Uploaded image for project: 'Qt'
  1. Qt
  2. QTBUG-129602

Annotate all qt_attribution.json files with CPE and PURL values

    XMLWordPrintable

Details

    • Task
    • Resolution: Unresolved
    • P2: Important
    • None
    • None
    • Build System: CMake, Documentation
    • None
    • 62d01b6bc (6.10), d6883b619 (6.10), 331c681fe (6.10), dc32953dd (6.10), 3eb183579 (6.9), 020473399 (6.9), d6642cd6f (6.9), 2e5fcb2a9 (6.10), b226d8793 (6.10), 7b253e40c (6.9), d52f12ea6 (6.9), 600ac9d15 (6.9), 5eb3a2221 (6.9), 1bc8ff9ee (6.9)

    Description

      All our 3rd party sources have (or should have) an accompanying qt_attribution.json file.

      To more easily track our 3rd party supply chain, we should add relevant CPE and PURL values to the qt_attribution.json files in all our repositories.

      What CPE and PURL means can be found at https://wiki.qt.io/SBOM#CPE_and_PURL_values_in_qt_attribution.json_files

      qtbase is handled via https://codereview.qt-project.org/c/qt/qtbase/+/578553

      We need to the same for the following repos:

      • qt3d attribution reference
      • qt5compat attribution reference
      • qtapplicationmanager attribution reference
      • qtconnectivity attribution reference
      • qtdeclarative attribution reference
      • qtgrpc attribution reference
      • qtimageformats attribution reference
      • qtinterfaceframework attribution reference
      • qtmultimedia attribution reference
      • qtopcua attribution reference
      • qtpositioning attribution reference
      • qtquick3d attribution reference
      • qtsensors attribution reference
      • qtshadertools attribution reference
      • qtsvg attribution reference
      • qttools attribution reference
      • qtvehicleservices attribution reference
      • qtvirtualkeyboard attribution reference
      • qtwayland attribution reference

      Attachments

        Issue Links

          is blocked by

          Bug - A problem which impairs or prevents the functions of the product. QTQAINFRA-6637 Update provisioned qdoc, qtattributionsscanner to Qt 6.8.0

          • P1: Critical - Urgent and Important, will STOP the release if matched with set FixVersion field. This includes regressions from the last version that are not edge cases; Data loss; Build issues; Flaky tests; All but the most unlikely crashes/lockups/hanging; Serious usability issues and embarrassing bugs & Bugs critical to a deliverable. This is the highest possible priority for requirements.
          • Closed
          split from

          User Story - Created by Jira Software - do not edit or delete. Issue type for a user story. QTBUG-122899 Generate SBOM from Qt build system

          • P2: Important - Urgent, should be fixed, but will not stop the release.
          • Closed
          mentioned in

          Page Loading...

          For Gerrit Dashboard: QTBUG-129602
          # Subject Branch Project Status CR V
          650313,1 CMake: Create an SBOM package for the ifcodegen tool dev qt/qtinterfaceframework Status: NEW 0 +1
          650370,1 CMake: Add PURL and CPE info to 3rd party attribution files 6.10 qt/qtapplicationmanager Status: NEW +2 0
          650528,1 CMake: Add PURL and CPE info to 3rd party attribution files 6.9 qt/qtdeclarative Status: NEW 0 0
          650535,1 CMake: Add PURL and CPE info to 3rd party attribution files tqtc/lts-6.8 qt/tqtc-qtmultimedia Status: NEW 0 0

          Activity

            People

              qtbuildsystem Qt Build System Team
              alexandru.croitor Alexandru Croitor
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:

                Gerrit Reviews

                  There are 4 open Gerrit changes