QTBUG-133796

Use correct info for Creator Organization in REUSE-generated source SBOMs


Details

    Commits: 52a64aca2 (dev), 057ef3e1d (6.9), 25d9a458b (6.8)

    Description

      Currently the Creator Person / Organization in REUSE-generated source SBOMs is Anonymous.

      For example, in $qt_installer/6.8.1/macos/sbom/qtbase-6.8.1.source.spdx:

      SPDXVersion: SPDX-2.1
      DataLicense: CC0-1.0
      SPDXID: SPDXRef-DOCUMENT
      DocumentName: qtbase
      DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-c755b969-dc44-4507-a3b0-bad614c0a41c
      Creator: Person: Anonymous ()
      Creator: Organization: Anonymous ()
      Creator: Tool: reuse-5.0.2
      Created: 2024-11-20T15:49:31Z
      CreatorComment: <text>This document was created automatically using available reuse information consistent with REUSE.</text>
      
      Creator: Person: Anonymous ()
      Creator: Organization: Anonymous ()
      

      We should probably set it to the same Organization as the one specified in the generated build SBOM.

      SPDXVersion: SPDX-2.3
      DataLicense: CC0-1.0
      SPDXID: SPDXRef-DOCUMENT
      DocumentName: qtbase-6.8.1
      DocumentNamespace: https://qt.io/spdxdocs/qtbase-6.8.1
      Creator: Organization: TheQtCompany
      Creator: Tool: Qt Build System
      CreatorComment: <text>This SPDX document was created from CMake 3.30.5, using the qt
      build system from https://code.qt.io/cgit/qt/qtbase.git/tree/cmake/QtPublicSbomHelpers.cmake</text>
      Created: 2024-11-20T15:08:22Z
      

      reuse accepts command-line arguments for that:

      $ reuse spdx --help
      Usage: reuse spdx [OPTIONS]
      
        Generate an SPDX bill of materials.
      
      Options:
        -o, --output FILENAME        File to write to.
        --add-license-concluded      Populate the LicenseConcluded field; note that
                                     reuse cannot guarantee that the field is
                                     accurate.
        --creator-person TEXT        Name of the person signing off on the SPDX
                                     report.
        --creator-organization TEXT  Name of the organization signing off on the
                                     SPDX report.
        --help
      

      The build system code should pass those when calling reuse, but only when targeting qt repos.
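The following is an added example, not code from the Qt build system or from the reuse tool: a small Python checker for the tag-value SPDX format shown above that reads the `Creator:` entries and reports documents where the Person or Organization is still reuse's default `Anonymous ()`. Such a check is useful as a gate on generated SBOMs, since a consumer of the installer cannot attribute a source SBOM whose creator is a placeholder. The two sample documents are constructed from the headers quoted in this report; the function names (`parse_tag_value`, `creators`, `check_creator`) are this example's own.

```python
"""Validate the Creator fields of SPDX 2.x tag-value documents.

Added example (not Qt's or reuse's code). It parses the tag-value format,
collects Creator: Person / Organization / Tool entries, and flags the
"Anonymous ()" placeholder that reuse writes when --creator-person and
--creator-organization are not passed.
"""
import re
from dataclasses import dataclass, field

# Header of a REUSE-generated source SBOM (sample constructed from the issue).
REUSE_SOURCE_SBOM = """\
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: qtbase
Creator: Person: Anonymous ()
Creator: Organization: Anonymous ()
Creator: Tool: reuse-5.0.2
Created: 2024-11-20T15:49:31Z
CreatorComment: <text>This document was created automatically using available reuse information consistent with REUSE.</text>
"""

# Header of the build SBOM written by the Qt build system (sample constructed from the issue).
QT_BUILD_SBOM = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: qtbase-6.8.1
DocumentNamespace: https://qt.io/spdxdocs/qtbase-6.8.1
Creator: Organization: TheQtCompany
Creator: Tool: Qt Build System
CreatorComment: <text>This SPDX document was created from CMake 3.30.5, using the qt
build system from https://code.qt.io/cgit/qt/qtbase.git/tree/cmake/QtPublicSbomHelpers.cmake</text>
Created: 2024-11-20T15:08:22Z
"""

TAG_LINE = re.compile(r"^([A-Za-z]+):\s*(.*)$")
CREATOR = re.compile(r"^(Person|Organization|Tool):\s*(.*)$")


def parse_tag_value(text):
    """Return the document as a list of (tag, value) pairs.

    Multi-line <text>...</text> values (used by CreatorComment above) are
    joined onto the value of the tag that opened them.
    """
    pairs = []
    in_text = False
    for line in text.splitlines():
        if in_text:
            tag, value = pairs[-1]
            pairs[-1] = (tag, value + "\n" + line)
            if "</text>" in line:
                in_text = False
            continue
        m = TAG_LINE.match(line)
        if not m:
            continue  # blank lines and anything that is not "Tag: value"
        tag, value = m.group(1), m.group(2)
        pairs.append((tag, value))
        if "<text>" in value and "</text>" not in value:
            in_text = True
    return pairs


@dataclass
class CreatorInfo:
    persons: list = field(default_factory=list)
    organizations: list = field(default_factory=list)
    tools: list = field(default_factory=list)


def creators(text):
    """Split the Creator: entries by kind (Person / Organization / Tool)."""
    info = CreatorInfo()
    buckets = {"Person": info.persons, "Organization": info.organizations, "Tool": info.tools}
    for tag, value in parse_tag_value(text):
        if tag != "Creator":
            continue
        m = CREATOR.match(value)
        if m:
            buckets[m.group(1)].append(m.group(2).strip())
    return info


def is_placeholder(name):
    # reuse writes "Anonymous ()" when no --creator-* option is given;
    # an empty name or a bare "()" is treated the same way.
    bare = name.replace("()", "").strip()
    return bare == "" or bare.lower() == "anonymous"


def check_creator(text):
    """Return a list of findings; an empty list means the creator info is usable."""
    info = creators(text)
    findings = []
    if not info.organizations:
        findings.append("no Creator: Organization entry")
    findings += [f"placeholder organization: {o!r}" for o in info.organizations if is_placeholder(o)]
    findings += [f"placeholder person: {p!r}" for p in info.persons if is_placeholder(p)]
    return findings


if __name__ == "__main__":
    for label, doc in (("reuse source SBOM", REUSE_SOURCE_SBOM), ("Qt build SBOM", QT_BUILD_SBOM)):
        print(label, "->", check_creator(doc) or "OK")
```

Run against the two samples, the reuse-generated document is reported for both placeholder entries and the build SBOM passes. Pointing `check_creator` at the files under `$qt_installer/<version>/<platform>/sbom/` is a cheap way to confirm that a build actually passed `--creator-organization` through to reuse.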

            People

              Alexandru Croitor