Qt: QTBUG-129906

Consider making our SBOMs compliant with the German SBOM guideline


Details

    • User Story
    • Resolution: Unresolved
    • P2: Important
    • Build System: CMake

    Description

      The German BSI published a Technical Guidelines document on how to create SBOMs to be compliant with the CRA draft.

      https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2-2_0_0.pdf?__blob=publicationFile&v=3

      https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03183/TR-03183_node.html

      Going through the document, this is a list of informal notes where we might not be compliant or have not addressed the point yet:

      • component name should be the file name (is this super strictly required?), 
      • pure file names without paths not included
      • no sha512 checksum
      • whether a file is "structured"
      • potential 'LicenseRef-scancode-' refs to qt licenses,
        found scancode qt licenses
        https://scancode-licensedb.aboutcode.org/?search=qt
      • the whole concluded open source vs commercial license thing
      • potentially reproducible builds
      • potentially including info about code generators like qlalr, syncqt, python execution used to generate qml regex jit tables
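      The first few notes above (file name as component name, no paths in file names, missing SHA-512 checksum, concluded license) are mechanically checkable. The following is an added example, not code from the Qt project or from the BSI document: a small Python checker that walks the packages of an SPDX 2.3 JSON document and reports each package that misses one of those points. It assumes the SBOM is in SPDX JSON form (the field names `packageFileName`, `checksums`, `licenseConcluded` are the SPDX ones) and uses a constructed two-package sample, in which one package is deliberately incomplete so the checks have something to report.

```python
import json
import posixpath

# Constructed sample SPDX 2.3 JSON document (not a real Qt SBOM). The second
# package is deliberately incomplete so the checks below have findings.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "packages": [
        {
            "SPDXID": "SPDXRef-libfoo",
            "name": "libfoo.so.1",
            "packageFileName": "libfoo.so.1",
            "versionInfo": "1.0.0",
            "licenseConcluded": "LGPL-3.0-only",
            "checksums": [
                {"algorithm": "SHA256", "checksumValue": "00" * 32},
                {"algorithm": "SHA512", "checksumValue": "00" * 64},
            ],
        },
        {
            "SPDXID": "SPDXRef-bar",
            "name": "bar",
            "packageFileName": "lib/bar.so",
            "versionInfo": "2.1",
            "licenseConcluded": "NOASSERTION",
            "checksums": [
                {"algorithm": "SHA256", "checksumValue": "11" * 32},
            ],
        },
    ],
})


def check_package(pkg: dict) -> list:
    """Return a list of (spdx_id, message) findings for one SPDX package."""
    findings = []
    spdx_id = pkg.get("SPDXID", "<no SPDXID>")
    file_name = pkg.get("packageFileName")

    # Issue note: the component name should be the file name.
    if file_name is None:
        findings.append((spdx_id, "no packageFileName recorded"))
    else:
        # Issue note: pure file names, without paths.
        if "/" in file_name or "\\" in file_name:
            findings.append((spdx_id, f"packageFileName contains a path: {file_name}"))
        base = posixpath.basename(file_name)
        if pkg.get("name") != base:
            findings.append((spdx_id, f"name {pkg.get('name')!r} != file name {base!r}"))

    # Issue note: SHA-512 checksum is required; SPDX names the algorithm "SHA512".
    algorithms = {c.get("algorithm") for c in pkg.get("checksums", [])}
    if "SHA512" not in algorithms:
        findings.append((spdx_id, "no SHA512 checksum"))

    # Issue note: concluded license. Flag the SPDX placeholders for "unknown".
    if pkg.get("licenseConcluded", "NOASSERTION") in ("NOASSERTION", "NONE"):
        findings.append((spdx_id, "licenseConcluded is not a concrete license"))

    return findings


def check_sbom(sbom_json: str) -> list:
    """Run check_package over every package in an SPDX JSON document."""
    doc = json.loads(sbom_json)
    findings = []
    for pkg in doc.get("packages", []):
        findings.extend(check_package(pkg))
    return findings


if __name__ == "__main__":
    for spdx_id, message in check_sbom(SAMPLE_SBOM):
        print(f"{spdx_id}: {message}")
```

      Run against the constructed sample, the checker reports nothing for `SPDXRef-libfoo` and four findings for `SPDXRef-bar` (path in file name, name differing from the file name, missing SHA512, no concrete concluded license). Which of these are hard requirements versus recommendations is exactly the open question the notes above raise, so the checker reports rather than fails.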

      People

        qtbuildsystem Qt Build System Team
        alexandru.croitor Alexandru Croitor
