A Software Bill of Materials (SBOM) document is a declaration of installed files, copyrights, licenses, versions, source repositories, and other relevant information about a Qt installation. The SBOM documents facilitate supply chain management by sharing component information with Qt users and other interested parties. Qt's SBOM documents are especially useful for license compliance and security vulnerability management.
Starting from Qt 6.8, Qt's build system can generate SBOM documents tailored for different platforms and build configurations. The Qt Online Installer places the SBOM documents in an sbom directory located in the installation directory of the respective Qt version. For example, for the Qt 6.8.5 Android arm64-v8a installation, the SBOM documents are at:
<INSTALL_DIR>/6.8.5/android_arm64_v8a/sbom/
To generate SBOM documents from the Qt sources yourself, pass -sbom as a configure option. For example, during the configure step:
./configure -sbom
Generation of SBOM documents then becomes a part of the regular Qt installation, whichever install command you use:
ninja install
cmake --install .
In Qt 6.8, this build process creates SBOM documents in JSON and tag:value format, as specified by SPDX. See Building Qt Sources and Qt Configure Options for more information about the Qt build procedure.
For Qt developers and maintainers, the SBOM Wiki has specific information for creating SBOM documents.
The SBOM documents are in SPDX 2.3 format. A document begins with information about the Qt module. SPDX packages follow as separate entries.
For a Qt installation, an SPDX package may be a:
An SPDX package typically contains at least:
A license expression, for example:
LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
The Qt Licensing page has more information about licensing options.
A CPE (Common Platform Enumeration) identifier, which has the structure:
cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>
An example identifier for a Qt Network Authorization package is:
cpe:2.3:a:qt:qtnetworkauth:6.8.0:*:*:*:*:*:*:*
For more information, see the CPE Specification page.
A Package URL (PURL), which has the structure:
scheme:type/namespace/name@version?qualifiers#subpath
An example PURL for a package is:
pkg:generic/TheQtCompany/qtnetworkauth@6.8.0
For more information, see the Package URL page.
Relationships to other SPDX elements, for example DEPENDS_ON for listing a dependency relationship. Refer to Clause 11 of the SPDX 2.3 specification for a list of valid relationship types.
An SPDX package for a third-party component typically contains at least:
The following is an example of an SBOM document for the Qt Network Authorization module. The SBOM filename is qtnetworkauth-6.8.0.spdx and it is in the installation's sbom directory. Note that the SBOM document contains several other packages not listed in the following example.
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: qtnetworkauth-6.8.0
DocumentNamespace: https://qt.io/spdxdocs/qtnetworkauth-6.8.0
Creator: Organization: TheQtCompany
Creator: Tool: Qt Build System
CreatorComment: <text>This SPDX document was created from CMake 3.27.7, using the qt build system from https://code.qt.io/cgit/qt/qtbase.git/tree/cmake/QtPublicSbomHelpers.cmake</text>
Created: 2024-09-19T11:07:23Z
ExternalDocumentRef: DocumentRef-qtbase https://qt.io/spdxdocs/qtbase-6.8.0 SHA1: 3dbc51259a07d458524a976da2e9607a76fab7e7

PackageName: NetworkAuth
SPDXID: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth
PackageDownloadLocation: git://code.qt.io/qt/qtnetworkauth.git
PackageVersion: 6.8.0
PackageSupplier: Organization: TheQtCompany
PackageLicenseConcluded: LicenseRef-Qt-Commercial OR GPL-3.0-only
PackageLicenseDeclared: LicenseRef-Qt-Commercial OR GPL-3.0-only
ExternalRef: PACKAGE-MANAGER purl pkg:github/qt/qtnetworkauth?library_name=NetworkAuth#src/oauth
ExternalRef: PACKAGE-MANAGER purl pkg:generic/TheQtCompany/qtnetworkauth-NetworkAuth?vcs_url=https://code.qt.io/qt/qtnetworkauth.git&library_name=NetworkAuth#src/oauth
FilesAnalyzed: true
PackageCopyrightText: <text>Copyright (C) 2024 The Qt Company Ltd.</text>
PrimaryPackagePurpose: LIBRARY
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtnetworkauth:6.8.0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qt:6.8.0:*:*:*:*:*:*:*
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Core
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-PlatformModuleInternal
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Gui
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Network
Relationship: SPDXRef-Package-qtnetworkauth CONTAINS SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth
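The following Python program is an added example for this page; it is not part of the Qt documentation or of Qt's build tooling. It parses a tag:value document like the one above (an abridged copy of it is embedded as constructed input, with the PackageCopyrightText deliberately wrapped over two lines), splits every cpe23Type reference into the fields of the CPE template, decomposes every purl into scheme, type, namespace, name, version, qualifiers and subpath, and follows DEPENDS_ON relationships through the DocumentRef-qtbase external document reference into the qtbase SBOM. The function names and the dictionary layout are the example's own choices; only the tags, identifiers and URLs come from the document shown on this page.

```python
"""Parse an SPDX 2.3 tag:value SBOM such as the ones Qt's build system writes and
extract what vulnerability management needs: CPEs, PURLs and the DEPENDS_ON graph."""
import re
from urllib.parse import unquote

# Constructed input: abridged copy of the qtnetworkauth-6.8.0.spdx excerpt shown above,
# with PackageCopyrightText wrapped over two lines to exercise the <text> handling.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.3
SPDXID: SPDXRef-DOCUMENT
DocumentName: qtnetworkauth-6.8.0
ExternalDocumentRef: DocumentRef-qtbase https://qt.io/spdxdocs/qtbase-6.8.0 SHA1: 3dbc51259a07d458524a976da2e9607a76fab7e7

PackageName: NetworkAuth
SPDXID: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth
PackageVersion: 6.8.0
PackageCopyrightText: <text>Copyright (C) 2024
The Qt Company Ltd.</text>
ExternalRef: PACKAGE-MANAGER purl pkg:generic/TheQtCompany/qtnetworkauth-NetworkAuth?vcs_url=https://code.qt.io/qt/qtnetworkauth.git&library_name=NetworkAuth#src/oauth
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtnetworkauth:6.8.0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qt:6.8.0:*:*:*:*:*:*:*
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Network
Relationship: SPDXRef-Package-qtnetworkauth CONTAINS SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth
"""

# Components of a CPE 2.3 formatted string after the leading "cpe" token.
CPE_FIELDS = ("cpe_version", "part", "vendor", "product", "version", "update",
              "edition", "language", "sw_edition", "target_sw", "target_hw", "other")

def iter_tag_values(text):
    """Yield (tag, value) pairs; a <text>...</text> value may span several lines."""
    lines = iter(text.splitlines())
    for line in lines:
        if not line.strip() or line.startswith("#"):   # blank lines and comments
            continue
        tag, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("<text>"):
            while "</text>" not in value:                # the text continues on later lines
                nxt = next(lines, None)
                if nxt is None:
                    raise ValueError("unterminated <text> for tag " + tag)
                value += "\n" + nxt
            value = value[len("<text>"):value.index("</text>")].strip()
        yield tag.strip(), value

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string on unescaped colons into named fields."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe":
        raise ValueError("not a CPE 2.3 formatted string: " + cpe)
    return dict(zip(CPE_FIELDS, parts[1:]))

def parse_purl(purl):
    """Decompose scheme:type/namespace/name@version?qualifiers#subpath."""
    rest, _, subpath = purl.partition("#")      # '#' and '?' are reserved in a purl,
    rest, _, qualifiers = rest.partition("?")   # so a plain partition is safe
    scheme, _, rest = rest.partition(":")
    segments = rest.strip("/").split("/")
    if scheme != "pkg" or len(segments) < 2:
        raise ValueError("not a purl: " + purl)
    name, _, version = segments[-1].partition("@")
    quals = dict(q.split("=", 1) for q in qualifiers.split("&") if "=" in q)
    return {"type": segments[0], "namespace": unquote("/".join(segments[1:-1])),
            "name": unquote(name), "version": unquote(version),
            "qualifiers": {k: unquote(v) for k, v in quals.items()}, "subpath": subpath}

def parse_spdx(text):
    """Return (document fields, packages, relationships) from a tag:value SBOM."""
    doc, packages, relationships, current = {"external_docs": {}}, [], [], None
    for tag, value in iter_tag_values(text):
        if tag == "PackageName":                  # each PackageName opens a new package
            current = {"PackageName": value, "cpes": [], "purls": []}
            packages.append(current)
        elif tag == "Relationship":               # "<src> <TYPE> <target>"
            relationships.append(tuple(value.split()[:3]))
        elif tag == "ExternalDocumentRef":        # "DocumentRef-x <namespace> <algo>: <digest>"
            ref, url, algo, digest = value.split()
            doc["external_docs"][ref] = (url, algo.rstrip(":"), digest)
        elif tag == "ExternalRef" and current is not None:
            _category, ref_type, locator = value.split(maxsplit=2)
            if ref_type == "cpe23Type":
                current["cpes"].append(parse_cpe23(locator))
            elif ref_type == "purl":
                current["purls"].append(parse_purl(locator))
        else:                                     # repeated tags (Creator, ...) keep the last value
            (doc if current is None else current)[tag] = value
    return doc, packages, relationships

def cpe_match_keys(packages):
    """Sorted (vendor, product, version) triples for an application-CPE-keyed vulnerability feed."""
    return sorted({(c["vendor"], c["product"], c["version"])
                   for p in packages for c in p["cpes"] if c["part"] == "a"})

def resolve_dependencies(doc, relationships):
    """Map each SPDXID to its DEPENDS_ON targets, expanding DocumentRef-* prefixes to URLs."""
    deps = {}
    for src, rel, target in relationships:
        if rel != "DEPENDS_ON":
            continue
        ref, sep, local_id = target.partition(":")
        if sep and ref in doc["external_docs"]:   # cross-document edge: <namespace>#<SPDXID>
            target = doc["external_docs"][ref][0] + "#" + local_id
        deps.setdefault(src, []).append(target)
    return deps
```

Two points worth noting for vulnerability management: Qt attaches both the module CPE (qt:qtnetworkauth) and the umbrella CPE (qt:qt) to each module, so cpe_match_keys returns both and a scanner that matched only the module name would miss advisories filed against the umbrella product. The DEPENDS_ON targets point into the separate qtbase SBOM through DocumentRef-qtbase, so resolving them requires the ExternalDocumentRef line; the SHA1 it carries lets you verify that the qtbase document you fetch is the one this SBOM was built against. The parser keeps only the last value of a repeated document-level tag such as Creator; extend it if you need all of them.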
Boot to Qt uses the meta-qt6 layer to build all Qt modules, and the generated SBOM documents are available as SPDX files when installing Boot to Qt through the Qt Online Installer. The install path depends on the Qt version and the target hardware.
For example, for the Raspberry Pi target, the SBOM .spdx documents are at:
<INSTALL_DIR>/6.8.5/Boot2Qt/raspberrypi-armv8/toolchain/sysroots/cortexa53-poky-linux/usr/lib/sbom/
For more information, visit the following pages: