QTBUG-129600: Investigate generation of SPDX v3.0 documents for Qt build SBOM

Details

    • Task
    • Resolution: Unresolved
    • P2: Important
    • Build System: CMake

    Description

      Qt 6.8 generates SPDX v2.3 documents for the build SBOM.

      The latest SPDX version is currently v3.0.

      We should investigate what it would take to generate that version.

      Current roadblocks for that are:

      • v3.0 doesn't seem to support INI-style key:value SPDX documents, only JSON.
        For v2.3 we generate INI-style documents and convert them to JSON via external tooling.
        CMake doesn't have a good facility for generating complex JSON documents, so it will probably be awkward to reimplement that.
      • Tooling to check the validity of v3.0 documents is not there yet. The ones we currently use in the CI are spdx_tools, sbom2doc, sbomaudit and ntia_performance_checker.
      • The semantic structure of the documents has changed considerably between v2.3 and v3.0, so we will need to investigate how to adapt to that.
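The key:value-to-JSON conversion the first roadblock refers to, as an added example written for this page (it is not Qt's build-system code and not the external tooling Qt uses): a small parser that turns a v2.3 tag:value document into the v2.3 JSON shape, plus a reference check of the kind a validator has to cover. The sample document, the `example.invalid` namespace, the package contents and the `check_references` rules are constructed for illustration; the parser handles only the document, package and relationship tags shown, with single-line `<text>` values.

```python
import json

# Constructed sample of a v2.3 tag:value document (hypothetical content, not Qt's SBOM).
SAMPLE_TAG_VALUE = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-sbom
DocumentNamespace: https://example.invalid/spdxdocs/example-sbom
Creator: Tool: example-generator
Created: 2024-01-01T00:00:00Z

PackageName: libexample
SPDXID: SPDXRef-Package-libexample
PackageVersion: 1.2.3
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageCopyrightText: <text>NOASSERTION</text>

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-libexample
"""

# tag -> JSON key, document level and package level (SPDX 2.3 JSON schema names)
DOCUMENT_TAGS = {
    "SPDXVersion": "spdxVersion",
    "DataLicense": "dataLicense",
    "SPDXID": "SPDXID",
    "DocumentName": "name",
    "DocumentNamespace": "documentNamespace",
}
PACKAGE_TAGS = {
    "SPDXID": "SPDXID",
    "PackageVersion": "versionInfo",
    "PackageDownloadLocation": "downloadLocation",
    "PackageLicenseConcluded": "licenseConcluded",
    "PackageCopyrightText": "copyrightText",
}


def tag_value_to_dict(text):
    """Parse a tag:value SPDX 2.3 document into the dict shape of the JSON format."""
    doc = {"creationInfo": {"creators": []}, "packages": [], "relationships": []}
    package = None  # package currently being filled; None while at document level
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        tag, value = tag.strip(), value.strip()
        if value.startswith("<text>") and value.endswith("</text>"):  # single-line text value
            value = value[len("<text>"):-len("</text>")]
        if tag == "PackageName":  # starts a new package section
            package = {"name": value}
            doc["packages"].append(package)
        elif tag == "Relationship":  # "<id> <TYPE> <id>"
            parts = value.split()
            if len(parts) != 3:
                raise ValueError(f"malformed relationship: {value!r}")
            doc["relationships"].append({"spdxElementId": parts[0],
                                         "relationshipType": parts[1],
                                         "relatedSpdxElement": parts[2]})
        elif tag == "Creator":
            doc["creationInfo"]["creators"].append(value)
        elif tag == "Created":
            doc["creationInfo"]["created"] = value
        elif package is not None and tag == "FilesAnalyzed":
            package["filesAnalyzed"] = value.lower() == "true"
        elif package is not None and tag in PACKAGE_TAGS:
            package[PACKAGE_TAGS[tag]] = value
        elif package is None and tag in DOCUMENT_TAGS:
            doc[DOCUMENT_TAGS[tag]] = value
        else:
            raise ValueError(f"unsupported tag {tag!r} at this position")
    return doc


def check_references(doc):
    """Return problems found: missing or duplicate SPDXIDs, packages without
    mandatory fields, relationships that point at elements not in the document."""
    problems, known = [], set()
    for element in [doc] + doc["packages"]:
        spdx_id = element.get("SPDXID")
        if spdx_id is None:
            problems.append(f"element {element.get('name', '?')} has no SPDXID")
        elif spdx_id in known:
            problems.append(f"duplicate SPDXID {spdx_id}")
        else:
            known.add(spdx_id)
    for package in doc["packages"]:
        missing = [f for f in ("name", "SPDXID", "downloadLocation") if f not in package]
        problems.extend(f"package {package.get('name', '?')} missing {f}" for f in missing)
    for rel in doc["relationships"]:
        for end in ("spdxElementId", "relatedSpdxElement"):
            if rel[end] not in known and rel[end] not in ("NOASSERTION", "NONE"):
                problems.append(f"relationship references unknown element {rel[end]}")
    return problems


def to_json(doc):
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    parsed = tag_value_to_dict(SAMPLE_TAG_VALUE)
    print(to_json(parsed))
    print("problems:", check_references(parsed))
```

The flat tag:value form is what makes line-by-line emission from CMake easy; the nesting only appears in the conversion step. A v3.0 generator would have to produce the nested JSON structure directly, and until v3.0 validators are available in the CI, consistency checks like the one in `check_references` (every relationship endpoint resolves to an element in the document) would have to be covered by the generator itself.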

    People

      qtbuildsystem Qt Build System Team
      alexandru.croitor Alexandru Croitor
      Votes: 0
      Watchers: 1

    Gerrit Reviews

      There are no open Gerrit changes