Details
- Task
- Resolution: Unresolved
- P3: Somewhat important
Description
While working on the SBOM for Qt Creator and Qt Design Studio, I encountered some points that could be improved:
https://codereview.qt-project.org/c/qt-creator/qt-creator/+/615674/42//COMMIT_MSG#13
Keeping them here so as to not forget them.
- Non-intuitive behavior: a target file is not added to the SBOM when it's created in the same directory as the qt_sbom_project_end() call, because the target is finalized after sbom_end() has been called. Consider adding a check for this in a finalizer in Qt itself if possible.
- Need to come up with a way to reference sbom directories for the standalone plugin build case, without having to specify QT_ADDITIONAL_SBOM_DOCUMENT_PATHS explicitly, so we need to 'save' the info somehow like we do for qt sbom paths. Perhaps by exporting some target properties to carry the info and match it back to the Foo_DIR var of the originating package.
- Consider creating minimal sbom packages for targets that are not sbom-aware. We can't provide any meaningful data for them, but at least other targets that depend on them via target_link_libraries will have them as dependencies in the sbom, and can thus signal 'unknown' extra deps.
Issue Links
- relates to: QTBUG-129609 Provide a public CMake API for user projects to generate an SBOM (In Progress)
- split from: QTBUG-122899 Generate SBOM from Qt build system (Closed)