author | Alexandru Croitor <alexandru.croitor@qt.io> | 2024-08-22 19:49:07 +0200 |
---|---|---|
committer | Volker Hilsheimer <volker.hilsheimer@qt.io> | 2024-09-18 16:36:40 +0000 |
commit | 2d9bee09c436f67781594a42c2aee9c9582cc24d (patch) | |
tree | 54a476adb62d65cc40bf2c7242dc5d138ed050cc | |
parent | 8e8e83956ebbd5db6f7b620fc20757b7ea16da8d (diff) |
QUIP-7: Add CPE and PURL attributes
These attributes will be embedded into Qt's build SBOM (an SPDX v2.3
SBOM), so that 3rd party SBOM processing tools can use them to
identify 3rd party components that ship as part of Qt, as well as to
track any CVEs issued against these components or specific versions of
them.
Change-Id: If31bc9210c01802a0448d8e8a9655cdb18bc2061
Reviewed-by: Lucie Gerard <lucie.gerard@qt.io>
-rw-r--r-- | quip-0007.rst | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/quip-0007.rst b/quip-0007.rst index f5774c1..ee81039 100644 --- a/quip-0007.rst +++ b/quip-0007.rst @@ -105,6 +105,39 @@ Copyright Copyright YYYY <main author> and contributors is also acceptable. +CPE + A CPE (Common Platform Enumeration) string for the component, formatted + according to the CPE 2.3 specification [7]_. + The format is as follows:: + + cpe:<cpe_version>:<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>:<sw_edition>:<target_sw>:<target_hw>:<other> + + Sample values can be found in the official CPE dictionary [8]_. + An example for zlib would be:: + + cpe:2.3:a:zlib:zlib:1.3:1:*:*:*:*:*:* + + The value should ideally include the version of the component in + addition to the vendor and product names. + The value can be a single string or an array of strings. Optional. +PURL + A Package URL (PURL) for the component, formatted according to the + PURL specification [9]_. + The format is as follows:: + + scheme:type/namespace/name@version?qualifiers#subpath + + There is no single database for PURLs, but a non-exhaustive database + can be found at [10]_. + Otherwise if the component is hosted on GitHub, the PURL is easily + constructed based on the GitHub URL. + An example for zlib would be:: + + pkg:github/madler/zlib@v1.3.1 + + The value should ideally include the version of the component, in + addition to the namespace and name. + Can be either a single string or an array of strings. Optional. Specification of License Files ------------------------------ @@ -176,3 +209,8 @@ References .. [4] https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ .. [5] https://src.chromium.org/viewvc/chrome/trunk/src/third_party/README.chromium.template .. [6] https://github.com/fsfe/reuse-tool +.. [7] https://cpe.mitre.org/specification/ +.. [8] https://nvd.nist.gov/products/cpe +.. [9] https://github.com/package-url/purl-spec +.. [10] https://github.com/scanoss/purl2cpe + |
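Review bot: in the hunk at `@@ -105,6 +105,39 @@`, the two zlib examples describe the same component but split the version differently: the CPE line `cpe:2.3:a:zlib:zlib:1.3:1:*:*:*:*:*:*` puts `1.3` in the version field and `1` in the update field, while the PURL line `pkg:github/madler/zlib@v1.3.1` names release 1.3.1. A tool that matches CVE data on the CPE version field will see 1.3 rather than 1.3.1, so check the entry against the CPE dictionary cited as [8]_ and have both examples name the same release in the same way. A smaller style point: the "Optional" sentences are phrased differently under CPE ("The value can be a single string or an array of strings.") and under PURL ("Can be either a single string or an array of strings."); use one wording, and say how an array of values is written in the attribute, since the SBOM generator has to parse it.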
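Review bot: the hunk at `@@ -176,3 +209,8 @@` ends with a bare `+` line after `.. [10]`, which leaves a trailing blank line at the end of quip-0007.rst; drop it unless the file is meant to end that way. The four added references [7] to [10] do line up with the `[7]_` to `[10]_` citation markers introduced in the earlier hunk.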