| author | Alexandru Croitor <alexandru.croitor@qt.io> | 2025-02-13 14:46:12 +0100 |
|---|---|---|
| committer | Alexandru Croitor <alexandru.croitor@qt.io> | 2025-03-17 10:18:02 +0100 |
| commit | fd6cbf54eb837fb2e6c737e6f25d0872100369b2 (patch) | |
| tree | 3d7df649456ca5d68069ff22669a1e5eda47d712 | |
| parent | 0546e3d722350c31d04f9a74446d02f79c928fbe (diff) | |
CMake: Handle missing python dependency for Chromium SBOM conversion
By default qtbase always generates tag/value SBOM documents, and only
generates JSON SBOM documents if the required spdx-tools python
dependency is found. If it is not found, it silently skips the json
file generation.
On the other hand, QtWebEngine generates the Chromium specific SBOM
into the json format. We then need to convert that into a tag/value
format using the spdx-tools package, to be able to link the
QtWebEngine SBOM to the Chromium one.
This means that if the spdx-tools package is missing, qtbase only has
tag/value SBOMs, Chromium only has a json SBOM, and we can't link
them. The Chromium one is therefore useless, and there was no reason
to generate it.
Change the build system code in qtwebengine to do the following:
- if the python dependency is missing, skip the Chromium SBOM
generation and show a configure check warning that the Chromium SBOM
is skipped
- if the python dependency is missing and
QT_SBOM_REQUIRE_GENERATE_JSON is ON (or -sbom-json-required is
passed), skip building both QtWebEngine and QtPdf, because we can't
satisfy the requirements. The variable is only ON if the user
explicitly opted into the option. This follows the logic in qtbase.
Usually we would have errored out in such a case, but we can't, for the
usual reason that qtwebengine must not error out during configure.
Remove the previous workaround of skipping the Chromium SBOM
generation without showing any diagnostic messages.
This reverts commit 3250fc3cca8b88d6c8ab2f9edc7dd46bfb2d3681
Pick-to: 6.9
Change-Id: I68b7e281a80e8edc11197350b4400408ff0ec8c8
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>
| -rw-r--r-- | cmake/QtWebEngineSbomHelpers.cmake | 19 | ||||
| -rw-r--r-- | configure.cmake | 22 |
2 files changed, 36 insertions, 5 deletions
diff --git a/cmake/QtWebEngineSbomHelpers.cmake b/cmake/QtWebEngineSbomHelpers.cmake
index 2c0591882..c16b5af39 100644
--- a/cmake/QtWebEngineSbomHelpers.cmake
+++ b/cmake/QtWebEngineSbomHelpers.cmake
@@ -45,10 +45,21 @@ endfunction()
 
 # Join all the targets into (at most) two documents for Pdf / WebEngine
 function(qt_webengine_sbom_project_end)
- if(NOT QT_GENERATE_SBOM
- # Temporarily skip generating sbom if tag-value generation dependencies are not found.
- OR (NOT QT_INTERNAL_SBOM_PYTHON_EXECUTABLE)
- OR (NOT QT_INTERNAL_SBOM_DEPS_FOUND_FOR_GENERATE_JSON))
+ if(NOT QT_GENERATE_SBOM)
+ return()
+ endif()
+
+ # We have the situation that qtbase by default does not generate JSON files if the required
+ # python dependency spdx-tools is not found.
+ # But QtWebEngine requires the spdx-tools package to be available, otherwise we can't generate
+ # a tag/value document from the Chromium-generated json file, and then link the Chromium
+ # SBOM document to the qtwebengine one.
+ # Skip the Chromium SBOM generation if the dependency is not found.
+ # A warning or skip message should have already been shown at general configure check time.
+ qt_internal_sbom_verify_deps_for_generate_tag_value_spdx_document(
+ OUT_VAR_DEPS_FOUND sbom_deps_found
+ )
+ if(NOT sbom_deps_found)
 return()
 endif()
 
diff --git a/configure.cmake b/configure.cmake
index 71b2a111b..cd4c39351 100644
--- a/configure.cmake
+++ b/configure.cmake
@@ -47,6 +47,10 @@ else()
 find_package(PkgConfig)
 find_package(Snappy)
 find_package(Nodejs ${QT_CONFIGURE_CHECK_nodejs_version})
+ _qt_internal_sbom_verify_deps_for_generate_tag_value_spdx_document(
+ OUT_VAR_DEPS_FOUND sbom_deps_found
+ OUT_VAR_REASON_FAILURE_MESSAGE sbom_missing_deps_message
+ )
 endif()
 
 if(PkgConfig_FOUND)
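Review bot: The call added in qt_webengine_sbom_project_end is spelled `qt_internal_sbom_verify_deps_for_generate_tag_value_spdx_document(`, while the configure.cmake hunk of this same commit calls `_qt_internal_sbom_verify_deps_for_generate_tag_value_spdx_document(` with a leading underscore. Neither definition is visible here, so both may exist; if only one does, the other call site fails with an unknown-command error when it is reached. It is also worth confirming that both spellings return the same result, because the early `return()` here relies on the configure-time diagnostic having been driven by the same answer. If one is only a wrapper, use a single spelling in both files. The function body continues past the end of the hunk.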
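Review bot: `sbom_deps_found` and `sbom_missing_deps_message` are assigned only inside this `else()` branch, yet the later configure.cmake hunks read them at top level (`CONDITION sbom_deps_found` and `CONDITION NOT sbom_deps_found`). The matching `if()` starts outside the hunk, so it is not visible whether those later blocks can run when that branch is taken; if they can, an unset `sbom_deps_found` would evaluate as false and report missing dependencies with an empty reason. A comment above the call such as `# Results are consumed by the "sbom-generate-json" check and the SBOM report entry below.` would document the coupling. The probe also runs when no SBOM was requested, so wrapping it in `if(QT_GENERATE_SBOM)` may be appropriate if that variable is already set at this point.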
@@ -333,6 +337,14 @@ qt_webengine_configure_check("python3"
 MESSAGE "Python ${QT_CONFIGURE_CHECK_python3_version} or later is required. Please use -DPython3_EXECUTABLE for custom path to interpreter."
 DOCUMENTATION "Python ${QT_CONFIGURE_CHECK_python3_version} version or later."
 )
+if(QT_GENERATE_SBOM AND QT_SBOM_GENERATE_JSON AND QT_SBOM_REQUIRE_GENERATE_JSON)
+ qt_webengine_configure_check("sbom-generate-json"
+ MODULES QtWebEngine QtPdf
+ CONDITION sbom_deps_found
+ MESSAGE
+ "SBOM JSON file generation requirements missing, but JSON files were explicitly required. ${sbom_missing_deps_message}"
+ )
+endif()
 qt_webengine_configure_check("python3-html5lib"
 MODULES QtWebEngine
 CONDITION Python3_EXECUTABLE AND NOT html5lib_NOT_FOUND
@@ -831,4 +843,12 @@ if(NOT QT_SUPERBUILD)
 CONDITION QT_SHOW_EXTRA_IDE_SOURCES OR (NOT DEFINED QT_SHOW_EXTRA_IDE_SOURCES AND CMAKE_VERSION VERSION_GREATER_EQUAL 3.20)
 )
 endif()
-
+# Only show the warning if JSON generation is not required. For the case when it is required,
+# there's an extra configure check.
+if(QT_GENERATE_SBOM AND NOT QT_SBOM_REQUIRE_GENERATE_JSON)
+ qt_configure_add_report_entry(
+ TYPE WARNING
+ MESSAGE "Qt WebEngine And Qt Pdf SBOM generation will be skipped due to missing dependencies. ${sbom_missing_deps_message}"
+ CONDITION NOT sbom_deps_found
+ )
+endif() |
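Review bot: The guard `if(QT_GENERATE_SBOM AND QT_SBOM_GENERATE_JSON AND QT_SBOM_REQUIRE_GENERATE_JSON)` is not the complement of the guard on the report entry added at the end of the file, `if(QT_GENERATE_SBOM AND NOT QT_SBOM_REQUIRE_GENERATE_JSON)`. With QT_SBOM_REQUIRE_GENERATE_JSON ON and QT_SBOM_GENERATE_JSON OFF neither diagnostic fires, while qt_webengine_sbom_project_end still returns early on missing dependencies. The Chromium SBOM would then be dropped without any message, which is the situation the commit message says it removes. If that combination can occur, make the warning guard the exact complement: `if(QT_GENERATE_SBOM AND NOT (QT_SBOM_GENERATE_JSON AND QT_SBOM_REQUIRE_GENERATE_JSON))`.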
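Review bot: The warning text in the last hunk says "Qt WebEngine And Qt Pdf SBOM generation will be skipped", whereas the commit message and the comment added in QtWebEngineSbomHelpers.cmake describe skipping the Chromium SBOM. Someone auditing the configure summary cannot tell from this whether the module SBOMs are still produced without the Chromium link or are missing altogether. State exactly what is omitted, for example `MESSAGE "Chromium SBOM generation for Qt WebEngine and Qt Pdf will be skipped due to missing dependencies. ${sbom_missing_deps_message}"`, provided that matches what the early return in qt_webengine_sbom_project_end actually leaves out.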
