Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-129602

Annotate all qt_attribution.json files with CPE and PURL values

    XMLWordPrintable

Details

    • Task
    • Resolution: Unresolved
    • P2: Important
    • None
    • None
    • Build System: CMake
    • None
    • 36dca3c04 (dev), e2ba5d905 (6.8)

    Description

      All our 3rd party sources have (or should have) an accompanying qt_attribution.json file.

      To more easily track our 3rd party supply chain, we should add relevant CPE and PURL values to the qt_attribution.json files in all our repositories.

      What CPE and PURL means can be found at https://wiki.qt.io/SBOM#CPE_and_PURL_values_in_qt_attribution.json_files

      qtbase is handled via https://codereview.qt-project.org/c/qt/qtbase/+/578553

      We need to the same for the following repos:
      qt3d
      qt5compat
      qtapplicationmanager
      qtconnectivity
      qtdeclarative
      qtgrpc
      qtimageformats
      qtinterfaceframework
      qtmultimedia
      qtopcua
      qtpositioning
      qtquick3d
      qtsensors
      qtshadertools
      qtsvg
      qttools
      qtvehicleservices
      qtvirtualkeyboard
      qtwayland

      Attachments

        Issue Links

          is blocked by

          Bug - A problem which impairs or prevents the functions of the product. QTQAINFRA-6637 Update provisioned qdoc, qtattributionsscanner to Qt 6.8.0

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed
          split from

          User Story - Created by Jira Software - do not edit or delete. Issue type for a user story. QTBUG-122899 Generate SBOM from Qt build system

          • P2: Important - Urgent, should be fixed, but will not stop the release.
          • In Progress
          For Gerrit Dashboard: QTBUG-129602
          # Subject Branch Project Status CR V
          578553,44 CMake: Add PURL and CPE info to 3rd party attribution files dev qt/qtbase Status: MERGED +2 0
          604618,3 CMake: Add PURL and CPE info to 3rd party attribution files 6.8 qt/qtbase Status: MERGED +2 0

          Activity

            People

              qtbuildsystem Qt Build System Team
              alexandru.croitor Alexandru Croitor
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:

                Gerrit Reviews

                  There are no open Gerrit changes