From e2ba5d905380e0d194e7ff17edfb8b45046b49a9 Mon Sep 17 00:00:00 2001 From: Alexandru Croitor Date: Wed, 24 Jul 2024 17:33:17 +0200 Subject: [PATCH] CMake: Add PURL and CPE info to 3rd party attribution files The change adds CPE and PURL keys to all qt_attribution.json files in the repo. In case if no sensible CPE or PURL exists, a "Comment" field is added with the text "no relevant CPE or PURL found". If only one of them does not exist, it is written as such in the Comment field. This allows filtering for files that haven't had the information added yet vs those that were looked up but no relevant information was found. For sources that are not hosted on github, a generic PURL is used with a download_url fragment pointing either to the exact location where the sources can be downloaded, or to the homepage of the project. The generic package name was chosen based on the 'Id' key of the attribution entry where it was present, and is not authoritative. For PURL github packages, the 'git tag' name was specified into the 'version' part of the PURL, rather than the 'version number', because SBOM processing tooling handle that better than the version number. For example for the freetype package, we specify the string 'VER-2-13-3' rather than the tag name '2.13.3'. We might revisit this in the future. [ChangeLog][Third-Party Code] Added PURL and CPE information to the attribution files of 3rd party sources. Task-number: QTBUG-122899 Task-number: QTBUG-129602 Change-Id: Iad126242cafc3ea0b678c5c36b26f857039b1dbd Reviewed-by: Alexey Edelev (cherry picked from commit 36dca3c04f759449f74008a3e79021a179b0f35e) --- src/3rdparty/D3D12MemoryAllocator/qt_attribution.json | 4 +++- .../VulkanMemoryAllocator/qt_attribution.json | 4 +++- src/3rdparty/android/qt_attribution.json | 3 ++- src/3rdparty/blake2/qt_attribution.json | 2 ++ src/3rdparty/double-conversion/qt_attribution.json | 2 ++ src/3rdparty/easing/qt_attribution.json | 2 +- src/3rdparty/forkfd/qt_attribution.json | 2 +- src/3rdparty/freetype/qt_attribution.json | 6 ++++++ src/3rdparty/gradle/qt_attribution.json | 2 ++ src/3rdparty/harfbuzz-ng/qt_attribution.json | 3 ++- src/3rdparty/icc/qt_attribution.json | 3 ++- src/3rdparty/libjpeg/qt_attribution.json | 2 ++ src/3rdparty/libpng/qt_attribution.json | 2 ++ src/3rdparty/libpsl/qt_attribution.json | 7 +++++-- src/3rdparty/md4/qt_attribution.json | 2 +- src/3rdparty/md4c/qt_attribution.json | 2 ++ src/3rdparty/md5/qt_attribution.json | 2 +- src/3rdparty/pcre2/CMakeLists.txt | 2 -- src/3rdparty/pcre2/qt_attribution.json | 4 ++++ src/3rdparty/pixman/qt_attribution.json | 4 +++- src/3rdparty/rfc6234/qt_attribution.json | 2 +- src/3rdparty/sha1/qt_attribution.json | 4 +++- src/3rdparty/sha3/qt_attribution.json | 10 +++++++--- src/3rdparty/siphash/qt_attribution.json | 4 +++- src/3rdparty/sqlite/qt_attribution.json | 2 ++ src/3rdparty/tinycbor/qt_attribution.json | 2 ++ src/3rdparty/wasm/qt_attribution.json | 4 +++- src/3rdparty/wintab/qt_attribution.json | 2 +- src/3rdparty/xcb/qt_attribution.json | 4 +++- src/3rdparty/zlib/qt_attribution.json | 2 ++ src/corelib/kernel/qt_attribution.json | 2 +- src/corelib/mimetypes/3rdparty/qt_attribution.json | 2 ++ src/corelib/text/qt_attribution.json | 10 ++++++++-- src/dbus/qt_attribution.json | 4 +++- src/gui/opengl/qt_attribution.json | 8 ++++++-- src/gui/painting/qt_attribution.json | 11 ++++++++--- src/gui/rhi/qt_attribution.json | 4 +++- src/gui/text/qt_attribution.json | 4 +++- src/gui/vulkan/qt_attribution.json | 2 ++ src/plugins/platforms/cocoa/qt_attribution.json | 3 ++- src/testlib/3rdparty/catch2/qt_attribution.json | 8 ++++++-- src/testlib/3rdparty/cycle/qt_attribution.json | 4 +++- src/testlib/3rdparty/linux/qt_attribution.json | 4 +++- src/testlib/3rdparty/valgrind/qt_attribution.json | 4 +++- util/gradientgen/qt_attribution.json | 1 + 45 files