Details
- Task
- Resolution: Unresolved
- P3: Somewhat important
Description
According to https://wiki.qt.io/SBOM#System_library_processing:
Currently, aside from the version found by the first call of find_package(systemlibrary), we don't persist any other SBOM information for later lookups when configuring other repositories.
Things we might want to persist, aside from the version, are regular info like copyrights and licenses.
But our Find scripts don't usually provide that info.
We'd have to annotate it ourselves, similar to the qt_attribution.json files.
It's also possible that the exact license and copyright differ between versions, so the persisted information might not be exact.
We also don't differentiate between the cases where one system library version is used during the build of one repo, but a different version of it is used for building a subsequent repo or a user project.
This is relevant for both shared and static libraries, but in different ways.
For shared libraries, at application runtime a different shared library version might be found compared to the one found during the build. The build SBOM can't really detect that, afaik.
For static libraries, a different library version might be used during the final application linkage, compared to the one that was used during the Qt build.
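A check for the shared-library case described above, added here as an example that is not part of Qt or of this issue: it compares the library files recorded at build time with what `ldd` resolves on the machine that runs the application. The SBOM fragment and the `ldd` output are constructed sample data, and the `buildFile` field plus the rule that a package is matched to a runtime soname by its `lib<name>` stem are assumptions.

```python
"""Compare the system libraries recorded in a build-time SBOM with the ones an
application actually loads at runtime (the shared-library gap from the issue).
Added example, not Qt code. SBOM fragment and ldd output are constructed; the
'buildFile' field and matching packages to sonames by 'lib<name>' stem are assumptions."""
import re

# Constructed SPDX-like fragment written during the Qt build. versionInfo is the
# upstream version; buildFile is the real file find_package resolved to (assumed).
BUILD_SBOM = {"packages": [
    {"name": "libpng16",    "versionInfo": "1.6.40", "buildFile": "/usr/lib/libpng16.so.16.40.0"},
    {"name": "libz",        "versionInfo": "1.2.13", "buildFile": "/usr/lib/libz.so.1.2.13"},
    {"name": "libfreetype", "versionInfo": "2.13.2", "buildFile": "/usr/lib/libfreetype.so.6.20.1"},
    {"name": "libjpeg",     "versionInfo": "3.0.1",  "buildFile": "/usr/lib/libjpeg.so.8.3.2"},
]}

# Constructed `ldd app` output from the machine that runs the application.
RUNTIME_LDD = """\
    libpng16.so.16 => /usr/lib/libpng16.so.16.43.0 (0x00007f...)
    libz.so.1 => /usr/lib/libz.so.1.2.13 (0x00007f...)
    libfreetype.so.6 => /usr/lib/libfreetype.so.6.20.1 (0x00007f...)
    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f...)
"""

_LDD_LINE = re.compile(r"^\s*(?P<soname>\S+) => (?P<path>\S+)", re.M)

def parse_ldd(output):
    """Return {'libfoo': resolved path} for every 'soname => path' line."""
    return {m["soname"].split(".so")[0]: m["path"] for m in _LDD_LINE.finditer(output)}

def file_version(path):
    """'/usr/lib/libpng16.so.16.43.0' -> '16.43.0'. This is the soname/libtool
    version, not the upstream version, so files are compared with files."""
    return path.split(".so.", 1)[1] if ".so." in path else ""

def check_drift(sbom, ldd_output):
    """'same'/'drift' per recorded library, 'missing' if not loaded at runtime
    (e.g. linked statically), 'unrecorded' for runtime libraries absent from the SBOM."""
    runtime = parse_ldd(ldd_output)
    report = {"same": [], "drift": [], "missing": [], "unrecorded": []}
    for pkg in sbom["packages"]:
        name, built = pkg["name"], file_version(pkg["buildFile"])
        if name not in runtime:
            report["missing"].append(name)
        elif file_version(runtime[name]) == built:
            report["same"].append(name)
        else:
            report["drift"].append((name, built, file_version(runtime[name])))
    recorded = {p["name"] for p in sbom["packages"]}
    report["unrecorded"] = sorted(n for n in runtime if n not in recorded)
    return report
```

Run `check_drift(BUILD_SBOM, RUNTIME_LDD)` to see libpng16 reported as drifted, libjpeg as missing (not loaded, so possibly linked statically) and libcrypto as unrecorded; a real deployment would feed it the SBOM and the output of `ldd` on the installed binary.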
Issue Links
- split from QTBUG-122899 Generate SBOM from Qt build system (In Progress)