Chromium is missing from the Qt 6.8 SBOM. SBOM should cover all Qt WebEngine third party components, including Chroumium. 

This task was identified as part of the CRA compliance assessment:

Expand SBOM structure to include all third-party components, for example Chromium in Qt Framework, to a feasible depth. The SBOM should provide the information required to identify potential known vulnerabilities in third-party components. The CRA minimum requirement is a top-level SBOM.

Outcome

SBOMs cover Chromium.

Reasoning

The CRA requires that Qt produce a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies for each product. The CRA's key purpose of the SBOM is to enable Qt to ensure that its products do not contain vulnerable components developed by third parties. It is thus of utmost importance that the SBOM covers all third-party components in the product, at the very least on a top-level.

CRA Reference

Section 77

OWASP SAMM reference

Implementation business function:
Secure Build practice includes activities such as keeping a record of all dependencies and including at least the following information:

• where it is used or referenced
• version used
• license
• source information (link to repository, author's name, etc.)
• support and maintenance status of the dependency.