Software Bill of Materials

A Software Bill of Materials (SBOM) document is a declaration of installed files, copyrights, licenses, versions, source repositories, and other relevant information about a Qt installation. The SBOM documents facilitate supply chain management by sharing component information to Qt users and other interested parties. Qt's SBOM documents are especially useful for license compliance and security vulnerability management.

Starting from Qt 6.8, Qt's build system can generate SBOM documents tailored for different platforms and build configurations. The Qt Online Installer places the SBOM documents in an sbom directory located in the installation directory of the respective Qt version. For example, for the Qt 6.8.2 Android arm64-v8a installation, the SBOM documents are at:

<INSTALL_DIR>/6.8.2/android_arm64_v8a/sbom/

To generate SBOM documents from the Qt sources yourself, set -sbom as a configure option.

For example, during the configure step:

./configure  -sbom

Generation of SBOM documents then becomes a part of the regular Qt installation:

ninja install
cmake --install .

In Qt 6.8, this build process creates SBOM documents in JSON and tag:value format as specified by the SPDX format.

See Building Qt Sources and Qt Configure Options for more information about the Qt build procedure.

For Qt developers and maintainers, the SBOM Wiki has specific information for creating SBOM documents.

SPDX Format

The SBOM documents are in SPDX 2.3 format. A document begins with information about the Qt module. SPDX packages follow as separate entries.

For a Qt installation, an SPDX package may be a:

• Qt module
• Qt plugin - for example, platform plugins
• Qt tool - for example, moc
• Qt application - for example, Qt Designer
• Third-party component - see Third-Party Code Used in Qt
• System library dependency - Qt Configure Options

An SPDX package typically contains at least:

• Package name, version, supplier name, and build information
• Qt License Attribution - a Qt product may be under different commercial or open source licenses. For example, a package may list several concluded licenses:

  LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only

  The Qt Licensing has more information about licensing options.

• Copyright notices - SBOM documents include Qt source copyrights and copyrights from third-party sources or authors.
• CPE (Common Platform Enumeration) - a naming scheme for package identification. For Qt, the SBOM CPE format is typically:

  cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other>

  An example identifier for a Qt Network Authorization package is:

  cpe:2.3:a:qt:qtnetworkauth:6.8.0:*:*:*:*:*:*:*

  For more information, see CPE Specification page.

• PURL (Package URL) - an alternative to CPE, PURL is an identifier scheme that uses the following format:

  scheme:type/namespace/name@version?qualifiers#subpath

  An example PURL for a package is:

  pkg:generic/TheQtCompany/qtnetworkauth@6.8.0

  For more information, Package URL page.

• Package relationships between packages such as dependencies.

  For example, the DEPENDS_ON for listing a dependency relationship. Refer to Clause 11 of the SPDX 2.3 for a list of valid relationship types.

Third-party SPDX Packages

An SPDX package for a third-party component typically contains at least:

• Name, version, and description
• Homepage and download location
• Usage in Qt
• License and copyright information
• Whether the component is security critical - the code may process untrusted code

SBOM Example

The following is an example of an SBOM document for the Qt Network Authorization module. The SBOM filename is qtnetworkauth-6.8.0.spdx and is in the installation's sbom directory. Note that the SBOM document contains several other packages not listed in the following example.

SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: qtnetworkauth-6.8.0
DocumentNamespace: https://qt.io/spdxdocs/qtnetworkauth-6.8.0
Creator: Organization: TheQtCompany
Creator: Tool: Qt Build System
CreatorComment: <text>This SPDX document was created from CMake 3.27.7, using the qt
build system from https://code.qt.io/cgit/qt/qtbase.git/tree/cmake/QtPublicSbomHelpers.cmake</text>
Created: 2024-09-19T11:07:23Z
ExternalDocumentRef: DocumentRef-qtbase https://qt.io/spdxdocs/qtbase-6.8.0 SHA1: 3dbc51259a07d458524a976da2e9607a76fab7e7

PackageName: NetworkAuth
SPDXID: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth
PackageDownloadLocation: git://code.qt.io/qt/qtnetworkauth.git
PackageVersion: 6.8.0
PackageSupplier: Organization: TheQtCompany
PackageLicenseConcluded: LicenseRef-Qt-Commercial OR GPL-3.0-only
PackageLicenseDeclared: LicenseRef-Qt-Commercial OR GPL-3.0-only
ExternalRef: PACKAGE-MANAGER purl pkg:github/qt/qtnetworkauth?library_name=NetworkAuth#src/oauth
ExternalRef: PACKAGE-MANAGER purl pkg:generic/TheQtCompany/qtnetworkauth-NetworkAuth?vcs_url=https://code.qt.io/qt/qtnetworkauth.git&library_name=NetworkAuth#src/oauth
FilesAnalyzed: true
PackageCopyrightText: <text>Copyright (C) 2024 The Qt Company Ltd.</text>
PrimaryPackagePurpose: LIBRARY
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qtnetworkauth:6.8.0:*:*:*:*:*:*:*
ExternalRef: SECURITY cpe23Type cpe:2.3:a:qt:qt:6.8.0:*:*:*:*:*:*:*
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Core
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-PlatformModuleInternal
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Gui
Relationship: SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth DEPENDS_ON DocumentRef-qtbase:SPDXRef-Package-qtbase-qt-module-Network
Relationship: SPDXRef-Package-qtnetworkauth CONTAINS SPDXRef-Package-qtnetworkauth-qt-module-NetworkAuth

Related Topics

• SPDX 2.3
• Qt Wiki - SBOM - generating SBOM documents from Qt sources
• Third-Party Code Used in Qt