Software Bill of Materials
A Software Bill of Materials (SBOM) document is a declaration of installed files, copyrights, licenses, versions, source repositories, and other relevant information about a Qt installation. The SBOM documents facilitate supply chain management by sharing component information to Qt users and other interested parties. Qt's SBOM documents are especially useful for license compliance and security vulnerability management.
Starting from Qt 6.8, Qt's build system can generate SBOM documents tailored for different platforms and build configurations. The Qt Online Installer places the SBOM documents in an sbom
directory located in the installation directory of the respective Qt version. For example, for the Qt 6.8.1 Android arm64-v8a installation, the SBOM documents are at:
<INSTALL_DIR>/6.8.1/android_arm64_v8a/sbom/
To generate SBOM documents from the Qt sources yourself, set -sbom
as a configure option.
For example, during the configure step:
./configure -sbom
Generation of SBOM documents then becomes a part of the regular Qt installation:
ninja install cmake --install .
In Qt 6.8, this build process creates SBOM documents in JSON and tag:value
format as specified by the SPDX format.
See Building Qt Sources and Qt Configure Options for more information about the Qt build procedure.
For Qt developers and maintainers, the SBOM Wiki has specific information for creating SBOM documents.
SPDX Format
The SBOM documents are in SPDX 2.3 format. A document begins with information about the Qt module. SPDX packages follow as separate entries.
For a Qt installation, an SPDX package may be a:
- Qt module
- Qt plugin - for example, platform plugins
- Qt tool - for example, moc
- Qt application - for example, Qt Designer
- Third-party component - see Third-Party Code Used in Qt
- System library dependency - Qt Configure Options
An SPDX package typically contains at least:
- Package name, version, supplier name, and build information
- Qt License Attribution - a Qt product may be under different commercial or open source licenses. For example, a package may list several concluded licenses:
LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
The Qt Licensing has more information about licensing options.
- Copyright notices - SBOM documents include Qt source copyrights and copyrights from third-party sources or authors.
- CPE (Common Platform Enumeration) - a naming scheme for package identification. For Qt, the SBOM CPE format is typically:
cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>
An example identifier for a Qt Network Authorization package is:
cpe:2.3:a:qt:qtnetworkauth:6.8.0:*:*:*:*:*:*:*
For more information, see CPE Specification page.
- PURL (Package URL) - an alternative to CPE, PURL is an identifier scheme that uses the following format:
scheme:type/namespace/name@version?qualifiers#subpath
An example PURL for a package is:
pkg:generic/TheQtCompany/qtnetworkauth@6.8.0
For more information, Package URL page.
- Package relationships between packages such as dependencies.
For example, the
DEPENDS_ON
for listing a dependency relationship. Refer to Clause 11 of the SPDX 2.3 for a list of valid relationship types.
Third-party SPDX Packages
An SPDX package for a third-party component typically contains at least:
- Name, version, and description
- Homepage and download location
- Usage in Qt
- License and copyright information
- Whether the component is security critical - the code may process untrusted code
SBOM Example
The following is an example of an SBOM document for the Qt Network Authorization module. The SBOM filename is qtnetworkauth-6.8.0.spdx
and is in the installation's sbom
directory. Note that the SBOM document contains several other packages not listed in the following example.
SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: qtnetworkauth-6.8.0 DocumentNamespace: https://qt.io/spdxdocs/qtnetworkauth-6.8.0 Creator: Organization: TheQtCompany Creator: Tool: Qt Build System CreatorComment: <text>This SPDX document was created from CMake 3.27.7, using the qt build system from https://code.qt.io/cgit/qt/qtbase.git/tree/cmake/QtPublicSbomHelpers.cmake</text> Created: 2024-09-19T11:07:23Z ExternalDocumentRef: DocumentRef-qtbase https://qt.io/spdxdocs/qtbase-6.8.0 SHA1: 3dbc51259a07d458524a976da2e9607a76fab7e7 PackageName: NetworkAuth SPDXID: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth PackageDownloadLocation: git://code.qt.io/qt/qtnetworkauth.git PackageVersion: 6.8.0 PackageSupplier: Organization: TheQtCompany PackageLicenseConcluded: LicenseRef-Qt-Commercial OR GPL-3.0-only PackageLicenseDeclared: LicenseRef-Qt-Commercial OR GPL-3.0-only ExternalRef: PACKAGE-MANAGER purl pkg:github/qt/qtnetworkauth?library_name=NetworkAuth#src/oauth ExternalRef: PACKAGE-MANAGER purl pkg:generic/TheQtCompany/qtnetworkauth-NetworkAuth?vcs_url=https://code.qt.io/qt/qtnetworkauth.git&library_name=NetworkAuth#src/oauth FilesAnalyzed: true PackageCopyrightText: <text>Copyright (C) 2024 The Qt Company Ltd.</text> PrimaryPackagePurpose: LIBRARY ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtnetworkauth:6.8.0:*:*:*:*:*:*:* ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qt:6.8.0:*:*:*:*:*:*:* Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Core Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-PlatformModuleInternal Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Gui Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Network Relationship: SPDXRef-Package-qtnetworkauth CONTAINS SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth
Related Topics
- SPDX 2.3
- Qt Wiki - SBOM - generating SBOM documents from Qt sources
- Third-Party Code Used in Qt