s: Build System: CMake
    • Commits: 86589a14f (dev), 7eb22d00d (6.10)

      Qt 6.8 generates SPDX v2.3 documents.

      Some SBOM processing tools like DependencyTrack (https://github.com/DependencyTrack/dependency-track) can only process CycloneDX SBOMs.

      We should investigate how easy it would be to either convert the SPDX v2.3 documents to CycloneDX, or generate them from scratch as an alternative implementation of our existing CMake SPDX SBOM API.

      There exists a tool that claims to convert SPDX v2.2 documents to CycloneDX, but in practice it doesn't do a good job.
      Most information gets lost or converted into a "comment"-like field that is not processed properly by tools.
      https://github.com/CycloneDX/cyclonedx-cli
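The following is an added illustration, not code from Qt's CMake SBOM implementation and not part of cyclonedx-cli. It sketches what a lossless SPDX 2.3 JSON to CycloneDX 1.5 JSON mapping looks like: package identity, version, license expression, checksums, PURL and the DESCRIBES / DEPENDS_ON / DEPENDENCY_OF relationships land in the first-class CycloneDX fields (`components`, `hashes`, `licenses`, `purl`, `metadata.component`, `dependencies`) rather than a comment field, and anything the mapping drops is reported instead of silently lost. The input SPDX document, the tool name and all identifiers in it are constructed for the demo.

```python
"""SPDX 2.3 (JSON) -> CycloneDX 1.5 (JSON), keeping fields first-class.

Added example; not Qt's CMake SBOM code and not cyclonedx-cli. The input
document and every name in it are constructed for this illustration.
"""
import json

# Constructed sample SPDX 2.3 document (not a real Qt SBOM).
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "documentNamespace": "https://example.invalid/spdx/example-sbom",
    "creationInfo": {"created": "2024-09-01T00:00:00Z",
                     "creators": ["Tool: example-generator"]},
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-Package-app",
         "versionInfo": "1.0.0", "downloadLocation": "NOASSERTION",
         "licenseConcluded": "LGPL-3.0-only",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "a" * 64}],
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:generic/example-app@1.0.0"}]},
        {"name": "zlib", "SPDXID": "SPDXRef-Package-zlib", "versionInfo": "1.3.1",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "Zlib",
         "checksums": [{"algorithm": "SHA1", "checksumValue": "b" * 40}],
         "externalRefs": []},
        # No license or checksum data: the mapping must omit the fields, not
        # emit "NOASSERTION" strings that a consumer would misread as a license.
        {"name": "mystery", "SPDXID": "SPDXRef-Package-mystery", "versionInfo": "0.1",
         "downloadLocation": "NOASSERTION", "licenseConcluded": "NOASSERTION",
         "checksums": [], "externalRefs": []},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-zlib"},
        # Same kind of edge, stated from the dependency's side.
        {"spdxElementId": "SPDXRef-Package-mystery", "relationshipType": "DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-Package-app"},
    ],
}

# SPDX checksum algorithm names -> CycloneDX hash algorithm names.
HASH_ALG = {"MD5": "MD5", "SHA1": "SHA-1", "SHA256": "SHA-256", "SHA512": "SHA-512"}
# SPDX package keys this converter maps onto a first-class CycloneDX field.
MAPPED_PACKAGE_KEYS = {"name", "SPDXID", "versionInfo", "licenseConcluded",
                       "checksums", "externalRefs"}


def _component(pkg, ctype="library"):
    """Map one SPDX package to a CycloneDX component; the SPDXID becomes bom-ref."""
    comp = {"type": ctype, "bom-ref": pkg["SPDXID"], "name": pkg["name"]}
    if pkg.get("versionInfo"):
        comp["version"] = pkg["versionInfo"]
    lic = pkg.get("licenseConcluded")
    if lic and lic not in ("NOASSERTION", "NONE"):
        comp["licenses"] = [{"expression": lic}]  # SPDX expression, kept verbatim
    hashes = [{"alg": HASH_ALG[c["algorithm"]], "content": c["checksumValue"]}
              for c in pkg.get("checksums", []) if c["algorithm"] in HASH_ALG]
    if hashes:
        comp["hashes"] = hashes
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            comp["purl"] = ref["referenceLocator"]
    return comp


def spdx_to_cyclonedx(spdx):
    """Build a CycloneDX 1.5 BOM dict from an SPDX 2.3 JSON dict."""
    pkgs = {p["SPDXID"]: p for p in spdx.get("packages", [])}
    rels = spdx.get("relationships", [])
    described = [r["relatedSpdxElement"] for r in rels
                 if r["spdxElementId"] == spdx["SPDXID"]
                 and r["relationshipType"] == "DESCRIBES"]
    root = described[0] if described else None
    deps = {}  # both SPDX spellings of a dependency edge feed one dependsOn graph
    for r in rels:
        if r["relationshipType"] == "DEPENDS_ON":
            deps.setdefault(r["spdxElementId"], set()).add(r["relatedSpdxElement"])
        elif r["relationshipType"] == "DEPENDENCY_OF":
            deps.setdefault(r["relatedSpdxElement"], set()).add(r["spdxElementId"])
    bom = {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"timestamp": spdx["creationInfo"]["created"],
                     "tools": [{"name": "spdx-to-cyclonedx-example"}]},  # constructed name
        "components": [_component(p) for sid, p in pkgs.items() if sid != root],
        "dependencies": [{"ref": k, "dependsOn": sorted(v)} for k, v in sorted(deps.items())],
    }
    if root:  # the DESCRIBES target is the BOM's subject, not an ordinary component
        bom["metadata"]["component"] = _component(pkgs[root], "application")
    return bom


def unmapped_package_keys(spdx):
    """SPDX package keys the mapping drops; review these before trusting the output."""
    keys = set()
    for p in spdx.get("packages", []):
        keys |= set(p) - MAPPED_PACKAGE_KEYS
    return sorted(keys)


def dangling_refs(bom):
    """Dependency refs that point at no bom-ref in the BOM; should be empty."""
    refs = {c["bom-ref"] for c in bom["components"]}
    if "component" in bom["metadata"]:
        refs.add(bom["metadata"]["component"]["bom-ref"])
    return sorted(d for e in bom["dependencies"]
                  for d in [e["ref"], *e["dependsOn"]] if d not in refs)


if __name__ == "__main__":
    result = spdx_to_cyclonedx(SPDX_SAMPLE)
    print(json.dumps(result, indent=2))
    print("unmapped SPDX package keys:", unmapped_package_keys(SPDX_SAMPLE))
    print("dangling refs:", dangling_refs(bom=result))
```

Two design points matter for a consumer like DependencyTrack: the SPDXID is reused as the CycloneDX `bom-ref`, so the `dependencies` graph stays traceable back to the SPDX source, and `NOASSERTION` values are omitted rather than copied, since a literal "NOASSERTION" license string would be treated as data. `unmapped_package_keys` makes the remaining loss explicit (here `downloadLocation`), which is the check to run before declaring a conversion lossless.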


            Assignee: Alexandru Croitor
            Reporter: Alexandru Croitor


                There are 2 open Gerrit changes