Details
Task
Resolution: Fixed
P2: Important
52a64aca2 (dev), 057ef3e1d (6.9), 25d9a458b (6.8)
Description
Currently the Creator Person / Organization fields in the REUSE-generated source SBOMs are Anonymous.
For example, in $qt_installer/6.8.1/macos/sbom/qtbase-6.8.1.source.spdx:
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: qtbase
DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-c755b969-dc44-4507-a3b0-bad614c0a41c
Creator: Person: Anonymous ()
Creator: Organization: Anonymous ()
Creator: Tool: reuse-5.0.2
Created: 2024-11-20T15:49:31Z
CreatorComment: <text>This document was created automatically using available reuse information consistent with REUSE.</text>
We should probably set it to the same Organization as the one specified in the generated build SBOM:
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: qtbase-6.8.1
DocumentNamespace: https://qt.io/spdxdocs/qtbase-6.8.1
Creator: Organization: TheQtCompany
Creator: Tool: Qt Build System
CreatorComment: <text>This SPDX document was created from CMake 3.30.5, using the qt build system from https://code.qt.io/cgit/qt/qtbase.git/tree/cmake/QtPublicSbomHelpers.cmake</text>
Created: 2024-11-20T15:08:22Z
reuse accepts command-line arguments for that:
$ reuse spdx --help
Usage: reuse spdx [OPTIONS]

  Generate an SPDX bill of materials.

Options:
  -o, --output FILENAME        File to write to.
  --add-license-concluded      Populate the LicenseConcluded field; note that reuse cannot guarantee that the field is accurate.
  --creator-person TEXT        Name of the person signing off on the SPDX report.
  --creator-organization TEXT  Name of the organization signing off on the SPDX report.
  --help
The build system code should pass those when calling reuse, but only when targeting Qt repos.
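The following is an added example, not code from the Qt build system or from reuse. It does two things a practitioner would want around this fix: it assembles the `reuse spdx` command line with the `--creator-organization` (and optionally `--creator-person`) options listed in the help text above, and it checks a generated SPDX tag:value document for placeholder creators, so a build can fail loudly if the Creator fields still say `Anonymous ()`. The two SPDX headers embedded below are constructed samples modelled on the documents quoted in this issue; the function names and the output filename are assumptions for illustration.

```python
"""Check the Creator fields of an SPDX tag:value document and build the
reuse invocation that sets them (added example, not Qt's build-system code)."""
import re
from typing import Dict, List

# Constructed sample: header of an SBOM generated by `reuse spdx` without
# --creator-* options, mirroring the anonymous document quoted in this issue.
ANONYMOUS_SBOM = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: qtbase
Creator: Person: Anonymous ()
Creator: Organization: Anonymous ()
Creator: Tool: reuse-5.0.2
Created: 2024-11-20T15:49:31Z
"""

# Constructed sample: the same header once --creator-organization is passed.
FIXED_SBOM = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: qtbase
Creator: Organization: TheQtCompany
Creator: Tool: reuse-5.0.2
Created: 2024-11-20T15:49:31Z
"""

# SPDX 2.x tag:value form: "Creator: <Person|Organization|Tool>: <value>"
CREATOR_RE = re.compile(r"^Creator:\s*(Person|Organization|Tool):\s*(.*)$")


def parse_creators(spdx_text: str) -> Dict[str, List[str]]:
    """Return every Creator entry grouped by kind (Person/Organization/Tool)."""
    creators: Dict[str, List[str]] = {"Person": [], "Organization": [], "Tool": []}
    for line in spdx_text.splitlines():
        m = CREATOR_RE.match(line.strip())
        if m:
            creators[m.group(1)].append(m.group(2).strip())
    return creators


def anonymous_creators(spdx_text: str) -> List[str]:
    """List Person/Organization creators that are placeholders.

    reuse writes 'Anonymous ()' for both when no --creator-* option is given;
    an empty name is treated the same way. Tool entries are always fine.
    """
    found: List[str] = []
    for kind, values in parse_creators(spdx_text).items():
        if kind == "Tool":
            continue
        for value in values:
            # Strip the optional "(email)" suffix before comparing the name.
            name = value.split("(", 1)[0].strip()
            if not name or name.lower() == "anonymous":
                found.append(f"{kind}: {value}")
    return found


def reuse_spdx_argv(output: str, organization: str, person: str = "") -> List[str]:
    """Build the `reuse spdx` argv using the options from `reuse spdx --help`.

    A Qt-repo build would pass only the organization, matching the build SBOM;
    --creator-person is added only if a person is supplied.
    """
    argv = ["reuse", "spdx", "-o", output, "--creator-organization", organization]
    if person:
        argv += ["--creator-person", person]
    return argv


if __name__ == "__main__":
    print("anonymous (before):", anonymous_creators(ANONYMOUS_SBOM))
    print("anonymous (after): ", anonymous_creators(FIXED_SBOM))
    print(" ".join(reuse_spdx_argv("qtbase-6.8.1.source.spdx", "TheQtCompany")))
```

`anonymous_creators` is the post-generation check: run it over the file written by `reuse spdx -o ...` and fail the build if the list is non-empty, so a regression to the placeholder creators cannot ship silently in the installer.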
Issue Links
relates to QTBUG-122899 Generate SBOM from Qt build system (Closed)