This change adds initial Cyclone DX v1.6 SBOM generation support for
CMake-based Qt projects.
Cyclone DX generation is enabled by default for all Qt repos, as long
as the required Python dependencies are found.
If needed, it can be explicitly enabled by configuring the qt repo
project with:
-sbom -sbom-cyclonedx-v1_6
or a generic CMake project with
-DQT_GENERATE_SBOM=ON -DQT_SBOM_GENERATE_CYDX_V1_6=ON.
Disabling can be done with
-no-sbom-cyclonedx-v1_6
or
-DQT_SBOM_GENERATE_CYDX_V1_6=OFF
respectively.
Note that if the required Python dependencies are not found,
the generation will be silently skipped. To ensure CMake
configuration fails if SBOM dependencies are missing, pass:
-sbom-cyclonedx-v1_6-required
or
-DQT_SBOM_REQUIRE_GENERATE_CYDX_V1_6=ON
To ensure the generated document is valid according to the Cyclone DX
schema, pass:
-sbom-cyclonedx-v1_6-verify-required
or
-DQT_SBOM_REQUIRE_VERIFY_CYDX_V1_6=ON
Cyclone DX generation requires a Python 3.9 interpreter in PATH and
the `cyclonedx-python-lib` and `tomli` Python packages to be
installed.
The packages can be installed via pip:
pip install 'cyclonedx-python-lib[json-validation]' tomli
ideally in a Python virtual environment.
If using Python 3.11, tomli is not required.
If using Python 3.9 or 3.10, and pip is available, the code will try
to use the toml library bundled with pip, in which case `tomli` is
not required to be installed separately.
Generated Cyclone DX documents are installed in the same `sbom`
directory under the prefix.
For example when building and installing qtbase, the generated Cyclone
DX document will be installed to:
$qt_prefix/sbom/qtbase-$version.cdx.json
The commit title mentions "minimal" Cyclone DX support.
Minimal support means that not all features of the equivalent SPDX
generation are implemented.
List of implemented features:
- CMake target information included as Cyclone DX components with
information like name, version, supplier, download location, CPE
and PURL
- attribution information
- license information (ids and texts, without OR/AND structure)
- dependencies between components in the same document
- dependencies between components in different documents
List of missing features:
- partial license information (pending v1.7 spec support, currently
any license expression with a LicenseRef- has its structure lost,
so OR and AND get removed, and the result is just a flat list
of license ids and texts)
- binary file, source file, and custom file information (unclear if
there's a good way to represent these in the spec)
- checksums for components, files and sbom documents (also unclear
how to represent, because the spec has a 'hashes' key, but it
doesn't say what it applies to)
- relationship information (the Cyclone DX spec doesn't support
relationships like DEPENDS_ON or CONTAINS, only dependencies)
- detailed component types (only application and library are
supported currently)
- custom added relationship / dependency info
- qtwebengine / Chromium enablers
- probably other things
Implementation details.
Cyclone DX doesn't have a tag:value format like SPDX v2.3, so there
isn't an easy way to generate Cyclone DX directly in CMake.
Instead, an intermediate TOML file is generated in CMake, which is
then fed to a custom Python script that generates the final Cyclone
DX document in JSON format. TOML is a much easier format to generate
in CMake compared to JSON, and is easy to read for humans and to parse
in Python.
Note that some of the TOML fields are wrapped in literal multi-line
strings aka ''' foo ''' rather than non-literal ones, aka
""" foo """. That's to avoid the need for escaping backslashes for
content like configure arguments in the description field (Windows is
notorious for trailing backslashes in paths).
The python script is located in
util/sbom/cyclonedx/qt_cyclonedx_generator. It is installed
into $qt_prefix/libexec so it can be used for other qt repos and
projects.
Development of the script is done using the `uv` tool and a
pyproject.toml project, but `uv` is not required for installation and
usage of the script itself.
The script parses the TOML file and serializes the Cyclone DX document
into the JSON format, while also syntactically validating it.
Cyclone DX and SPDX differences.
Cyclone DX has the concept of `bom-ref` which is similar to SPDX IDs
and SPDX references.
We reuse the SPDX ids like SPDXRef-Package-Foo as bom-refs to allow
cross-referencing between repo BOM documents, but it also allows
easier comparison with the SPDX documents.
SPDX mostly operates on the concept of packages and files, whereas
Cyclone DX uses components. We map CMake targets to Cyclone DX
components.
CycloneDX has one notable difference from SPDX. External dependencies
whose full BOM is located in a different document must still be
represented as components in the current document, but with an
external BOM link, which is why we need to track such components.
This is achieved by exporting the SPDX id, BOM serial number, etc. as
CMake target properties, to then partially recreate the components in
the currently processed document.
Note that the QT_GENERATE_SBOM option is now a main toggle for
SBOM generation, instead of being specific to SPDX generation.
Various other variables that were SPDX v2.3 specific but had generic
names have been deprecated, and new ones introduced to make it clearer
that they are SPDX specific, and to allow further evolution for SPDX
v3 and Cyclone DX 1.7 while being backwards compatible.
Adjusted tests to generate SPDX and Cyclone DX SBOMs together,
separately, or not at all, to check for the existence of the
installed sbom files, and to check the computed generation
options in case dependencies are missing.
[ChangeLog][Build System] A new -sbom-cyclonedx-v1_6 configure option
can be used to generate and install a CycloneDX v1.6 SBOM (Software
Bill of Materials) file for each built Qt repository.
Task-number: QTBUG-129598
Change-Id: If20a45083a70b01668f52023053b75f520129381
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
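The intermediate TOML to CycloneDX JSON step described in the commit message, as an added illustration that is not Qt's `qt_cyclonedx_generator` script and does not use `cyclonedx-python-lib`. The TOML layout (`[document]`, `[[components]]`, `bom_ref`, `depends_on`, `external_bom`) is a constructed, hypothetical one; it shows SPDX ids reused as `bom-ref`s, an external dependency kept as a component with a BOM link, a literal `'''` string carrying a Windows path, and a consumer-side check that every `dependsOn` ref resolves within the document.

```python
import json

try:
    import tomllib  # stdlib on Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # type: ignore  # older interpreters, as the commit notes

# Constructed sample of the intermediate TOML (hypothetical layout, not the real
# file CMake writes). The description uses a literal ''' string, so the trailing
# Windows backslashes need no escaping.
SAMPLE_TOML = r"""
[document]
name = "qtbase"
version = "6.9.0"
serial_number = "urn:uuid:00000000-0000-4000-8000-000000000001"
description = '''configure -prefix C:\Qt\6.9.0\ -release'''

[[components]]
bom_ref = "SPDXRef-Package-qtbase-Core"
name = "Core"
version = "6.9.0"
type = "library"
depends_on = ["SPDXRef-Package-zlib"]

[[components]]
bom_ref = "SPDXRef-Package-zlib"
name = "zlib"
version = "1.3"
type = "library"
external_bom = "urn:uuid:00000000-0000-4000-8000-000000000002"
depends_on = []
"""


def toml_to_cyclonedx(toml_text: str) -> dict:
    """Serialize the intermediate TOML into a CycloneDX 1.6 shaped document."""
    data = tomllib.loads(toml_text)
    doc = data["document"]
    components, dependencies = [], []
    for c in data["components"]:
        comp = {"type": c["type"], "bom-ref": c["bom_ref"],
                "name": c["name"], "version": c["version"]}
        if "external_bom" in c:
            # A dependency whose full BOM lives in another document is still a
            # component here, carrying a link to that external BOM.
            comp["externalReferences"] = [{"type": "bom", "url": c["external_bom"]}]
        components.append(comp)
        dependencies.append({"ref": c["bom_ref"], "dependsOn": list(c["depends_on"])})
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
        "serialNumber": doc["serial_number"],
        "metadata": {"component": {
            "type": "application", "bom-ref": f"SPDXRef-Package-{doc['name']}",
            "name": doc["name"], "version": doc["version"],
            "description": doc["description"]}},
        "components": components, "dependencies": dependencies,
    }


def unresolved_refs(bom: dict) -> list:
    """Return dependsOn refs that no component in this document declares."""
    known = {c["bom-ref"] for c in bom["components"]}
    known.add(bom["metadata"]["component"]["bom-ref"])
    return sorted(r for d in bom["dependencies"] for r in d["dependsOn"] if r not in known)


if __name__ == "__main__":
    print(json.dumps(toml_to_cyclonedx(SAMPLE_TOML), indent=2))
```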