changed, 127 insertions(+), 40 deletions(-) diff --git a/src/3rdparty/D3D12MemoryAllocator/qt_attribution.json b/src/3rdparty/D3D12MemoryAllocator/qt_attribution.json index 3bb1be825d2..a415b5adbc0 100644 --- a/src/3rdparty/D3D12MemoryAllocator/qt_attribution.json +++ b/src/3rdparty/D3D12MemoryAllocator/qt_attribution.json @@ -8,9 +8,11 @@ "Homepage": "https://github.com/GPUOpen-LibrariesAndSDKs/D3D12MemoryAllocator", "Version": "f128d39b7a95b4235bd228d231646278dc6c24b2", + "PURL": "pkg:github/GPUOpen-LibrariesAndSDKs/D3D12MemoryAllocator@f128d39b7a95b4235bd228d231646278dc6c24b2", "License": "MIT License", "LicenseId": "MIT", "LicenseFile": "LICENSE.txt", - "Copyright": "Copyright (c) 2019-2022 Advanced Micro Devices, Inc. All rights reserved." + "Copyright": "Copyright (c) 2019-2022 Advanced Micro Devices, Inc. All rights reserved.", + "Comment": "no relevant CPE found" } ] diff --git a/src/3rdparty/VulkanMemoryAllocator/qt_attribution.json b/src/3rdparty/VulkanMemoryAllocator/qt_attribution.json index 52581bbb7ea..32d76dcba65 100644 --- a/src/3rdparty/VulkanMemoryAllocator/qt_attribution.json +++ b/src/3rdparty/VulkanMemoryAllocator/qt_attribution.json @@ -8,9 +8,11 @@ "Homepage": "https://github.com/GPUOpen-LibrariesAndSDKs/VulkanMemoryAllocator", "Version": "3.0.1", + "PURL": "pkg:github/GPUOpen-LibrariesAndSDKs/VulkanMemoryAllocator@v3.0.1", "License": "MIT License", "LicenseId": "MIT", "LicenseFile": "LICENSE.txt", - "Copyright": "Copyright (c) 2017-2022 Advanced Micro Devices, Inc. All rights reserved." + "Copyright": "Copyright (c) 2017-2024 Advanced Micro Devices, Inc. All rights reserved.", + "Comment": "no relevant CPE found" } ] diff --git a/src/3rdparty/android/qt_attribution.json b/src/3rdparty/android/qt_attribution.json index c1f89fd8bd9..9660cb17c79 100644 --- a/src/3rdparty/android/qt_attribution.json +++ b/src/3rdparty/android/qt_attribution.json @@ -7,5 +7,6 @@ "License": "Apache License 2.0", "LicenseId": "Apache-2.0", "LicenseFile": "LICENSE", - "Copyright": "Copyright (C) 2005 The Android Open Source Project" + "Copyright": "Copyright (C) 2005 The Android Open Source Project", + "Comment": "no relevant PURL or CPE found" } diff --git a/src/3rdparty/blake2/qt_attribution.json b/src/3rdparty/blake2/qt_attribution.json index ad1116f53ea..1b79392b05f 100644 --- a/src/3rdparty/blake2/qt_attribution.json +++ b/src/3rdparty/blake2/qt_attribution.json @@ -9,6 +9,8 @@ "Homepage": "https://blake2.net/", "Version": "54f4faa4c16ea34bcd59d16e8da46a64b259fc07", "DownloadLocation": "https://github.com/BLAKE2/BLAKE2/tree/54f4faa4c16ea34bcd59d16e8da46a64b259fc07", + "PURL": "pkg:github/BLAKE2/BLAKE2@54f4faa4c16ea34bcd59d16e8da46a64b259fc07", + "CPE": "cpe:2.3:a:blake2:blake2:*:*:*:*:*:*:*:*", "License": "Creative Commons Zero v1.0 Universal or Apache License 2.0", "LicenseId": "CC0-1.0 OR Apache-2.0", "LicenseFile": "COPYING", diff --git a/src/3rdparty/double-conversion/qt_attribution.json b/src/3rdparty/double-conversion/qt_attribution.json index 4166ccef322..c374d5ac4bc 100644 --- a/src/3rdparty/double-conversion/qt_attribution.json +++ b/src/3rdparty/double-conversion/qt_attribution.json @@ -7,6 +7,8 @@ "Homepage": "https://github.com/google/double-conversion", "Version": "3.3.0", "DownloadLocation": "https://github.com/google/double-conversion/releases/tag/v3.3.0", + "PURL": "pkg:github/google/double-conversion@v3.3.0", + "CPE": "cpe:2.3:a:google:double-conversion:3.3.0:*:*:*:*:*:*:*", "License": "BSD 3-clause \"New\" or \"Revised\" License", "LicenseId": "BSD-3-Clause", "LicenseFile": "LICENSE", diff --git a/src/3rdparty/easing/qt_attribution.json b/src/3rdparty/easing/qt_attribution.json index 1535efa585a..154d7a06038 100644 --- a/src/3rdparty/easing/qt_attribution.json +++ b/src/3rdparty/easing/qt_attribution.json @@ -5,7 +5,7 @@ "QtUsage": "Used in Qt Core (QEasingCurve).", "Files": "easing.cpp", - "Comment": "treat as final", + "Comment": "treat as final, no relevant PURL or CPE found", "Homepage": "http://robertpenner.com/easing/", "License": "BSD 3-clause \"New\" or \"Revised\" License", "LicenseId": "BSD-3-Clause", diff --git a/src/3rdparty/forkfd/qt_attribution.json b/src/3rdparty/forkfd/qt_attribution.json index 1b847791331..6ba54c18cb6 100644 --- a/src/3rdparty/forkfd/qt_attribution.json +++ b/src/3rdparty/forkfd/qt_attribution.json @@ -3,7 +3,7 @@ "Name": "forkfd", "QDocModule": "qtcore", "QtUsage": "Used on most Unix platforms in Qt Core.", - "Comment": "No upstream; treat as final", + "Comment": "No upstream; treat as final, no relevant PURL or CPE found", "Files": [ "forkfd.c", "forkfd.h", "forkfd_gcc.h" ], "License": "MIT License", diff --git a/src/3rdparty/freetype/qt_attribution.json b/src/3rdparty/freetype/qt_attribution.json index 6dd4bf1575a..26c7137251f 100644 --- a/src/3rdparty/freetype/qt_attribution.json +++ b/src/3rdparty/freetype/qt_attribution.json @@ -10,6 +10,12 @@ "Homepage": "http://www.freetype.org", "Version": "2.13.3", "DownloadLocation": "https://download.savannah.gnu.org/releases/freetype/freetype-2.13.3.tar.gz", + "PURL": [ + "pkg:github/freetype/freetype@VER-2-13-3" + ], + "CPE": [ + "cpe:2.3:a:freetype:freetype:2.13:3:*:*:*:*:*:*" + ], "License": "Freetype Project License or GNU General Public License v2.0 only", "LicenseId": "FTL OR GPL-2.0-only", diff --git a/src/3rdparty/gradle/qt_attribution.json b/src/3rdparty/gradle/qt_attribution.json index 26e39eab5b3..7c102945bed 100644 --- a/src/3rdparty/gradle/qt_attribution.json +++ b/src/3rdparty/gradle/qt_attribution.json @@ -6,6 +6,8 @@ "Homepage": "https://gradle.org", "Version": "8.10", "DownloadLocation": "https://github.com/gradle/gradle/releases/tag/v8.10.0", + "PURL": "pkg:github/gradle/gradle@v8.10.0", + "CPE": "cpe:2.3:a:gradle:gradle:8.10.0:*:*:*:*:*:*:*", "QtUsage": "Needed to create Android packages", "License": "Apache License 2.0", "LicenseId": "Apache-2.0", diff --git a/src/3rdparty/harfbuzz-ng/qt_attribution.json b/src/3rdparty/harfbuzz-ng/qt_attribution.json index b338da6bfeb..82f133443be 100644 --- a/src/3rdparty/harfbuzz-ng/qt_attribution.json +++ b/src/3rdparty/harfbuzz-ng/qt_attribution.json @@ -9,7 +9,8 @@ "Homepage": "http://harfbuzz.org", "Version": "10.1.0", "DownloadLocation": "https://github.com/harfbuzz/harfbuzz/releases/tag/10.1.0", - + "PURL": "pkg:github/harfbuzz/harfbuzz@10.1.0", + "CPE": "cpe:2.3:a:harfbuzz_project:harfbuzz:10.1.0:*:*:*:*:*:*:*", "License": "MIT License", "LicenseId": "MIT", "LicenseFile": "COPYING", diff --git a/src/3rdparty/icc/qt_attribution.json b/src/3rdparty/icc/qt_attribution.json index d2e68076714..3e46223fb59 100644 --- a/src/3rdparty/icc/qt_attribution.json +++ b/src/3rdparty/icc/qt_attribution.json @@ -6,9 +6,10 @@ "QtUsage": "Used in Qt Gui (Embedded into PDF/A-1b files generated by QPrinter/QPdfWriter).", "Files": "sRGB2014.icc", - "Comment": "No upstream: treat as final", + "Comment": "No upstream: treat as final, no relevant CPE found", "Description": "An ICC color profile for PDF/A-1b compatible PDF files.", "Homepage": "http://www.color.org/", + "PURL": "pkg:generic/icc-sRGB-color-profile?download_url=http://www.color.org/", "LicenseId": "LicenseRef-ICC-License", "License": "International Color Consortium License", "LicenseFile": "LICENSE.txt", diff --git a/src/3rdparty/libjpeg/qt_attribution.json b/src/3rdparty/libjpeg/qt_attribution.json index bff272dec99..b65fc7fb60c 100644 --- a/src/3rdparty/libjpeg/qt_attribution.json +++ b/src/3rdparty/libjpeg/qt_attribution.json @@ -9,6 +9,8 @@ "Homepage": "http://libjpeg-turbo.virtualgl.org/", "Version": "3.0.4", "DownloadLocation": "https://github.com/libjpeg-turbo/libjpeg-turbo/releases/download/3.0.4/libjpeg-turbo-3.0.4.tar.gz", + "PURL": "pkg:github/libjpeg-turbo/libjpeg-turbo@3.0.4", + "CPE": "cpe:2.3:a:libjpeg-turbo:libjpeg-turbo:3.0.4:*:*:*:*:*:*:*", "License": "Independent