| author | Alexandru Croitor <alexandru.croitor@qt.io> | 2025-02-13 14:46:12 +0100 |
|---|---|---|
| committer | Alexandru Croitor <alexandru.croitor@qt.io> | 2025-03-17 10:18:02 +0100 |
| commit | fd6cbf54eb837fb2e6c737e6f25d0872100369b2 (patch) | |
| tree | 3d7df649456ca5d68069ff22669a1e5eda47d712 /cmake/QtWebEngineSbomHelpers.cmake | |
| parent | 0546e3d722350c31d04f9a74446d02f79c928fbe (diff) | |
CMake: Handle missing python dependency for Chromium SBOM conversion

By default qtbase always generates tag/value SBOM documents, and only
generates JSON SBOM documents if the required spdx-tools python
dependency is found. If it is not found, it silently skips the json
file generation.

On the other hand, QtWebEngine generates the Chromium specific SBOM
into the json format. We then need to convert that into a tag/value
format using the spdx-tools package, to be able to link the
QtWebEngine SBOM to the Chromium one.

This means that if the spdx-tools package is missing, qtbase only has
tag/value SBOMs, Chromium only has a json SBOM, and we can't link
them. The Chromium one is therefore useless, and there was no reason
to generate it.

Change the build system code in qtwebengine to do the following:
- if the python dependency is missing, skip the Chromium SBOM
  generation and show a configure check warning that the Chromium SBOM
  is skipped
- if the python dependency is missing and
  QT_SBOM_REQUIRE_GENERATE_JSON is ON (or -sbom-json-required is
  passed), skip building both QtWebEngine and QtPdf, because we can't
  satisfy the requirements. The variable is only ON if the user
  explicitly opted into the option. This follows the logic in qtbase.
  Usually we would have errored out in such a case, but we can't due
  to the usual can't error during configure in qtwebengine reasons.

Remove the previous workaround of skipping the Chromium SBOM
generation without showing any diagnostic messages.

This reverts commit 3250fc3cca8b88d6c8ab2f9edc7dd46bfb2d3681

Pick-to: 6.9
Change-Id: I68b7e281a80e8edc11197350b4400408ff0ec8c8
Reviewed-by: Alexey Edelev <alexey.edelev@qt.io>

Diffstat (limited to 'cmake/QtWebEngineSbomHelpers.cmake')
| -rw-r--r-- | cmake/QtWebEngineSbomHelpers.cmake | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/cmake/QtWebEngineSbomHelpers.cmake b/cmake/QtWebEngineSbomHelpers.cmake index 2c0591882..c16b5af39 100644 --- a/cmake/QtWebEngineSbomHelpers.cmake +++ b/cmake/QtWebEngineSbomHelpers.cmake @@ -45,10 +45,21 @@ endfunction() # Join all the targets into (at most) two documents for Pdf / WebEngine function(qt_webengine_sbom_project_end) - if(NOT QT_GENERATE_SBOM - # Temporarily skip generating sbom if tag-value generation dependencies are not found. - OR (NOT QT_INTERNAL_SBOM_PYTHON_EXECUTABLE) - OR (NOT QT_INTERNAL_SBOM_DEPS_FOUND_FOR_GENERATE_JSON)) + if(NOT QT_GENERATE_SBOM) + return() + endif() + + # We have the situation that qtbase by default does not generate JSON files if the required + # python dependency spdx-tools is not found. + # But QtWebEngine requires the spdx-tools package to be available, otherwise we can't generate + # a tag/value document from the Chromium-generated json file, and then link the Chromium + # SBOM document to the qtwebengine one. + # Skip the Chromium SBOM generation if the dependency is not found. + # A warning or skip message should have already been shown at general configure check time. + qt_internal_sbom_verify_deps_for_generate_tag_value_spdx_document( + OUT_VAR_DEPS_FOUND sbom_deps_found + ) + if(NOT sbom_deps_found) return() endif() |
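
Review bot: The early `return()` under `if(NOT sbom_deps_found)` leaves `qt_webengine_sbom_project_end` entirely, yet the new comment says only the Chromium SBOM generation is skipped, while the comment above the function says it joins all targets into the Pdf / WebEngine documents. Please state in the comment whether the QtWebEngine and QtPdf documents are also meant to be skipped when spdx-tools is missing, or move the check so that it guards only the Chromium-specific part. The return is also silent at this point and relies on "A warning or skip message should have already been shown at general configure check time"; naming the configure check that emits that message would let a reader confirm it, since nothing in this function reports the skip. A missing SBOM that nobody notices is a supply-chain visibility gap, so the diagnostic path deserves to be traceable from here.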
