CMake: Read UpstreamPURL from attribution files when generating SBOMs

Pick-to: 6.8 Task-number: QTBUG-122899 Change-Id: Id65770cdee17c6bf4701b10565ab428f3e28887f Reviewed-by: Joerg Bornemann <[email protected]>
quadtrees · Aug 17, 2024 · 95b7fe4 · 95b7fe4
1 parent f7e1123
commit 95b7fe4
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/cmake/QtPublicSbomHelpers.cmake b/cmake/QtPublicSbomHelpers.cmake
@@ -705,6 +705,9 @@ function(_qt_internal_sbom_add_target target)
     if(is_qt_entity_type)
         list(APPEND purl_args IS_QT_ENTITY_TYPE)
     endif()
+    if(qa_upstream_purl)
+        list(APPEND purl_args PURL_3RDPARTY_UPSTREAM_VALUE "${qa_upstream_purl}")
+    endif()
     list(APPEND purl_args OUT_VAR purl_package_options)
 
     _qt_internal_sbom_handle_purl_values(${target} ${purl_args})
@@ -2242,6 +2245,7 @@ function(_qt_internal_sbom_read_qt_attribution out_prefix)
         _qt_internal_sbom_get_attribution_key(DownloadLocation download_location "${out_prefix}")
         _qt_internal_sbom_get_attribution_key(Copyright copyrights "${out_prefix}")
         _qt_internal_sbom_get_attribution_key(CopyrightFile copyright_file "${out_prefix}")
+        _qt_internal_sbom_get_attribution_key(UpstreamPURL upstream_purl "${out_prefix}")
 
         # In some attribution files (like harfbuzz) Copyright contains an array of copyrights rather
         # than a single string. Extract all of them.