JPEG Group License and BSD 3-Clause \"New\" or \"Revised\" License", "LicenseId": "IJG AND BSD-3-Clause", diff --git a/src/3rdparty/libpng/qt_attribution.json b/src/3rdparty/libpng/qt_attribution.json index 58b110e8e97..6d9995381ce 100644 --- a/src/3rdparty/libpng/qt_attribution.json +++ b/src/3rdparty/libpng/qt_attribution.json @@ -9,6 +9,8 @@ "Homepage": "http://www.libpng.org/pub/png/libpng.html", "Version": "1.6.44", "DownloadLocation": "https://download.sourceforge.net/libpng/libpng-1.6.44.tar.xz", + "PURL": "pkg:github/pnggroup/libpng@v1.6.44", + "CPE": "cpe:2.3:a:libpng:libpng:1.6.44:*:*:*:*:*:*:*", "License": "libpng License and PNG Reference Library version 2", "LicenseId": "Libpng AND libpng-2.0", diff --git a/src/3rdparty/libpsl/qt_attribution.json b/src/3rdparty/libpsl/qt_attribution.json index cb5ad65a4db..02d42edbc12 100644 --- a/src/3rdparty/libpsl/qt_attribution.json +++ b/src/3rdparty/libpsl/qt_attribution.json @@ -19,9 +19,10 @@ supported by Qt (by the QNetworkCookieJar class).", "Comment": "Consult https://github.com/publicsuffix/list for the sha1 but download from ...", "Homepage": "http://publicsuffix.org/", - "Comment": "Suggested update schedule: twice per year (before a 6.x.0 release)", + "Comment": "Suggested update schedule: twice per year (before a 6.x.0 release), no relevant CPE found", "Version": "903a83ff7bfc3148e3692e09396f9f3bdc9462ef, fetched on 2024-06-05", "DownloadLocation": "https://publicsuffix.org/list/public_suffix_list.dat", + "PURL": "pkg:generic/psl-data@903a83ff7bfc3148e3692e09396f9f3bdc9462ef?download_url=https://publicsuffix.org/list/public_suffix_list.dat", "License": "Mozilla Public License 2.0", "LicenseFile": "PSL-LICENSE.txt", @@ -38,9 +39,11 @@ supported by Qt (by the QNetworkCookieJar class).", to lookup entries in it.", "Homepage": "https://github.com/rockdaboot/libpsl", "Version": "664f3dc85259ec65e30248a61fa1c45b7b0e4c3f", + "PURL": "pkg:github/rockdaboot/libpsl@664f3dc85259ec65e30248a61fa1c45b7b0e4c3f", "License": "BSD 3-clause \"New\" or \"Revised\" License", "LicenseFile": "src/LICENSE.chromium", "LicenseId": "BSD-3-Clause", - "Copyright": "Copyright 2014-2016 The Chromium Authors. All rights reserved." + "Copyright": "Copyright 2014-2016 The Chromium Authors. All rights reserved.", + "Comment": "no relevant CPE found" } ] diff --git a/src/3rdparty/md4/qt_attribution.json b/src/3rdparty/md4/qt_attribution.json index f61d6b97c86..757c7996ab7 100644 --- a/src/3rdparty/md4/qt_attribution.json +++ b/src/3rdparty/md4/qt_attribution.json @@ -4,7 +4,7 @@ "QDocModule": "qtcore", "QtUsage": "Used in Qt Core (QCryptographicHash).", - "Comment": "Treat as final version; no upstream known", + "Comment": "Treat as final version; no upstream known, no relevant CPE or PURL found", "Description": "An OpenSSL-compatible implementation of the RSA Data Security, Inc. MD4 Message-Digest Algorithm.", "License": "Public Domain", "LicenseId": "CC0-1.0", diff --git a/src/3rdparty/md4c/qt_attribution.json b/src/3rdparty/md4c/qt_attribution.json index db53e2d12e1..59578e2eecf 100644 --- a/src/3rdparty/md4c/qt_attribution.json +++ b/src/3rdparty/md4c/qt_attribution.json @@ -12,5 +12,7 @@ "LicenseFile": "LICENSE.md", "Version": "0.5.2", "DownloadLocation": "https://github.com/mity/md4c/releases/tag/release-0.5.2", + "PURL": "pkg:github/mity/md4c@release-0.5.2", + "CPE": "cpe:2.3:a:md4c_project:md4c:0.5.2:*:*:*:*:*:*:*", "Copyright": "Copyright © 2016-2024 Martin Mitáš" } diff --git a/src/3rdparty/md5/qt_attribution.json b/src/3rdparty/md5/qt_attribution.json index 22165a6a0db..0c2f5feda8a 100644 --- a/src/3rdparty/md5/qt_attribution.json +++ b/src/3rdparty/md5/qt_attribution.json @@ -4,7 +4,7 @@ "QDocModule": "qtcore", "QtUsage": "Used