Software Bill of Materials

A Software Bill of Materials (SBOM) document is a declaration of installed files, copyrights, licenses, versions, source repositories, and other relevant information about a Qt installation. The SBOM documents facilitate supply chain management by sharing component information with Qt users and other interested parties. Qt's SBOM documents are especially useful for license compliance and security vulnerability management.

Starting from Qt 6.8, Qt's build system can generate SBOM documents tailored for different platforms and build configurations. The Qt Online Installer places the SBOM documents in an sbom directory located in the installation directory of the respective Qt version. For example, for the Qt 6.8.1 Android arm64-v8a installation, the SBOM documents are at:

<INSTALL_DIR>/6.8.1/android_arm64_v8a/sbom/

To generate SBOM documents from the Qt sources yourself, set -sbom as a configure option.

For example, during the configure step:

./configure -sbom

Generation of SBOM documents then becomes part of the regular Qt installation step:

ninja install
cmake --install .

In Qt 6.8, this build process creates SBOM documents in both JSON and tag:value form, as specified by the SPDX standard.

See Building Qt Sources and Qt Configure Options for more information about the Qt build procedure.

For Qt developers and maintainers, the SBOM Wiki has specific information for creating SBOM documents.

SPDX Format

The SBOM documents are in SPDX 2.3 format. A document begins with information about the Qt module. SPDX packages follow as separate entries.

For a Qt installation, an SPDX package may be a:

An SPDX package typically contains at least:

  • Package name, version, supplier name, and build information
  • Qt License Attribution - a Qt product may be under different commercial or open source licenses. For example, a package may list several concluded licenses:
    LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only

    The Qt Licensing page has more information about licensing options.

  • Copyright notices - SBOM documents include Qt source copyrights and copyrights from third-party sources or authors.
  • CPE (Common Platform Enumeration) - a naming scheme for package identification. For Qt, the SBOM CPE format is typically:
    cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>

    An example identifier for a Qt Network Authorization package is:

    cpe:2.3:a:qt:qtnetworkauth:6.8.0:*:*:*:*:*:*:*

    For more information, see the CPE Specification page.

  • PURL (Package URL) - an alternative to CPE, PURL is an identifier scheme that uses the following format:
    scheme:type/namespace/name@version?qualifiers#subpath

    An example PURL for a package is:

    pkg:generic/TheQtCompany/qtnetworkauth@6.8.0

    For more information, see the Package URL page.

  • Relationships between packages, such as dependencies.

    For example, DEPENDS_ON expresses a dependency relationship. Refer to Clause 11 of the SPDX 2.3 specification for a list of valid relationship types.

Third-party SPDX Packages

An SPDX package for a third-party component typically contains at least:

  • Name, version, and description
  • Homepage and download location
  • Usage in Qt
  • License and copyright information
  • Whether the component is security critical, that is, whether its code may process untrusted data

SBOM Example

The following is an example of an SBOM document for the Qt Network Authorization module. The SBOM filename is qtnetworkauth-6.8.0.spdx and it is located in the installation's sbom directory. Note that the full SBOM document contains several other packages that are omitted from this excerpt.

SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: qtnetworkauth-6.8.0
DocumentNamespace: https://qt.io/spdxdocs/qtnetworkauth-6.8.0
Creator: Organization: TheQtCompany
Creator: Tool: Qt Build System
CreatorComment: <text>This SPDX document was created from CMake 3.27.7, using the qt
build system from https://code.qt.io/cgit/qt/qtbase.git/tree/cmake/QtPublicSbomHelpers.cmake</text>
Created: 2024-09-19T11:07:23Z
ExternalDocumentRef: DocumentRef-qtbase https://qt.io/spdxdocs/qtbase-6.8.0 SHA1: 3dbc51259a07d458524a976da2e9607a76fab7e7

PackageName: NetworkAuth
SPDXID: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth
PackageDownloadLocation: git://code.qt.io/qt/qtnetworkauth.git
PackageVersion: 6.8.0
PackageSupplier: Organization: TheQtCompany
PackageLicenseConcluded: LicenseRef-Qt-Commercial OR GPL-3.0-only
PackageLicenseDeclared: LicenseRef-Qt-Commercial OR GPL-3.0-only
ExternalRef: PACKAGE-MANAGER purl pkg:github/qt/qtnetworkauth?library_name=NetworkAuth#src/oauth
ExternalRef: PACKAGE-MANAGER purl pkg:generic/TheQtCompany/qtnetworkauth-NetworkAuth?vcs_url=https://code.qt.io/qt/qtnetworkauth.git&library_name=NetworkAuth#src/oauth
FilesAnalyzed: true
PackageCopyrightText: <text>Copyright (C) 2024 The Qt Company Ltd.</text>
PrimaryPackagePurpose: LIBRARY
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtnetworkauth:6.8.0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qt:6.8.0:*:*:*:*:*:*:*
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Core
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-PlatformModuleInternal
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Gui
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Network
Relationship: SPDXRef-Package-qtnetworkauth CONTAINS SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth
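As an added example (not part of the Qt documentation or the Qt build system), the following Python parser reads a tag:value SBOM like the one above and extracts what a vulnerability-management pipeline needs from it: each package's version, concluded license, CPE and PURL identifiers, and its DEPENDS_ON relationships, while validating that every CPE has the 13-component 2.3 layout described in the SPDX Format section. The embedded document is a constructed, trimmed copy of the qtnetworkauth-6.8.0.spdx excerpt, and the function names are this example's own.

```python
import re
# Constructed sample: a trimmed copy of the qtnetworkauth-6.8.0.spdx excerpt above.
SAMPLE_SBOM = """\
DocumentName: qtnetworkauth-6.8.0
CreatorComment: <text>This SPDX document was created from CMake 3.27.7, using the qt
build system from https://code.qt.io/cgit/qt/qtbase.git/tree/cmake/QtPublicSbomHelpers.cmake</text>

PackageName: NetworkAuth
SPDXID: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth
PackageVersion: 6.8.0
PackageLicenseConcluded: LicenseRef-Qt-Commercial OR GPL-3.0-only
ExternalRef: PACKAGE-MANAGER purl pkg:generic/TheQtCompany/qtnetworkauth-NetworkAuth#src/oauth
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtnetworkauth:6.8.0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qt:6.8.0:*:*:*:*:*:*:*
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Core
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Network
"""

# A CPE 2.3 string is "cpe:2.3" followed by exactly 11 colon-separated components.
CPE23_RE = re.compile(r"^cpe:2\.3(?::[^:]+){11}$")
def parse_spdx_tag_value(text):
    """Return (packages, relationships): packages maps SPDXID -> field dict; relationships are (subject, type, object) triples."""
    # Fold multi-line <text>...</text> values (e.g. the wrapped CreatorComment) onto one line so they are never read as new tags.
    text = re.sub(r"<text>(.*?)</text>", lambda m: " ".join(m.group(1).split()), text, flags=re.S)
    packages, relationships, cur = {}, [], None
    for line in text.splitlines():
        tag, _, value = (s.strip() for s in line.partition(":"))
        if tag == "PackageName":                 # starts a new package entry
            cur = {"name": value, "cpes": [], "purls": []}
        elif tag == "Relationship":
            relationships.append(tuple(value.split()))
        elif cur is None:
            continue                             # still in the document header
        elif tag == "SPDXID":
            packages[value] = cur
        elif tag in ("PackageVersion", "PackageLicenseConcluded"):
            cur[tag] = value
        elif tag == "ExternalRef":
            _category, ref_type, locator = value.split(None, 2)
            if ref_type == "cpe23Type":
                if not CPE23_RE.match(locator):
                    raise ValueError(f"malformed CPE 2.3 string: {locator}")
                cur["cpes"].append(locator)
            elif ref_type == "purl":
                cur["purls"].append(locator)
    return packages, relationships

def products_to_check(packages):
    # (vendor, product, version) keys to query a CVE feed with, one per CPE; hypothetical helper name.
    return sorted({tuple(cpe.split(":")[3:6]) for p in packages.values() for cpe in p["cpes"]})
```

Note that the module-level CPE (cpe:2.3:a:qt:qt:6.8.0) appears next to the package-specific one, so a vulnerability query has to be run for both keys.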

© 2024 The Qt Company Ltd. Documentation contributions included herein are the copyrights of their respective owners. The documentation provided herein is licensed under the terms of the GNU Free Documentation License version 1.3 as published by the Free Software Foundation. Qt and respective logos are trademarks of The Qt Company Ltd. in Finland and/or other countries worldwide. All other trademarks are property of their respective owners.