QTBUG-131477

Review SBOM generation and documentation to include third party components


Details

    • Bug
    • Resolution: Fixed
    • P1: Critical
    • None
    • 6.8
    • Other
    • 7b639eabc (dev), cecff9ec4 (dev), 83521f665 (6.8), 0577c450b (6.8)

    Description

      We have conducted a cross-check of the third-party components in the Qt 6.8 SBOM against the documentation (Third-Party Code Used in Qt | Qt 6.8: https://doc.qt.io/qt-6/licenses-used-in-qt.html).

      Method

      The review was done manually by searching the SBOM SPDX files for every third-party component listed in the Qt 6.8 documentation (source above). Search expressions used: the component name, the source code file name, the component version number, and the names of authors and licenses. A match was validated against all the information given for the component in the documentation, i.e. the whole cluster of search expressions had to agree rather than a single one. Each component was then mapped to the SPDX file(s) it is located in.
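      The cross-check described above, as an added example rather than code from the Qt project or from this issue: a Python script that parses SPDX tag-value files into package records, searches each record for a documented component using the same cluster of expressions (name, version, license, author), and maps every hit to the file it sits in. A name hit corroborated by at least one further expression counts as found; a name-only hit is reported separately as unvalidated, since a substring such as "Wayland" also matches the Qt module package itself. The SPDX file names, their contents and the component list are constructed for illustration and are not Qt's real SBOM data; that the SBOM is SPDX 2.x tag-value text is an assumption of the example.

```python
"""Cross-check documented third-party components against SPDX SBOM files.
Added example, not Qt project code: assumes SPDX 2.x tag-value text; the
file names, SPDX content and component list below are constructed."""
import re

# Constructed SPDX documents keyed by a hypothetical file name.
SPDX_FILES = {
    "qtbase.spdx": """\
SPDXVersion: SPDX-2.3
SPDXID: SPDXRef-DOCUMENT
PackageName: zlib
SPDXID: SPDXRef-Package-zlib
PackageVersion: 1.3.1
PackageLicenseDeclared: Zlib
PackageOriginator: Person: Jean-loup Gailly
PackageAttributionText: <text>Used by qtbase for compression
</text>
PackageName: PCRE2
SPDXID: SPDXRef-Package-pcre2
PackageVersion: 10.44
PackageLicenseDeclared: BSD-3-Clause
""",
    "qtwayland.spdx": """\
PackageName: qtwayland
SPDXID: SPDXRef-Package-qtwayland
PackageVersion: 6.8.0
PackageLicenseDeclared: LGPL-3.0-only
""",
}

# Constructed "as documented" components with the review's search expressions.
DOCUMENTED = [
    {"name": "zlib", "version": "1.3.1", "license": "Zlib", "author": "Gailly"},
    {"name": "PCRE2", "version": "10.44", "license": "BSD-3-Clause"},
    {"name": "Wayland", "version": "1.23.0", "license": "MIT"},
    {"name": "Wayland Protocols", "version": "1.36", "license": "MIT"},
]

# One tag-value pair; multi-line values are wrapped in <text>...</text>.
TAG_RE = re.compile(
    r"^(?P<tag>[A-Za-z]+):[ \t]*(?:<text>(?P<multi>.*?)</text>|(?P<single>[^\n]*))",
    re.M | re.S,
)


def parse_spdx_packages(file_name, content):
    """One dict per Package section (tag -> value, plus the source file);
    document-header tags and File/Snippet/Relationship sections are skipped."""
    packages, current = [], None
    for m in TAG_RE.finditer(content):
        tag = m.group("tag")
        value = (m.group("multi") if m.group("multi") is not None else m.group("single")).strip()
        if tag == "PackageName":
            current = {"_file": file_name, tag: value}
            packages.append(current)
        elif tag in ("FileName", "SnippetSPDXID", "Relationship"):
            current = None
        elif current is not None:
            current[tag] = value
    return packages


def match_component(component, package):
    """Return which of the component's search expressions this package matches."""
    matched = []
    if component["name"].lower() in package.get("PackageName", "").lower():
        matched.append("name")
    if component.get("version") and component["version"] == package.get("PackageVersion"):
        matched.append("version")
    licenses = " ".join(package.get(t, "") for t in ("PackageLicenseDeclared", "PackageLicenseConcluded")).lower()
    if component.get("license") and component["license"].lower() in licenses:
        matched.append("license")
    whole = "\n".join(f"{k}: {v}" for k, v in package.items()).lower()  # author may sit in any tag
    if component.get("author") and component["author"].lower() in whole:
        matched.append("author")
    return matched


def cross_check(spdx_files, documented, min_matches=2):
    """Map each documented component to the SPDX files whose packages match it:
    found (name plus corroboration), unvalidated (name only) or missing."""
    packages = [p for f, text in spdx_files.items() for p in parse_spdx_packages(f, text)]
    report = {"found": {}, "unvalidated": {}, "missing": []}
    for comp in documented:
        strong, weak = [], []
        for pkg in packages:
            matched = match_component(comp, pkg)
            if "name" in matched:
                hit = {"file": pkg["_file"], "spdxid": pkg.get("SPDXID"), "matched": matched}
                (strong if len(matched) >= min_matches else weak).append(hit)
        if strong:
            report["found"][comp["name"]] = strong
        elif weak:
            report["unvalidated"][comp["name"]] = weak
        else:
            report["missing"].append(comp["name"])
    return report


if __name__ == "__main__":
    for status, entries in cross_check(SPDX_FILES, DOCUMENTED).items():
        print(f"{status}: {entries}")
```

      Run on real files, `SPDX_FILES` would be read from disk and `DOCUMENTED` scraped from the documentation page; the "unvalidated" bucket is the list to inspect by hand, and the "missing" bucket is the SBOM coverage gap to raise against either the documentation or the SBOM generation.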

      Findings

      We found deficiencies in the SBOM coverage of third party components. Results can be found here: Third party components_SBOM_mapping.xlsx

      Major deficiencies are in Qt Wayland Compositor and Qt WebEngine. There is already a bug for Qt WebEngine and its third-party components: QTBUG-131377 (Include Chromium in SBOM).

      Next steps

      Inconsistencies between the documentation and the SBOM content should be addressed either by updating the documentation or by assessing problems with the SBOM generation.

      This task is a refinement of a CRA backlog item:

      Expand SBOM structure to include all third-party components, for example Chromium in Qt Framework, to a feasible depth. The SBOM should provide the information required to identify potential known vulnerabilities in third-party components. The CRA minimum requirement is a top-level SBOM.

      Outcome

      SBOMs cover all third-party components to a targeted depth, at the very least top-level dependencies.

      Reasoning

      The CRA requires that Qt produce a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of each product. The CRA's key purpose for the SBOM is to enable Qt to ensure that its products do not contain vulnerable components developed by third parties. It is thus of utmost importance that the SBOM covers all third-party components in the product, at the very least at top level.

      CRA reference

      Section 77

      OWASP SAMM reference

      Implementation business function:
      The Secure Build practice includes activities such as keeping a record of all dependencies, including at least the following information:

      • where it is used or referenced
      • version used
      • license
      • source information (link to repository, author's name, etc.)
      • support and maintenance status of the dependency.

      People

        alexandru.croitor Alexandru Croitor
        elri Ella Rinnemaa
        Petri Maanonen Petri Maanonen
        Kai Köhne Kai Köhne
        Votes: 0
        Watchers: 4

      Gerrit Reviews

        There are no open Gerrit changes