Qt 6.8 Software Bill of Materials


TL;DR: The binary packages of Qt 6.8 or later in the Qt Online installer contain build SBOM documents.

An SBOM is:

A machine-processable document containing the details and supply chain relationships of various components used in building software, similar to food ingredient labels on packaging.

Why SBOM?

Building and shipping software requires a lot of care. Some aspects of building software are often neglected yet are considered important by many. I'm talking about security, build reproducibility, supply chain tracking, license compliance, and copyright attribution.

The European Union partly shares that opinion, which is why, among other things, it is adopting the Cyber-Resilience Act (CRA) regulation, which aims to improve the security of hardware and software.

The CRA mentions automatic security updates, as well as vulnerability and incident reports. Software products are usually not created from scratch; they rely on 3rd-party components that are authored externally. To ensure security updates, and to find out whether one's software is vulnerable, one first has to identify these components and their versions, find out which parts of the components are used, which of them are vulnerable, which of them have to be updated, and so on.

For a big software project, that can get burdensome quite fast. This is where SBOMs come in.

Build SBOM

There are many SBOM types and formats, but one of the most useful ones is a Build SBOM, which is generated as part of the build process based on source files, dependency information, already created components, volatile build process data, and other SBOMs.

And that's exactly what we are now shipping with Qt 6.8.0 and later.

Specifically, we ship one document for each Qt framework git repository built, using the SPDX v2.3 format, in both tag:value and JSON formats. When installing Qt via the online installer, you will automatically get the SBOM documents in your ~/Qt/<platform>/sbom directory for the relevant packages that you have installed.

These documents contain:

  • An entry describing each Qt module or plugin built as part of the build process
  • An entry for each 3rd party or system library used
  • Dependency relationships between these entries, e.g. the fact that Qt Core links against a system ZLIB library
  • License information, copyright attribution, and version information for each of these components, where available
  • Source file information that was used to generate each specific library
  • A SHA1 checksum for each installed binary file, as well as an overall checksum for the whole document
  • Security-relevant information, like package-specific CPEs and PURLs, to aid tooling in finding vulnerabilities
  • Other information like the compiler version used, the build tool version used, the build date and SBOM creation date, a unique URI identifying the SBOM document, etc.

Because these SBOM documents are machine-readable and have a well-defined structure, they can be fed to various tooling for useful purposes like:

  • Finding vulnerabilities based on component versions in databases like the National Vulnerability Database (where CVEs are usually filed), GitHub Advisories, etc.
  • License compliance (e.g. deny all usage of GPL libraries)
  • File integrity checking (based on the SBOM embedded checksums)
  • Copyright attribution collection (to generate an 'About dialog' with all the copyrights)
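As an added illustration of the last two uses (not code from Qt or the Qt build system), the snippet below reads a small constructed SPDX 2.3 JSON document shaped like the ones described above, pulls out the CPE and PURL locators a vulnerability scanner needs, resolves a DEPENDS_ON relationship, and recomputes the SHA1 of a listed file against the checksum embedded in the SBOM. The package names, SPDXIDs, CPE/PURL locators and file path are placeholders, and the "installed file" is a constructed byte string rather than a real Qt binary.

```python
import hashlib
import json

# Constructed SPDX 2.3 JSON document; names, locators and paths are placeholders.
SBOM_JSON = """{
 "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
 "packages": [
  {"name": "qtcore", "SPDXID": "SPDXRef-qtcore", "versionInfo": "6.8.0",
   "externalRefs": [
    {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:example:qtcore:6.8.0:*:*:*:*:*:*:*"},
    {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
     "referenceLocator": "pkg:generic/example/qtcore@6.8.0"}]},
  {"name": "zlib", "SPDXID": "SPDXRef-system-zlib", "externalRefs": []}],
 "files": [{"fileName": "./lib/libQt6Core.so", "SPDXID": "SPDXRef-f1",
   "checksums": [{"algorithm": "SHA1",
    "checksumValue": "a9993e364706816aba3e25717850c26c9cd0d89d"}]}],
 "relationships": [{"spdxElementId": "SPDXRef-qtcore",
   "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-system-zlib"}]
}"""
DOC = json.loads(SBOM_JSON)

def security_refs(doc):
    """package name -> {"cpe": [...], "purl": [...]}, the keys a scanner looks up."""
    kinds = {"cpe23Type": "cpe", "purl": "purl"}
    out = {}
    for pkg in doc.get("packages", []):
        out[pkg["name"]] = refs = {"cpe": [], "purl": []}
        for ref in pkg.get("externalRefs", []):
            if ref["referenceType"] in kinds:
                refs[kinds[ref["referenceType"]]].append(ref["referenceLocator"])
    return out

def dependencies(doc, name):
    """Names of packages that `name` DEPENDS_ON, resolved through SPDXIDs."""
    by_id = {p["SPDXID"]: p["name"] for p in doc["packages"]}
    own_id = next(p["SPDXID"] for p in doc["packages"] if p["name"] == name)
    return [by_id[r["relatedSpdxElement"]] for r in doc.get("relationships", [])
            if r["spdxElementId"] == own_id and r["relationshipType"] == "DEPENDS_ON"]

def verify_files(doc, contents):
    """Recompute SHA1 per listed file (path -> bytes); a missing file or checksum fails."""
    results = {}
    for f in doc.get("files", []):
        want = {c["algorithm"]: c["checksumValue"].lower() for c in f["checksums"]}
        data = contents.get(f["fileName"])
        results[f["fileName"]] = (data is not None and "SHA1" in want
                                  and hashlib.sha1(data).hexdigest() == want["SHA1"])
    return results
```

To run this against a real installation, load one of the JSON documents from ~/Qt/<platform>/sbom instead of SBOM_JSON and populate `contents` by reading the installed files relative to that Qt directory.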

Getting SBOMs for your own Qt

These SBOMs are not limited to Qt's official packages.

If you're building Qt from scratch, ensure you have the required dependencies installed (link pending) and pass -sbom as an additional argument to the configure script. This will automatically generate and install the SBOM documents along with your Qt framework.

Because this feature was added fairly recently, there are still some gaps in the gathered information (e.g., there's no SBOM information for Qt translations yet), but we aim to improve this in the future. You can check the known gaps by looking at the related issues of QTBUG-122899.

We are also looking into adding a public CMake API to generate SBOMs for your Qt projects, which would make CRA compliance easier for you.

As time passes, the CRA's expectations for software authors will become clearer, and we will incorporate the necessary changes into our generated SBOMs.

Until then, happy SBOMing.
