Software Bill of Materials

A Software Bill of Materials (SBOM) document is a declaration of installed files, copyrights, licenses, versions, source repositories, and other relevant information about a Qt installation. The SBOM documents facilitate supply chain management by sharing component information to Qt users and other interested parties. Qt's SBOM documents are especially useful for license compliance and security vulnerability management.

Starting from Qt 6.8, Qt's build system can generate SBOM documents tailored for different platforms and build configurations. The Qt Online Installer places the SBOM documents in an sbom directory located in the installation directory of the respective Qt version. For example, for the Qt 6.8.1 Android arm64-v8a installation, the SBOM documents are at:

 <INSTALL_DIR>/6.8.1/android_arm64_v8a/sbom/

To generate SBOM documents from the Qt sources yourself, set -sbom as a configure option.

For example, during the configure step:

 ./configure  -sbom

Generation of SBOM documents then becomes a part of the regular Qt installation:

 ninja install
 cmake --install .

In Qt 6.8, this build process creates SBOM documents in JSON and tag:value format as specified by the SPDX format.

See Building Qt Sources and Qt Configure Options for more information about the Qt build procedure.

For Qt developers and maintainers, the SBOM Wiki has specific information for creating SBOM documents.

SPDX Format

The SBOM documents are in SPDX 2.3 format. A document begins with information about the Qt module. SPDX packages follow as separate entries.

For a Qt installation, an SPDX package may be a:

An SPDX package typically contains at least:

  • Package name, version, supplier name, and build information
  • Qt License Attribution - a Qt product may be under different commercial or open source licenses. For example, a package may list several concluded licenses:
     LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
    

    The Qt Licensing has more information about licensing options.

  • Copyright notices - SBOM documents include Qt source copyrights and copyrights from third-party sources or authors.
  • CPE (Common Platform Enumeration) - a naming scheme for package identification. For Qt, the SBOM CPE format is typically:
     cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>
    

    An example identifier for a Qt Network Authorization package is:

     cpe:2.3:a:qt:qtnetworkauth:6.8.0:*:*:*:*:*:*:*
    

    For more information, see CPE Specification page.

  • PURL (Package URL) - an alternative to CPE, PURL is an identifier scheme that uses the following format:
     scheme:type/namespace/name@version?qualifiers#subpath
    

    An example PURL for a package is:

     pkg:generic/TheQtCompany/qtnetworkauth@6.8.0
    

    For more information, Package URL page.

  • Package relationships between packages such as dependencies.

    For example, the DEPENDS_ON for listing a dependency relationship. Refer to Clause 11 of the SPDX 2.3 for a list of valid relationship types.

Third-party SPDX Packages

An SPDX package for a third-party component typically contains at least:

  • Name, version, and description
  • Homepage and download location
  • Usage in Qt
  • License and copyright information
  • Whether the component is security critical - the code may process untrusted code

SBOM Example

The following is an example of an SBOM document for the Qt Network Authorization module. The SBOM filename is qtnetworkauth-6.8.0.spdx and is in the installation's sbom directory. Note that the SBOM document contains several other packages not listed in the following example.

 SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: qtnetworkauth-6.8.0
 DocumentNamespace: https://qt.io/spdxdocs/qtnetworkauth-6.8.0
 Creator: Organization: TheQtCompany
 Creator: Tool: Qt Build System
 CreatorComment: <text>This SPDX document was created from CMake 3.27.7, using the qt
 build system from https://code.qt.io/cgit/qt/qtbase.git/tree/cmake/QtPublicSbomHelpers.cmake</text>
 Created: 2024-09-19T11:07:23Z
 ExternalDocumentRef: DocumentRef-qtbase https://qt.io/spdxdocs/qtbase-6.8.0 SHA1: 3dbc51259a07d458524a976da2e9607a76fab7e7

 PackageName: NetworkAuth
 SPDXID: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth
 PackageDownloadLocation: git://code.qt.io/qt/qtnetworkauth.git
 PackageVersion: 6.8.0
 PackageSupplier: Organization: TheQtCompany
 PackageLicenseConcluded: LicenseRef-Qt-Commercial OR GPL-3.0-only
 PackageLicenseDeclared: LicenseRef-Qt-Commercial OR GPL-3.0-only
 ExternalRef: PACKAGE-MANAGER purl pkg:github/qt/qtnetworkauth?library_name=NetworkAuth#src/oauth
 ExternalRef: PACKAGE-MANAGER purl pkg:generic/TheQtCompany/qtnetworkauth-NetworkAuth?vcs_url=https://code.qt.io/qt/qtnetworkauth.git&library_name=NetworkAuth#src/oauth
 FilesAnalyzed: true
 PackageCopyrightText: <text>Copyright (C) 2024 The Qt Company Ltd.</text>
 PrimaryPackagePurpose: LIBRARY
 ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtnetworkauth:6.8.0:*:*:*:*:*:*:*
 ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qt:6.8.0:*:*:*:*:*:*:*
 Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Core
 Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-PlatformModuleInternal
 Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Gui
 Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Network
 Relationship: SPDXRef-Package-qtnetworkauth CONTAINS SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth