Qt / QTBUG-129605

Revisit how we handle system libraries when adding their information to the build SBOM


    • Type: Task
    • Resolution: Unresolved
    • Priority: P3: Somewhat important
    • Component: Build System: CMake

      According to https://wiki.qt.io/SBOM#System_library_processing:

      Currently, aside from the initial version that was found for the first call of find_package(systemlibrary), we don't persist other SBOM information for further lookups when configuring other repositories.

      Things we might want to persist, aside from the version, are regular info like copyrights and licenses.
      But our Find scripts don't usually provide that info.
      We'd have to annotate it, similar to qt_attribution.json files.
      It's also possible that the exact license and copyright is different between different versions, so the information might not be exact.

      We also don't differentiate between the cases when one system library is used during a build of one repo, but a different version of it might be used for building a subsequent repo or user project.

      This is relevant for both shared and static libraries, but in different ways.

      For shared libraries, at application runtime a different shared library version might be found compared to the one found during the build. The build SBOM can't really detect that, afaik.

      For static libraries, a different library version might be used during the final application linkage, compared to the one that was used during the Qt build.


Assignee: qtbuildsystem (Qt Build System Team)
Reporter: alexandru.croitor (Alexandru Croitor)