in Qt Core (QCryptographicHash).", - "Comment": "Treat as final version; no upstream known", + "Comment": "Treat as final version; no upstream known, no relevant CPE or PURL found", "Description": "MD5 message-digest algorithm.", "License": "Public Domain", "LicenseId": "CC0-1.0", diff --git a/src/3rdparty/pcre2/CMakeLists.txt b/src/3rdparty/pcre2/CMakeLists.txt index ec549515d28..22b90a57e1a 100644 --- a/src/3rdparty/pcre2/CMakeLists.txt +++ b/src/3rdparty/pcre2/CMakeLists.txt @@ -45,8 +45,6 @@ qt_internal_add_3rdparty_library(BundledPcre2 PCRE2_CODE_UNIT_WIDTH=16 PUBLIC_INCLUDE_DIRECTORIES $ - CPE_VENDOR "pcre" - CPE_PRODUCT "pcre2" ) qt_disable_warnings(BundledPcre2) qt_set_symbol_visibility_hidden(BundledPcre2) diff --git a/src/3rdparty/pcre2/qt_attribution.json b/src/3rdparty/pcre2/qt_attribution.json index d9dc1ae6976..9ac498650c3 100644 --- a/src/3rdparty/pcre2/qt_attribution.json +++ b/src/3rdparty/pcre2/qt_attribution.json @@ -10,6 +10,8 @@ "Homepage": "http://www.pcre.org/", "Version": "10.44", "DownloadLocation": "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.44/pcre2-10.44.tar.bz2", + "PURL": "pkg:github/PCRE2Project/pcre2@pcre2-10.44", + "CPE": "cpe:2.3:a:pcre:pcre2:10.44:*:*:*:*:*:*:*", "License": "BSD 3-clause \"New\" or \"Revised\" License with PCRE2 binary-like Packages Exception", "LicenseId": "LicenseRef-BSD-3-Clause-with-PCRE2-Binary-Like-Packages-Exception", "LicenseFile": "LICENCE", @@ -27,6 +29,8 @@ "Homepage": "http://www.pcre.org/", "Version": "10.44", "DownloadLocation": "https://github.com/PCRE2Project/pcre2/releases/download/pcre2-10.44/pcre2-10.44.tar.bz2", + "PURL": "pkg:github/PCRE2Project/pcre2@10.44", + "CPE": "cpe:2.3:a:pcre:pcre2:10.44:*:*:*:*:*:*:*", "License": "BSD 2-clause \"Simplified\" License", "LicenseId": "BSD-2-Clause", "LicenseFile": "LICENCE-SLJIT", diff --git a/src/3rdparty/pixman/qt_attribution.json b/src/3rdparty/pixman/qt_attribution.json index 1268b2e22f4..8fe97b4199c 100644 --- a/src/3rdparty/pixman/qt_attribution.json +++ b/src/3rdparty/pixman/qt_attribution.json @@ -7,8 +7,10 @@ "Description": "pixman is a library that provides low-level pixel manipulation features such as image compositing and trapezoid rasterization.", "Homepage": "http://www.pixman.org/", "Version": "0.17.12", + "PURL": "pkg:generic/pixman@0.17.12?download_url=http://www.pixman.org/", "License": "MIT License", "LicenseFile": "LICENSE", "LicenseId": "MIT", - "Copyright": "Copyright © 2009 Nokia Corporation" + "Copyright": "Copyright © 2009 Nokia Corporation", + "Comment": "no relevant CPE found" } diff --git a/src/3rdparty/rfc6234/qt_attribution.json b/src/3rdparty/rfc6234/qt_attribution.json index 3876dc00b41..282590da0ba 100644 --- a/src/3rdparty/rfc6234/qt_attribution.json +++ b/src/3rdparty/rfc6234/qt_attribution.json @@ -4,7 +4,7 @@ "QDocModule": "qtcore", "QtUsage": "Used in Qt Core (QCryptographicHash and QMessageAuthenticationCode)", - "Comment": "The RFC actually contains the code, embedded in RFC-boilerplate; presumably we extracted it; treat as final", + "Comment": "The RFC actually contains the code, embedded in RFC-boilerplate; presumably we extracted it; treat as final, no relevant CPE or PURL found", "Description": "Implements the Secure Hash Algorithms SHA 384 and SHA-521", "License": "BSD 3-clause \"New\" or \"Revised\" License", "LicenseFile": "LICENSE", diff --git a/src/3rdparty/sha1/qt_attribution.json b/src/3rdparty/sha1/qt_attribution.json index 4530add814e..04933a27005 100644 --- a/src/3rdparty/sha1/qt_attribution.json +++ b/src/3rdparty/sha1/qt_attribution.json @@ -5,9 +5,11 @@ "QtUsage": "Used in Qt Core (QCryptographicHash).", "Description": "Implements the Secure Hash Algorithms SHA 1", + "PURL": "pkg:generic/csha1?download_url=https://www.dominik-reichl.de/projects/csha1/", "Homepage": "http://www.dominik-reichl.de/projects/csha1/", "License": "Public