CMake: Add PURL and CPE info to 3rd party attribution files

The change adds CPE and PURL keys to all qt_attribution.json files in
the repo.

In case if no sensible CPE or PURL exists, a "Comment" field is added
with the text "no relevant CPE or PURL found". If only one of them
does not exist, it is written as such in the Comment field.

This allows filtering for files that haven't had the information added
yet vs those that were looked up but no relevant information was
found.

For sources that are not hosted on github, a generic PURL is used with
a download_url fragment pointing either to the exact location where
the sources can be downloaded, or to the homepage of the project.
The generic package name was chosen based on the 'Id' key of the
attribution entry where it was present, and is not authoritative.

For PURL github packages, the 'git tag' name was specified into the
'version' part of the PURL, rather than the 'version number', because
SBOM processing tooling handle that better than the version number.
For example for the freetype package, we specify the string
'VER-2-13-3' rather than the tag name '2.13.3'.
We might revisit this in the future.

[ChangeLog][Third-Party Code] Added PURL and CPE information to the
attribution files of 3rd party sources.

Task-number: QTBUG-122899
Task-number: QTBUG-129602
Change-Id: Iad126242cafc3ea0b678c5c36b26f857039b1dbd
Reviewed-by: Alexey Edelev <[email protected]>
(cherry picked from commit 36dca3c)

src/3rdparty/D3D12MemoryAllocator/qt_attribution.json

@@ -8,9 +8,11 @@
 
         "Homepage": "https://github.com/GPUOpen-LibrariesAndSDKs/D3D12MemoryAllocator",
         "Version": "f128d39b7a95b4235bd228d231646278dc6c24b2",
+        "PURL": "pkg:github/GPUOpen-LibrariesAndSDKs/D3D12MemoryAllocator@f128d39b7a95b4235bd228d231646278dc6c24b2",
         "License": "MIT License",
         "LicenseId": "MIT",
         "LicenseFile": "LICENSE.txt",
-        "Copyright": "Copyright (c) 2019-2022 Advanced Micro Devices, Inc. All rights reserved."
+        "Copyright": "Copyright (c) 2019-2022 Advanced Micro Devices, Inc. All rights reserved.",
+        "Comment": "no relevant CPE found"
     }
 ]

src/3rdparty/VulkanMemoryAllocator/qt_attribution.json

@@ -8,9 +8,11 @@
 
         "Homepage": "https://github.com/GPUOpen-LibrariesAndSDKs/VulkanMemoryAllocator",
         "Version": "3.0.1",
+        "PURL": "pkg:github/GPUOpen-LibrariesAndSDKs/[email protected]",
         "License": "MIT License",
         "LicenseId": "MIT",
         "LicenseFile": "LICENSE.txt",
-        "Copyright": "Copyright (c) 2017-2022 Advanced Micro Devices, Inc. All rights reserved."
+        "Copyright": "Copyright (c) 2017-2024 Advanced Micro Devices, Inc. All rights reserved.",
+        "Comment": "no relevant CPE found"
     }
 ]

src/3rdparty/android/qt_attribution.json

@@ -7,5 +7,6 @@
     "License": "Apache License 2.0",
     "LicenseId": "Apache-2.0",
     "LicenseFile": "LICENSE",
-    "Copyright": "Copyright (C) 2005 The Android Open Source Project"
+    "Copyright": "Copyright (C) 2005 The Android Open Source Project",
+    "Comment": "no relevant PURL or CPE found"
 }

src/3rdparty/blake2/qt_attribution.json

@@ -9,6 +9,8 @@
     "Homepage": "https://blake2.net/",
     "Version": "54f4faa4c16ea34bcd59d16e8da46a64b259fc07",
     "DownloadLocation": "https://github.com/BLAKE2/BLAKE2/tree/54f4faa4c16ea34bcd59d16e8da46a64b259fc07",
+    "PURL": "pkg:github/BLAKE2/BLAKE2@54f4faa4c16ea34bcd59d16e8da46a64b259fc07",
+    "CPE": "cpe:2.3:a:blake2:blake2:*:*:*:*:*:*:*:*",
     "License": "Creative Commons Zero v1.0 Universal or Apache License 2.0",
     "LicenseId": "CC0-1.0 OR Apache-2.0",
     "LicenseFile": "COPYING",

