Project: Qt
Issue: QTBUG-129906

Consider making our SBOMs compliant with the German SBOM guideline


    • Type: User Story
    • Resolution: Unresolved
    • Priority: P2: Important
    • Build System: CMake

      The German BSI published a Technical Guidelines document on how to create SBOMs that are compliant with the CRA draft.

      https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2-2_0_0.pdf?__blob=publicationFile&v=3

      https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03183/TR-03183_node.html

      Going through the document, this is a list of informal notes on where we might not be compliant or which have not been addressed yet:

      • component name should be the file name (is this super strictly required?)
      • pure file names without paths not included
      • no sha512 checksum
      • whether a file is "structured"
      • potential 'LicenseRef-scancode-' refs to Qt licenses;
        found scancode Qt licenses at
        https://scancode-licensedb.aboutcode.org/?search=qt
      • the whole concluded open source vs commercial license thing
      • potentially reproducible builds
      • potentially including info about code generators like qlalr, syncqt, python execution used to generate qml regex jit tables
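As an added example (not Qt's own tooling and not part of this ticket), the following linter turns three of the notes above into mechanical checks over an SPDX 2.3 JSON SBOM: missing SHA512 checksums, file names that carry a path, and concluded licenses that rely on a 'LicenseRef-scancode-' identifier or are left as NOASSERTION. The JSON layout and the sample document are constructed assumptions; the checks encode the ticket's notes, not the full text of BSI TR-03183-2.

```python
"""Lint an SPDX 2.3 JSON SBOM for the gaps listed in QTBUG-129906.

Added example, not Qt's own tooling. Assumes SPDX 2.3 JSON with top-level
"packages" and "files" arrays; the sample below is constructed, not a real
Qt SBOM, and the checks are a loose encoding of the ticket's notes.
"""
import json
import posixpath

# Constructed sample: one package that passes, one file that trips all checks
# (path in fileName, only SHA256, and a scancode LicenseRef placeholder).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"SPDXID": "SPDXRef-Package-qtbase", "name": "qtbase",
         "licenseConcluded": "LGPL-3.0-only",
         "checksums": [{"algorithm": "SHA512", "checksumValue": "0" * 128}]},
    ],
    "files": [
        {"SPDXID": "SPDXRef-File-1", "fileName": "./lib/libQt6Core.so.6",
         "licenseConcluded": "LicenseRef-scancode-placeholder",  # constructed
         "checksums": [{"algorithm": "SHA256", "checksumValue": "a" * 64}]},
    ],
})


def lint_sbom(text: str) -> list[str]:
    """Return human-readable findings; an empty list means no gaps were found."""
    doc = json.loads(text)
    findings = []
    for kind, name_key in (("packages", "name"), ("files", "fileName")):
        for item in doc.get(kind, []):
            ident = item.get("SPDXID", "?")
            name = item.get(name_key, "")
            algos = {c.get("algorithm", "").upper() for c in item.get("checksums", [])}
            if "SHA512" not in algos:
                findings.append(f"{ident}: no SHA512 checksum (has {sorted(algos) or 'none'})")
            # Guideline note: the component/file name should be the bare file name.
            if kind == "files" and name != posixpath.basename(name):
                findings.append(f"{ident}: fileName {name!r} carries a path; bare file name expected")
            lic = item.get("licenseConcluded", "NOASSERTION")
            if lic.startswith("LicenseRef-scancode-"):
                findings.append(f"{ident}: uses {lic}; confirm it maps to the intended Qt license")
            elif lic in ("NOASSERTION", "NONE"):
                findings.append(f"{ident}: licenseConcluded is {lic}")
    return findings


if __name__ == "__main__":
    for line in lint_sbom(SAMPLE_SBOM):
        print(line)
```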


            Qt Build System Team (qtbuildsystem)
            Alexandru Croitor (alexandru.croitor)
