Qt project issue QTBUG-134894

Various improvements for SBOM generation


    • Type: Task
    • Resolution: Unresolved
    • Priority: P3: Somewhat important
    • Build System: CMake
    • Commits: 1f1a34f6b (dev), ecf1e021d (dev), ed90287ef (6.10), 54f93f70d (6.10), df39e7860 (6.9), 0d2f13a1f (6.9), f039f0398 (tqtc/lts-6.8), 3fbdf3e48 (tqtc/lts-6.8), a2c1b1b7b (dev), b5151dde4 (6.10), d6a6936e6 (6.9), 9537febac (tqtc/lts-6.8)

      While working on the SBOM for Qt Creator and Qt Design Studio, I encountered some points that could be improved:
      https://codereview.qt-project.org/c/qt-creator/qt-creator/+/615674/42//COMMIT_MSG#13

      Keeping them here so as to not forget them.

      • Non-intuitive behavior: a target file is not added to the SBOM when the target is created in the same directory as the qt_sbom_project_end() call, because the target is finalized after sbom_end() has been called. Consider adding a check for this in a finalizer in Qt itself, if possible.
      • Need to come up with a way to reference SBOM directories for the standalone plugin build case without having to specify QT_ADDITIONAL_SBOM_DOCUMENT_PATHS explicitly, so we need to 'save' the info somehow, like we do for Qt SBOM paths. Perhaps by exporting some target properties to carry the info and match it back to the Foo_DIR var of the originating package.
      • Consider creating minimal sbom packages for targets that are not sbom-aware. We can't provide any meaningful data for them, but at least other targets that depend on them via target_link_libraries will have them as dependencies in the sbom, and can thus signal 'unknown' extra deps.
      • Consider providing a Qt6Sbom.config package, which can be manually looked up via find_package(), without Qt6, so that it can be used arch-independently for any target arch triplet. One use case is Creator's wininterrupt and cdb extension projects, which build for 32/64/arm/intel arches, and the find_package(Qt6) fails due to arch mismatch.
      • _qt_internal_sbom_begin_project -> _qt_internal_sbom_compute_project_file_name(VERSION_SUFFIX "${non_git_version}") is unset for non-Qt repos when USE_GIT_VERSION is used, because we assign non_git_version from QT_REPO_MODULE_VERSION, which is unset.
      • The _qt_internal_sbom_begin_project -> _qt_internal_sbom_begin_project_generate() call should have all its options forwarded only if set, to avoid CMake 4.x policy CMP0174 warnings.
      • Add a way to override the 'using the qt build system from' message that is embedded into spdx doc. Use case is forked version used in Qt for MCU.
      • Add a way to pass license dirs to _qt_internal_sbom_begin_project via an option, rather than via the QT_SBOM_LICENSE_DIRS var. Seen in Creator.
      • Both Qt SBOM and Creator SBOM should have their vars like LICENSE_EXPRESSION and DEFAULT_LICENSE_EXPRESSION renamed or reconciled to make it clear which applies to the project package, and which to each target package. Repeats for copyrights, and version.
      • Reconcile between VCS_URL_BASE and DOWNLOAD_LOCATION, one is ssh repo, one is https, but they seem reversed. Seen in qtc_sbom_begin_project.
      • Calling _qt_internal_extend_sbom on a bare library created via add_library will fail configuration if no TYPE is added. Using LIBRARY type might not be desirable if the library is never installed. Encountered in qt3d. Might be useful to provide a LIBRARY_WITHOUT_FILES type, and same for other target types.
      • SBOM doesn't properly generate if configuring a user project with an empty CMAKE_BUILD_TYPE, the files are missing.
      • The TYPE option should be renamed to a more specific SBOM_ENTITY_TYPE, to allow easier forwarding of the type from a public API and to align with Creator.
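The CMP0174 point above, as an added CMake example that is not Qt's own code: my_sbom_begin_project and my_sbom_begin_project_generate are hypothetical stand-ins for the two internal functions, with made-up option names, showing unconditional forwarding beside forwarding only the options that were actually set.

```cmake
# Added example, not Qt code. With a minimum version below 3.31 the CMP0174
# policy is unset, so CMake 3.31+/4.x warns whenever a single-value keyword
# is passed an empty string through cmake_parse_arguments(PARSE_ARGV).
cmake_minimum_required(VERSION 3.16)

# Hypothetical inner generator with two single-value keywords.
function(my_sbom_begin_project_generate)
    set(single_args PROJECT_NAME VERSION_SUFFIX)
    cmake_parse_arguments(PARSE_ARGV 0 arg "" "${single_args}" "")
    message(STATUS "project '${arg_PROJECT_NAME}' suffix '${arg_VERSION_SUFFIX}'")
endfunction()

# Problematic: every keyword is forwarded even when the caller did not set it,
# so the inner call receives e.g. `VERSION_SUFFIX ""` and CMP0174 warns.
function(my_sbom_begin_project_unconditional)
    set(single_args PROJECT_NAME VERSION_SUFFIX)
    cmake_parse_arguments(PARSE_ARGV 0 arg "" "${single_args}" "")
    my_sbom_begin_project_generate(
        PROJECT_NAME "${arg_PROJECT_NAME}"
        VERSION_SUFFIX "${arg_VERSION_SUFFIX}")
endfunction()

# Fixed: build the forwarded argument list only from keywords that carry a
# value, so unset (or empty) options never reach the inner parser.
function(my_sbom_begin_project)
    set(single_args PROJECT_NAME VERSION_SUFFIX)
    cmake_parse_arguments(PARSE_ARGV 0 arg "" "${single_args}" "")
    set(forward_args "")
    foreach(opt IN LISTS single_args)
        if(DEFINED arg_${opt} AND NOT "${arg_${opt}}" STREQUAL "")
            list(APPEND forward_args ${opt} "${arg_${opt}}")
        endif()
    endforeach()
    my_sbom_begin_project_generate(${forward_args})
endfunction()

# Only PROJECT_NAME is given; the first call warns under 3.31+, the second not.
my_sbom_begin_project_unconditional(PROJECT_NAME Foo)
my_sbom_begin_project(PROJECT_NAME Foo)
```

Run it with `cmake -P forward.cmake` (any file name) using CMake 3.31 or newer to see the difference in warnings between the two calls.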

            qtbuildsystem Qt Build System Team
            alexandru.croitor Alexandru Croitor