Details
Type: Bug
Resolution: Fixed
Priority: P1: Critical
Affects Version/s: None
Fix Version/s: 6.8
Commits: 7b639eabc (dev), cecff9ec4 (dev), 83521f665 (6.8), 0577c450b (6.8)
Description
We have conducted a cross-check of third party components in the Qt 6.8 SBOM and documentation (Third-Party Code Used in Qt | Qt 6.8: https://doc.qt.io/qt-6/licenses-used-in-qt.html).
Method
The review was done manually by searching the SBOM SPDX files for all the third party components presented in the Qt 6.8 documentation (source above). Search expressions used: the component name, the source code file name, the component version number, and the names of authors and licenses. Matches were validated against all the information provided in the component documentation, i.e. a cluster of search expressions. Components were mapped to the SPDX files they are located in.
Findings
We found deficiencies in the SBOM coverage of third party components. Results can be found here: Third party components_SBOM_mapping.xlsx
Major deficiencies are in Qt Wayland Compositor and Qt WebEngine. There already exists a bug about Qt WebEngine and its third party components: QTBUG-131377 Include Chromium in SBOM - Qt Bug Tracker.
Next steps
Inconsistencies between documentation and SBOM content should be addressed by either updating documentation or assessing problems with SBOM generation.
This task is a refinement of a CRA backlog item:
Expand SBOM structure to include all third-party components, for example Chromium in Qt Framework, to a feasible depth. The SBOM should provide the information required to identify potential known vulnerabilities in third-party components. The CRA minimum requirement is a top-level SBOM.
Outcome
SBOMs cover all third party components on a targeted level, at the very least top-level dependencies.
Reasoning
The CRA requires that Qt produce a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies for each product. The CRA's key purpose of the SBOM is to enable Qt to ensure that its products do not contain vulnerable components developed by third parties. It is thus of utmost importance that the SBOM covers all third-party components in the product, at the very least on a top-level.
CRA reference
Section 77
OWASP SAMM reference
Implementation business function:
Secure Build practice includes activities such as keeping a record of all dependencies and including at least the following information:
- where it is used or referenced
- version used
- license
- source information (link to repository, author's name, etc.)
- support and maintenance status of the dependency.
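The following is an added example, not Qt's own SBOM tooling or the reviewer's mapping spreadsheet, of automating the cross-check described under Method and of producing the per-dependency record the SAMM Secure Build practice lists above. It parses an SPDX 2.x tag-value document of the kind the .spdx files are, matches each documented component to a package by name, compares version, license and the module the component is used in, and reports components that are missing from the SBOM or whose recorded data disagrees with the documentation. The SBOM text, the documented component table, and every package name, version, license and URL in them are constructed for illustration.

```python
"""Added example: cross-check documented third-party components against an SPDX
tag-value SBOM and emit a per-dependency record (use, version, license, source).
Not Qt's own SBOM tooling; all input below is constructed for illustration."""
import re
from dataclasses import dataclass, field

# Constructed SPDX 2.x tag-value document standing in for a generated .spdx file.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: qtbase-example

PackageName: qtbase
SPDXID: SPDXRef-Package-qtbase
PackageVersion: 6.8.0
PackageLicenseConcluded: LGPL-3.0-only
PackageDownloadLocation: NOASSERTION

PackageName: zlib
SPDXID: SPDXRef-Package-zlib
PackageVersion: 1.3.1
PackageLicenseConcluded: Zlib
PackageDownloadLocation: https://zlib.net/
PackageSupplier: Organization: Jean-loup Gailly and Mark Adler

PackageName: libpng
SPDXID: SPDXRef-Package-libpng
PackageVersion: 1.6.43
PackageLicenseConcluded: libpng-2.0
PackageDownloadLocation: http://www.libpng.org/

Relationship: SPDXRef-Package-qtbase CONTAINS SPDXRef-Package-zlib
Relationship: SPDXRef-Package-qtbase CONTAINS SPDXRef-Package-libpng
"""

# Constructed stand-in for the documented component table (name, version,
# license, Qt module). The libpng version deliberately disagrees with the SBOM
# and PCRE2 is deliberately absent from it, to exercise both failure paths.
DOCUMENTED = [
    {"name": "zlib", "version": "1.3.1", "license": "Zlib", "module": "qtbase"},
    {"name": "libpng", "version": "1.6.44", "license": "libpng-2.0", "module": "qtbase"},
    {"name": "PCRE2", "version": "10.44", "license": "BSD-3-Clause", "module": "qtbase"},
]


@dataclass
class Package:
    name: str
    spdx_id: str = ""
    version: str = ""
    license: str = ""
    download: str = ""
    supplier: str = ""
    contained_in: list = field(default_factory=list)  # names of containing packages


TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")
FIELDS = {"SPDXID": "spdx_id", "PackageVersion": "version",
          "PackageLicenseConcluded": "license",
          "PackageDownloadLocation": "download", "PackageSupplier": "supplier"}


def parse_spdx_tag_value(text):
    """Return the packages of a tag-value SPDX document with CONTAINS relationships
    resolved. Only single-line tag values are handled; multi-line <text> blocks are
    not needed for the fields compared here."""
    packages, relationships, current = [], [], None
    for raw in text.splitlines():
        m = TAG_RE.match(raw.strip())
        if not m:
            continue
        tag, value = m.groups()
        if tag == "PackageName":            # a new package section starts here
            current = Package(name=value)
            packages.append(current)
        elif tag == "Relationship":         # "<id> CONTAINS <id>" and similar
            relationships.append(value.split())
        elif current is not None and tag in FIELDS:
            setattr(current, FIELDS[tag], value)
    by_id = {p.spdx_id: p for p in packages}
    for rel in relationships:
        if len(rel) == 3 and rel[1] == "CONTAINS" and rel[0] in by_id and rel[2] in by_id:
            by_id[rel[2]].contained_in.append(by_id[rel[0]].name)
    return packages


def cross_check(documented, packages):
    """Map each documented component to an SBOM package (case-insensitive name
    match) and compare version, license and the module it is recorded under."""
    by_name = {p.name.lower(): p for p in packages}
    report = {"covered": [], "mismatched": [], "missing": []}
    for doc in documented:
        pkg = by_name.get(doc["name"].lower())
        if pkg is None:
            report["missing"].append(doc["name"])
            continue
        problems = []
        if pkg.version != doc["version"]:
            problems.append(f"version: SBOM {pkg.version}, documented {doc['version']}")
        if pkg.license != doc["license"]:
            problems.append(f"license: SBOM {pkg.license}, documented {doc['license']}")
        if doc["module"] not in pkg.contained_in:
            problems.append(f"not recorded as contained in {doc['module']}")
        if problems:
            report["mismatched"].append((doc["name"], problems))
        else:
            report["covered"].append(doc["name"])
    return report


def dependency_record(pkg):
    """The minimum dependency record the SAMM Secure Build practice asks for."""
    return {"component": pkg.name, "used_in": sorted(pkg.contained_in),
            "version": pkg.version, "license": pkg.license,
            "source": pkg.download, "supplier": pkg.supplier or "NOASSERTION"}


if __name__ == "__main__":
    pkgs = parse_spdx_tag_value(SAMPLE_SPDX)
    rep = cross_check(DOCUMENTED, pkgs)
    for name, problems in rep["mismatched"]:
        print("MISMATCH", name, "->", "; ".join(problems))
    for name in rep["missing"]:
        print("MISSING", name)
    for p in pkgs:
        if p.contained_in:
            print(dependency_record(p))
```

Run against the real .spdx files, the "missing" list is the SBOM coverage gap the review reports and the "mismatched" list is the documentation-versus-SBOM inconsistency that the Next steps section says must be resolved on one side or the other. Name matching alone is deliberately loose, mirroring the manual search; the version and license comparison is what catches a package that is present but recorded with stale data.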
Issue Links
- relates to: QTBUG-131377 Include Chromium in SBOM (Closed)
For Gerrit Dashboard: QTBUG-131477

# | Subject | Branch | Project | Status | CR | V
---|---|---|---|---|---|---
608611,2 | CMake: Add imgui attribution to SBOM | 6.8 | qt/qt3d | MERGED | +2 | 0
608623,5 | CMake: Add missing SBOM attribution entries | dev | qt/qtbase | MERGED | +2 | 0
608631,2 | CMake: Add imgui attribution to SBOM | dev | qt/qt3d | MERGED | +2 | 0
608722,2 | CMake: Add missing SBOM attribution entries | 6.8 | qt/qtbase | MERGED | +2 | 0