src/3rdparty/double-conversion/qt_attribution.json

@@ -7,6 +7,8 @@
     "Homepage": "https://github.com/google/double-conversion",
     "Version": "3.3.0",
     "DownloadLocation": "https://github.com/google/double-conversion/releases/tag/v3.3.0",
+    "PURL": "pkg:github/google/[email protected]",
+    "CPE": "cpe:2.3:a:google:double-conversion:3.3.0:*:*:*:*:*:*:*",
     "License": "BSD 3-clause \"New\" or \"Revised\" License",
     "LicenseId": "BSD-3-Clause",
     "LicenseFile": "LICENSE",

src/3rdparty/easing/qt_attribution.json

@@ -5,7 +5,7 @@
     "QtUsage": "Used in Qt Core (QEasingCurve).",
     "Files": "easing.cpp",
 
-    "Comment": "treat as final",
+    "Comment": "treat as final, no relevant PURL or CPE found",
     "Homepage": "http://robertpenner.com/easing/",
     "License": "BSD 3-clause \"New\" or \"Revised\" License",
     "LicenseId": "BSD-3-Clause",

src/3rdparty/forkfd/qt_attribution.json

@@ -3,7 +3,7 @@
     "Name": "forkfd",
     "QDocModule": "qtcore",
     "QtUsage": "Used on most Unix platforms in Qt Core.",
-    "Comment": "No upstream; treat as final",
+    "Comment": "No upstream; treat as final, no relevant PURL or CPE found",
     "Files": [ "forkfd.c", "forkfd.h", "forkfd_gcc.h" ],
 
     "License": "MIT License",

src/3rdparty/freetype/qt_attribution.json

@@ -10,6 +10,12 @@
         "Homepage": "http://www.freetype.org",
         "Version": "2.13.3",
         "DownloadLocation": "https://download.savannah.gnu.org/releases/freetype/freetype-2.13.3.tar.gz",
+        "PURL": [
+            "pkg:github/freetype/freetype@VER-2-13-3"
+        ],
+        "CPE": [
+            "cpe:2.3:a:freetype:freetype:2.13:3:*:*:*:*:*:*"
+        ],
 
         "License": "Freetype Project License or GNU General Public License v2.0 only",
         "LicenseId": "FTL OR GPL-2.0-only",

src/3rdparty/gradle/qt_attribution.json

@@ -6,6 +6,8 @@
     "Homepage": "https://gradle.org",
     "Version": "8.10",
     "DownloadLocation": "https://github.com/gradle/gradle/releases/tag/v8.10.0",
+    "PURL": "pkg:github/gradle/[email protected]",
+    "CPE": "cpe:2.3:a:gradle:gradle:8.10.0:*:*:*:*:*:*:*",
     "QtUsage": "Needed to create Android packages",
     "License": "Apache License 2.0",
     "LicenseId": "Apache-2.0",

src/3rdparty/harfbuzz-ng/qt_attribution.json

@@ -9,7 +9,8 @@
     "Homepage": "http://harfbuzz.org",
     "Version": "10.1.0",
     "DownloadLocation": "https://github.com/harfbuzz/harfbuzz/releases/tag/10.1.0",
-
+    "PURL": "pkg:github/harfbuzz/[email protected]",
+    "CPE": "cpe:2.3:a:harfbuzz_project:harfbuzz:10.1.0:*:*:*:*:*:*:*",
     "License": "MIT License",
     "LicenseId": "MIT",
     "LicenseFile": "COPYING",

src/3rdparty/icc/qt_attribution.json

@@ -6,9 +6,10 @@
         "QtUsage": "Used in Qt Gui (Embedded into PDF/A-1b files generated by QPrinter/QPdfWriter).",
         "Files": "sRGB2014.icc",
 
-        "Comment": "No upstream: treat as final",
+        "Comment": "No upstream: treat as final, no relevant CPE found",
         "Description": "An ICC color profile for PDF/A-1b compatible PDF files.",
         "Homepage": "http://www.color.org/",
+        "PURL": "pkg:generic/icc-sRGB-color-profile?download_url=http://www.color.org/",
         "LicenseId": "LicenseRef-ICC-License",
         "License": "International Color Consortium License",
         "LicenseFile": "LICENSE.txt",

src/3rdparty/libjpeg/qt_attribution.json

@@ -9,6 +9,8 @@
     "Homepage": "http://libjpeg-turbo.virtualgl.org/",
     "Version": "3.0.4",
     "DownloadLocation": "https://github.com/libjpeg-turbo/libjpeg-turbo/releases/download/3.0.4/libjpeg-turbo-3.0.4.tar.gz",
+    "PURL": "pkg:github/libjpeg-turbo/[email protected]",
+    "CPE": "cpe:2.3:a:libjpeg-turbo:libjpeg-turbo:3.0.4:*:*:*:*:*:*:*",
 
     "License": "Independent JPEG Group License and BSD 3-Clause \"New\" or \"Revised\" License",
     "LicenseId": "IJG AND BSD-3-Clause",

src/3rdparty/libpng/qt_attribution.json

@@ -9,6 +9,8 @@
     "Homepage": "http://www.libpng.org/pub/png/libpng.html",
     "Version": "1.6.44",
     "DownloadLocation": "https://download.sourceforge.net/libpng/libpng-1.6.44.tar.xz",
+    "PURL": "pkg:github/pnggroup/[email protected]",
+    "CPE": "cpe:2.3:a:libpng:libpng:1.6.44:*:*:*:*:*:*:*",
 
     "License": "libpng License and PNG Reference Library version 2",
     "LicenseId": "Libpng AND libpng-2.0",

src/3rdparty/libpsl/qt_attribution.json

@@ -19,9 +19,10 @@ supported by Qt (by the QNetworkCookieJar class).",
 
     "Comment": "Consult https://github.com/publicsuffix/list for the sha1 but download from ...",
     "Homepage": "http://publicsuffix.org/",
-    "Comment": "Suggested update schedule: twice per year (before a 6.x.0 release)",
+    "Comment": "Suggested update schedule: twice per year (before a 6.x.0 release), no relevant CPE found",
     "Version": "903a83ff7bfc3148e3692e09396f9f3bdc9462ef, fetched on 2024-06-05",
     "DownloadLocation": "https://publicsuffix.org/list/public_suffix_list.dat",
+    "PURL": "pkg:generic/psl-data@903a83ff7bfc3148e3692e09396f9f3bdc9462ef?download_url=https://publicsuffix.org/list/public_suffix_list.dat",
 
     "License": "Mozilla Public License 2.0",
     "LicenseFile": "PSL-LICENSE.txt",
@@ -38,9 +39,11 @@ supported by Qt (by the QNetworkCookieJar class).",
 to lookup entries in it.",
     "Homepage": "https://github.com/rockdaboot/libpsl",
     "Version": "664f3dc85259ec65e30248a61fa1c45b7b0e4c3f",
+    "PURL": "pkg:github/rockdaboot/libpsl@664f3dc85259ec65e30248a61fa1c45b7b0e4c3f",
     "License": "BSD 3-clause \"New\" or \"Revised\" License",
     "LicenseFile": "src/LICENSE.chromium",
     "LicenseId": "BSD-3-Clause",
-    "Copyright": "Copyright 2014-2016 The Chromium Authors. All rights reserved."
+    "Copyright": "Copyright 2014-2016 The Chromium Authors. All rights reserved.",
+    "Comment": "no relevant CPE found"
 }
 ]

src/3rdparty/md4/qt_attribution.json

@@ -4,7 +4,7 @@
     "QDocModule": "qtcore",
     "QtUsage": "Used in Qt Core (QCryptographicHash).",
 
-    "Comment": "Treat as final version; no upstream known",
+    "Comment": "Treat as final version; no upstream known, no relevant CPE or PURL found",
     "Description": "An OpenSSL-compatible implementation of the RSA Data Security, Inc. MD4 Message-Digest Algorithm.",
     "License": "Public Domain",
     "LicenseId": "CC0-1.0",

src/3rdparty/md4c/qt_attribution.json

@@ -12,5 +12,7 @@
     "LicenseFile": "LICENSE.md",
     "Version": "0.5.2",
     "DownloadLocation": "https://github.com/mity/md4c/releases/tag/release-0.5.2",
+    "PURL": "pkg:github/mity/[email protected]",
+    "CPE": "cpe:2.3:a:md4c_project:md4c:0.5.2:*:*:*:*:*:*:*",
     "Copyright": "Copyright © 2016-2024 Martin Mitáš"
 }

src/3rdparty/md5/qt_attribution.json

@@ -4,7 +4,7 @@
     "QDocModule": "qtcore",
     "QtUsage": "Used in Qt Core (QCryptographicHash).",
 
-    "Comment": "Treat as final version; no upstream known",
+    "Comment": "Treat as final version; no upstream known, no relevant CPE or PURL found",
     "Description": "MD5 message-digest algorithm.",
     "License": "Public Domain",
     "LicenseId": "CC0-1.0",

src/3rdparty/pcre2/CMakeLists.txt

@@ -45,8 +45,6 @@ qt_internal_add_3rdparty_library(BundledPcre2
         PCRE2_CODE_UNIT_WIDTH=16
     PUBLIC_INCLUDE_DIRECTORIES
         $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/src>
-    CPE_VENDOR "pcre"
-    CPE_PRODUCT "pcre2"
 )
 qt_disable_warnings(BundledPcre2)
 qt_set_symbol_visibility_hidden(BundledPcre2)

src/3rdparty/pcre2/qt_attribution.json

@@ -10,6 +10,8 @@
     "Homepage": "http://www.pcre.org/",
     "Version": "10.44",
     "DownloadLocation": "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.44/pcre2-10.44.tar.bz2",
+    "PURL": "pkg:github/PCRE2Project/[email protected]",
+    "CPE": "cpe:2.3:a:pcre:pcre2:10.44:*:*:*:*:*:*:*",
     "License": "BSD 3-clause \"New\" or \"Revised\" License with PCRE2 binary-like Packages Exception",
     "LicenseId": "LicenseRef-BSD-3-Clause-with-PCRE2-Binary-Like-Packages-Exception",
     "LicenseFile": "LICENCE",
@@ -27,6 +29,8 @@
     "Homepage": "http://www.pcre.org/",
     "Version": "10.44",
     "DownloadLocation": "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.44/pcre2-10.44.tar.bz2",
+    "PURL": "pkg:github/PCRE2Project/[email protected]",
+    "CPE": "cpe:2.3:a:pcre:pcre2:10.44:*:*:*:*:*:*:*",
     "License": "BSD 2-clause \"Simplified\" License",
     "LicenseId": "BSD-2-Clause",
     "LicenseFile": "LICENCE-SLJIT",

src/3rdparty/pixman/qt_attribution.json

@@ -7,8 +7,10 @@
     "Description": "pixman is a library that provides low-level pixel manipulation features such as image compositing and trapezoid rasterization.",
     "Homepage": "http://www.pixman.org/",
     "Version": "0.17.12",
+    "PURL": "pkg:generic/[email protected]?download_url=http://www.pixman.org/",
     "License": "MIT License",
     "LicenseFile": "LICENSE",
     "LicenseId": "MIT",
-    "Copyright": "Copyright © 2009 Nokia Corporation"
+    "Copyright": "Copyright © 2009 Nokia Corporation",
+    "Comment": "no relevant CPE found"
 }

src/3rdparty/rfc6234/qt_attribution.json

@@ -4,7 +4,7 @@
     "QDocModule": "qtcore",
     "QtUsage": "Used in Qt Core (QCryptographicHash and QMessageAuthenticationCode)",
 
-    "Comment": "The RFC actually contains the code, embedded in RFC-boilerplate; presumably we extracted it; treat as final",
+    "Comment": "The RFC actually contains the code, embedded in RFC-boilerplate; presumably we extracted it; treat as final, no relevant CPE or PURL found",
     "Description": "Implements the Secure Hash Algorithms SHA 384 and SHA-521",
     "License": "BSD 3-clause \"New\" or \"Revised\" License",
     "LicenseFile": "LICENSE",

src/3rdparty/sha1/qt_attribution.json

@@ -5,9 +5,11 @@
     "QtUsage": "Used in Qt Core (QCryptographicHash).",
 
     "Description": "Implements the Secure Hash Algorithms SHA 1",
+    "PURL": "pkg:generic/csha1?download_url=https://www.dominik-reichl.de/projects/csha1/",
     "Homepage": "http://www.dominik-reichl.de/projects/csha1/",
     "License": "Public Domain",
     "LicenseId": "LicenseRef-SHA1-Public-Domain",
     "Copyright": ["Copyright (C) Dominik Reichl <[email protected]>",
-    "Copyright (C) 2016 The Qt Company Ltd"]
+    "Copyright (C) 2016 The Qt Company Ltd"],
+    "Comment": "no relevant CPE found"
 }

src/3rdparty/sha3/qt_attribution.json

@@ -8,11 +8,13 @@
         "Files": "brg_endian.h",
 
         "Description": "SHA-3, originally known as Keccak, is a cryptographic hash function.",
-        "Version": "https://github.com/BrianGladman/sha/ commit 4b9e13ead2c5b5e41ca27c65de4dd69ae0bac228",
+        "Version": "4b9e13ead2c5b5e41ca27c65de4dd69ae0bac228",
+        "PURL": "pkg:github/BrianGladman/sha@4b9e13ead2c5b5e41ca27c65de4dd69ae0bac228",
         "License": "BSD 2-clause \"Simplified\" License",
         "LicenseFile": "BRG_ENDIAN_LICENSE",
         "LicenseId": "BSD-2-Clause",
-        "Copyright": "Copyright (c) 1998-2013, Brian Gladman, Worcester, UK. All rights reserved."
+        "Copyright": "Copyright (c) 1998-2013, Brian Gladman, Worcester, UK. All rights reserved.",
+        "Comment": "no relevant CPE found"
     },
     {
         "Id": "sha3_keccak",
@@ -36,10 +38,12 @@
 
         "Description": "SHA-3, originally known as Keccak, is a cryptographic hash function.",
         "Version": "3.2",
+        "PURL": "pkg:generic/[email protected]?download_url=https://keccak.team/obsolete/KeccakReferenceAndOptimized-3.2.zip",
         "License": "Creative Commons Zero v1.0 Universal",
         "LicenseId": "CC0-1.0",
         "LicenseFile": "CC0_LICENSE",
         "Copyright": "Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche.\nTo the extent possible under law, the implementers have waived all copyright
-and related or neighboring rights to the source code in this file."
+and related or neighboring rights to the source code in this file.",
+        "Comment": "no relevant CPE found"
     }
 ]

src/3rdparty/siphash/qt_attribution.json

@@ -8,12 +8,14 @@
     "Description": "Implements the SipHash algorithm.",
     "Homepage": "https://131002.net/siphash/",
     "DownloadLocation": "https://raw.githubusercontent.com/veorq/SipHash/adcbf09b1684a718f594faa650ffc56bacdb0777/siphash24.c",
+    "PURL": "pkg:github/veorq/SipHash@adcbf09b1684a718f594faa650ffc56bacdb0777",
 
     "License": "Creative Commons Zero v1.0 Universal",
     "LicenseId": "CC0-1.0",
     "Copyright": [
         "Copyright (C) 2012-2014 Jean-Philippe Aumasson",
         "Copyright (C) 2012-2014 Daniel J. Bernstein <[email protected]>",
         "Copyright (C) 2016 Intel Corporation"
-    ]
+    ],
+    "Comment": "no relevant CPE found"
 }

src/3rdparty/sqlite/qt_attribution.json

@@ -8,6 +8,8 @@
     "Description": "SQLite is a small C library that implements a self-contained, embeddable, zero-configuration SQL database engine.",
     "Homepage": "https://www.sqlite.org/",
     "Version": "3.47.0",
+    "PURL": "pkg:github/sqlite/[email protected]",
+    "CPE": "cpe:2.3:a:sqlite:sqlite:3.47.0:*:*:*:*:*:*:*",
     "DownloadLocation": "https://www.sqlite.org/2024/sqlite-amalgamation-3470000.zip",
     "License": "SQLite Blessing",
     "LicenseId": "blessing",

src/3rdparty/tinycbor/qt_attribution.json

@@ -11,6 +11,8 @@
     "LicenseId": "MIT",
     "LicenseFile": "LICENSE",
     "DownloadLocation": "https://github.com/intel/tinycbor/archive/v0.6.0/tinycbor-0.6.0.tar.gz",
+    "PURL": "pkg:github/intel/[email protected]",
+    "CPE": "cpe:2.3:a:tinycbor:tinycbor:0.6.0:*:*:*:*:*:*:*",
     "Version": "0.6.0",
     "Copyright": "Copyright (C) 2015-2021 Intel Corporation"
 }

src/3rdparty/wasm/qt_attribution.json

@@ -9,11 +9,13 @@
 
     "Homepage": "https://dejavu-fonts.github.io/",
     "Version": "2.37",
+    "PURL": "pkg:generic/[email protected]?download_url=https://dejavu-fonts.github.io/",
     "License": "Bitstream Vera Font License",
     "LicenseId": "Bitstream-Vera",
     "LicenseFile": "DEJAVU-LICENSE",
     "Copyright": ["Copyright (c) 2003 by Bitstream, Inc",
     "Copyright (c) 2006 by Tavmjong Bah",
-    "(c) American Mathematical Society"]
+    "(c) American Mathematical Society"],
+    "Comment": "no relevant CPE found"
 }
 ]

src/3rdparty/wintab/qt_attribution.json

@@ -6,7 +6,7 @@
     "Files": ["pktdef.h", "wintab.h"],
 
     "Description": "Wintab is a de facto API for pointing devices on Windows.",
-    "PackageComment": "Upstream http://www.pointing.com/Wintab.html no longer offers updates; treat as final",
+    "PackageComment": "Upstream http://www.pointing.com/Wintab.html no longer offers updates; treat as final, no relevant CPE and PURL found",
     "License": "LCS-Telegraphics License",
     "LicenseId": "LicenseRef-Lcs-Telegraphics",
     "Copyright": "Copyright 1991-1998 by LCS/Telegraphics."

src/3rdparty/xcb/qt_attribution.json

@@ -7,10 +7,12 @@
  the system, pass -no-bundled-xcb-xinput.",
     "Description": "XInput 2 extension for XCB (The X protocol C-language Binding) library.",
     "Homepage": "https://xcb.freedesktop.org/",
+    "PURL": "pkg:generic/xcb-xinput?download_url=http://xcb.freedesktop.org/",
     "License": "MIT License",
     "LicenseId": "MIT",
     "LicenseFile": "LICENSE",
     "Copyright": ["Copyright (C) 2001-2006 Bart Massey, Jamey Sharp, and Josh Triplett.",
     "Copyright (C) 2006 Peter Hutterer",
-    "Copyright (C) 2013 Daniel Martin"]
+    "Copyright (C) 2013 Daniel Martin"],
+    "Comment": "no relevant CPE found"
 }

src/3rdparty/zlib/qt_attribution.json

@@ -9,6 +9,8 @@
     "Homepage": "https://zlib.net/",
     "Version": "1.3.1",
     "DownloadLocation": "https://github.com/madler/zlib/releases/download/v1.3.1/zlib-1.3.1.tar.gz",
+    "PURL": "pkg:github/madler/[email protected]",
+    "CPE": "cpe:2.3:a:zlib:zlib:1.3.1:*:*:*:*:*:*:*",
 
     "License": "zlib License",
     "LicenseId": "Zlib",

src/corelib/kernel/qt_attribution.json

@@ -5,7 +5,7 @@
     "QtUsage": "Used in Qt Core on macOS.",
     "Files": "qeventdispatcher_cf_p.h",
 
-    "Comment": "Treat as final version; no upstream known",
+    "Comment": "Treat as final version; no upstream known, no relevant CPE and PURL found",
     "Description": "Implementation of QAbstractEventDispatcher for macOS.",
     "License": "BSD 3-clause \"New\" or \"Revised\" License",
     "LicenseId": "BSD-3-Clause",

src/corelib/mimetypes/3rdparty/qt_attribution.json

@@ -19,6 +19,8 @@
         "Version": "5101bc7fb090ed7deffe56837d7633c9485a1e5d",
         "DownloadLocation":
                 "https://github.com/apache/tika/blob/5101bc7fb090ed7deffe56837d7633c9485a1e5d/tika-core/src/main/resources/org/apache/tika/mime/tika-mimetypes.xml",
+        "PURL": "pkg:github/apache/tika@5101bc7fb090ed7deffe56837d7633c9485a1e5d#tika-core/src/main/resources/org/apache/tika/mime/tika-mimetypes.xml",
+        "CPE": "cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*",
         "License": "Apache License 2.0",
         "LicenseId": "Apache-2.0",
         "Copyright": "Copyright 2024 The Apache Software Foundation"

src/corelib/text/qt_attribution.json

@@ -4,7 +4,10 @@
     "Name": "Unicode Character Database (UCD)",
     "QDocModule": "qtcore",
     "QtUsage": "Qt Core uses data obtained from UCD files for working with characters and strings.",
-    "Comment": { "Files": "For update, see qtbase/util/unicode/README" },
+    "Comment": {
+        "Files": "For update, see qtbase/util/unicode/README",
+        "General": "no relevant CPE and PURL found"
+    },
     "Files": [ "qunicodetables_p.h", "qunicodetables.cpp" ],
 
     "Description": "The Unicode Character Database (UCD) is a set of files that
@@ -27,7 +30,10 @@
     "Name": "Unicode Common Locale Data Repository (CLDR)",
     "QDocModule": "qtcore",
     "QtUsage": "Used in Qt Core (QTimeZone, QLocale).",
-    "Comment": { "Files": "For update, see qtbase/util/locale_database/cldr2qlocalexml.py" },
+    "Comment": {
+        "Files": "For update, see qtbase/util/locale_database/cldr2qlocalexml.py",
+        "General": "no relevant CPE and PURL found"
+    },
     "Files": [ "qlocale_data_p.h",
                "../time/qtimezoneprivate_data_p.h", "../time/qhijricalendar_data_p.h",
                "../time/qjalalicalendar_data_p.h", "../time/qromancalendar_data_p.h",