Domain", "LicenseId": "LicenseRef-SHA1-Public-Domain", "Copyright": ["Copyright (C) Dominik Reichl ", - "Copyright (C) 2016 The Qt Company Ltd"] + "Copyright (C) 2016 The Qt Company Ltd"], + "Comment": "no relevant CPE found" } diff --git a/src/3rdparty/sha3/qt_attribution.json b/src/3rdparty/sha3/qt_attribution.json index 1bd974144ba..c91e88affb6 100644 --- a/src/3rdparty/sha3/qt_attribution.json +++ b/src/3rdparty/sha3/qt_attribution.json @@ -8,11 +8,13 @@ "Files": "brg_endian.h", "Description": "SHA-3, originally known as Keccak, is a cryptographic hash function.", - "Version": "https://github.com/BrianGladman/sha/ commit 4b9e13ead2c5b5e41ca27c65de4dd69ae0bac228", + "Version": "4b9e13ead2c5b5e41ca27c65de4dd69ae0bac228", + "PURL": "pkg:github/BrianGladman/sha@4b9e13ead2c5b5e41ca27c65de4dd69ae0bac228", "License": "BSD 2-clause \"Simplified\" License", "LicenseFile": "BRG_ENDIAN_LICENSE", "LicenseId": "BSD-2-Clause", - "Copyright": "Copyright (c) 1998-2013, Brian Gladman, Worcester, UK. All rights reserved." + "Copyright": "Copyright (c) 1998-2013, Brian Gladman, Worcester, UK. All rights reserved.", + "Comment": "no relevant CPE found" }, { "Id": "sha3_keccak", @@ -36,10 +38,12 @@ "Description": "SHA-3, originally known as Keccak, is a cryptographic hash function.", "Version": "3.2", + "PURL": "pkg:generic/sha3_keccak@3.2?download_url=https://keccak.team/obsolete/KeccakReferenceAndOptimized-3.2.zip", "License": "Creative Commons Zero v1.0 Universal", "LicenseId": "CC0-1.0", "LicenseFile": "CC0_LICENSE", "Copyright": "Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche.\nTo the extent possible under law, the implementers have waived all copyright -and related or neighboring rights to the source code in this file." +and related or neighboring rights to the source code in this file.", + "Comment": "no relevant CPE found" } ] diff --git a/src/3rdparty/siphash/qt_attribution.json b/src/3rdparty/siphash/qt_attribution.json index 9c74513e499..1687742f03f 100644 --- a/src/3rdparty/siphash/qt_attribution.json +++ b/src/3rdparty/siphash/qt_attribution.json @@ -8,6 +8,7 @@ "Description": "Implements the SipHash algorithm.", "Homepage": "https://131002.net/siphash/", "DownloadLocation": "https://raw.githubusercontent.com/veorq/SipHash/adcbf09b1684a718f594faa650ffc56bacdb0777/siphash24.c", + "PURL": "pkg:github/veorq/SipHash@adcbf09b1684a718f594faa650ffc56bacdb0777", "License": "Creative Commons Zero v1.0 Universal", "LicenseId": "CC0-1.0", @@ -15,5 +16,6 @@ "Copyright (C) 2012-2014 Jean-Philippe Aumasson", "Copyright (C) 2012-2014 Daniel J. Bernstein ", "Copyright (C) 2016 Intel Corporation" - ] + ], + "Comment": "no relevant CPE found" } diff --git a/src/3rdparty/sqlite/qt_attribution.json b/src/3rdparty/sqlite/qt_attribution.json index 0d2b2da5761..a09b7f461e9 100644 --- a/src/3rdparty/sqlite/qt_attribution.json +++ b/src/3rdparty/sqlite/qt_attribution.json @@ -8,6 +8,8 @@ "Description": "SQLite is a small C library that implements a self-contained, embeddable, zero-configuration SQL database engine.", "Homepage": "https://www.sqlite.org/", "Version": "3.47.0", + "PURL": "pkg:github/sqlite/sqlite@version-3.47.0", + "CPE": "cpe:2.3:a:sqlite:sqlite:3.47.0:*:*:*:*:*:*:*", "DownloadLocation": "https://www.sqlite.org/2024/sqlite-amalgamation-3470000.zip", "License": "SQLite Blessing", "LicenseId": "blessing", diff --git a/src/3rdparty/tinycbor/qt_attribution.json b/src/3rdparty/tinycbor/qt_attribution.json index b19c57904b4..9bebd487615 100644 --- a/src/3rdparty/tinycbor/qt_attribution.json +++ b/src/3rdparty/tinycbor/qt_attribution.json @@ -11,6 +11,8 @@ "LicenseId": "MIT", "LicenseFile": "LICENSE", "DownloadLocation": "https://github.com/intel/tinycbor/archive/v0.6.0/tinycbor-0.6.0.tar.gz", + "PURL": "pkg:github/intel/tinycbor@v0.6.0", + "CPE": "cpe:2.3:a:tinycbor:tinycbor:0.6.0:*:*:*:*:*:*:*", "Version": "0.6.0", "Copyright": "Copyright (C) 2015-2021 Intel Corporation" } diff --git a/src/3rdparty/wasm/qt_attribution.json b/src/3rdparty/wasm/qt_attribution.json index 8cf67cefb7b..7d5015eb9a1 100644 --- a/src/3rdparty/wasm/qt_attribution.json +++ b/src/3rdparty/wasm/qt_attribution.json @@ -9,11 +9,13 @@ "Homepage": "https://dejavu-fonts.github.io/", "Version": "2.37", + "PURL": "pkg:generic/dejayvu@2.37?download_url=https://dejavu-fonts.github.io/", "License": "Bitstream Vera Font License", "LicenseId": "Bitstream-Vera", "LicenseFile": "DEJAVU-LICENSE", "Copyright": ["Copyright (c) 2003 by Bitstream, Inc", "Copyright (c) 2006 by Tavmjong Bah", - "(c) American Mathematical Society"] + "(c) American Mathematical Society"], + "Comment": "no relevant CPE found" } ] diff --git a/src/3rdparty/wintab/qt_attribution.json b/src/3rdparty/wintab/qt_attribution.json index 82670f8fa2f..6c3a0ef6fe6 100644 --- a/src/3rdparty/wintab/qt_attribution.json +++ b/src/3rdparty/wintab/qt_attribution.json @@ -6,7 +6,7 @@ "Files": ["pktdef.h", "wintab.h"], "Description": "Wintab is a de facto API for pointing devices on Windows.", - "PackageComment": "Upstream http://www.pointing.com/Wintab.html no longer offers updates; treat as final", + "PackageComment": "Upstream http://www.pointing.com/Wintab.html no longer offers updates; treat as final, no relevant CPE and PURL found", "License": "LCS-Telegraphics License", "LicenseId": "LicenseRef-Lcs-Telegraphics", "Copyright": "Copyright 1991-1998 by LCS/Telegraphics." diff --git a/src/3rdparty/xcb/qt_attribution.json b/src/3rdparty/xcb/qt_attribution.json index dce3977905c..26dc030a3ee 100644 --- a/src/3rdparty/xcb/qt_attribution.json +++ b/src/3rdparty/xcb/qt_attribution.json @@ -7,10 +7,12 @@ the system, pass -no-bundled-xcb-xinput.", "Description": "XInput 2 extension for XCB (The X protocol C-language Binding) library.", "Homepage": "https://xcb.freedesktop.org/", + "PURL": "pkg:generic/xcb-xinput?download_url=http://xcb.freedesktop.org/", "License": "MIT License", "LicenseId": "MIT", "LicenseFile": "LICENSE", "Copyright": ["Copyright (C) 2001-2006 Bart Massey, Jamey Sharp, and Josh Triplett.", "Copyright (C) 2006 Peter Hutterer", - "Copyright (C) 2013 Daniel Martin"] + "Copyright (C) 2013 Daniel Martin"], + "Comment": "no relevant CPE found" } diff --git a/src/3rdparty/zlib/qt_attribution.json b/src/3rdparty/zlib/qt_attribution.json index 88ed202db14..c4ed4de2ddd 100644 --- a/src/3rdparty/zlib/qt_attribution.json +++ b/src/3rdparty/zlib/qt_attribution.json @@ -9,6 +9,8 @@ "Homepage": "https://zlib.net/", "Version": "1.3.1", "DownloadLocation": "https://github.com/madler/zlib/releases/download/v1.3.1/zlib-1.3.1.tar.gz", + "PURL": "pkg:github/madler/zlib@v1.3.1", + "CPE": "cpe:2.3:a:zlib:zlib:1.3.1:*:*:*:*:*:*:*", "License": "zlib License", "LicenseId": "Zlib", diff --git a/src/corelib/kernel/qt_attribution.json b/src/corelib/kernel/qt_attribution.json index 86ca3a26640..32292460115 100644 --- a/src/corelib/kernel/qt_attribution.json +++ b/src/corelib/kernel/qt_attribution.json @@ -5,7 +5,7 @@ "QtUsage": "Used in Qt Core on macOS.", "Files": "qeventdispatcher_cf_p.h", - "Comment": "Treat as final version; no upstream known", + "Comment": "Treat as final version; no upstream known, no relevant CPE and PURL found", "Description": "Implementation of QAbstractEventDispatcher for macOS.", "License": "BSD 3-clause \"New\" or \"Revised\" License", "LicenseId": "BSD-3-Clause", diff --git a/src/corelib/mimetypes/3rdparty/qt_attribution.json b/src/corelib/mimetypes/3rdparty/qt_attribution.json index 0efdf1b46c3..bb9828595d6 100644 --- a/src/corelib/mimetypes/3rdparty/qt_attribution.json +++ b/src/corelib/mimetypes/3rdparty/qt_attribution.json @@ -19,6 +19,8 @@ "Version": "5101bc7fb090ed7deffe56837d7633c9485a1e5d", "DownloadLocation": "https://github.com/apache/tika/blob/5101bc7fb090ed7deffe56837d7633c9485a1e5d/tika-core/src/main/resources/org/apache/tika/mime/tika-mimetypes.xml", + "PURL": "pkg:github/apache/tika@5101bc7fb090ed7deffe56837d7633c9485a1e5d#tika-core/src/main/resources/org/apache/tika/mime/tika-mimetypes.xml", + "CPE": "cpe:2.3:a:apache:tika:*:*:*:*:*:*:*:*", "License": "Apache License 2.0", "LicenseId": "Apache-2.0", "Copyright": "Copyright 2024 The Apache Software Foundation" diff --git a/src/corelib/text/qt_attribution.json b/src/corelib/text/qt_attribution.json index 55d8e872cb0..c08aa915e5a 100644 --- a/src/corelib/text/qt_attribution.json +++ b/src/corelib/text/qt_attribution.json @@ -4,7 +4,10 @@ "Name": "Unicode Character Database (UCD)", "QDocModule": "qtcore", "QtUsage": "Qt Core uses data obtained from UCD files for working with characters and strings.", - "Comment": { "Files": "For update, see qtbase/util/unicode/README" }, + "Comment": { + "Files": "For update, see qtbase/util/unicode/README", + "General": "no relevant CPE and PURL found" + }, "Files": [ "qunicodetables_p.h", "qunicodetables.cpp" ], "Description": "The Unicode Character Database (UCD) is a set of files that @@ -27,7 +30,10 @@ "Name": "Unicode Common Locale Data Repository (CLDR)", "QDocModule": "qtcore", "QtUsage": "Used in Qt Core (QTimeZone, QLocale).", - "Comment": { "Files": "For update, see qtbase/util/locale_database/cldr2qlocalexml.py" }, + "Comment": { + "Files": "For update, see qtbase/util/locale_database/cldr2qlocalexml.py", + "General": "no relevant CPE and PURL found" + }, "Files": [ "qlocale_data_p.h", "../time/qtimezoneprivate_data_p.h", "../time/qhijricalendar_data_p.h", "../time/qjalalicalendar_data_p.h", "../time/qromancalendar_data_p.h", diff --git a/src/dbus/qt_attribution.json b/src/dbus/qt_attribution.json index a4c4446862f..ee565760f11 100644 --- a/src/dbus/qt_attribution.json +++ b/src/dbus/qt_attribution.json @@ -8,11 +8,13 @@ "Homepage": "https://www.freedesktop.org/wiki/Software/dbus/", "Version": "Minimal supported is 1.2, compatible up to ...", "Version": "dbus-1.13.12", + "PURL": "pkg:github/d-bus/dbus@dbus-1.13.12", "LicenseId": "AFL-2.1 OR GPL-2.0-or-later", "License": "Academic Free License v2.1, or GNU General Public License v2.0 or later", "LicenseFile": "LIBDBUS-1-LICENSE.txt", "Comment": "Fragments from various upstream files, see comments in ...", "Files": "dbus_minimal_p.h", "Copyright": ["Copyright (C) 2002, 2003 CodeFactory AB", - "Copyright (C) 2004, 2005 Red Hat, Inc."] + "Copyright (C) 2004, 2005 Red Hat, Inc."], + "Comment": "no relevant CPE found" } diff --git a/src/gui/opengl/qt_attribution.json b/src/gui/opengl/qt_attribution.json index 44310980e2a..64fdd22cf4e 100644 --- a/src/gui/opengl/qt_attribution.json +++ b/src/gui/opengl/qt_attribution.json @@ -9,10 +9,12 @@ "Homepage": "https://www.khronos.org/", "Version": "Revision 27684", + "PURL": "pkg:generic/khronos-opengl-headers?download_url=https://www.khronos.org/?revision=27684", "License": "MIT License", "LicenseId": "MIT", "LicenseFile": "KHRONOS_LICENSE.txt", - "Copyright": "Copyright (c) 2013-2014 The Khronos Group Inc." + "Copyright": "Copyright (c) 2013-2014 The Khronos Group Inc.", + "Comment": "no relevant CPE found" }, { "Id": "opengl-es2-headers", @@ -24,9 +26,11 @@ "Homepage": "https://www.khronos.org/", "Version": "Revision 27673", + "PURL": "pkg:generic/khronos-opengl-es2-headers?download_url=https://www.khronos.org/?revision=27673", "License": "MIT License", "LicenseId": "MIT", "LicenseFile": "KHRONOS_LICENSE.txt", - "Copyright": "Copyright (c) 2013-2014 The Khronos Group Inc." + "Copyright": "Copyright (c) 2013-2014 The Khronos Group Inc.", + "Comment": "no relevant CPE found" } ] diff --git a/src/gui/painting/qt_attribution.json b/src/gui/painting/qt_attribution.json index 33ed2fd5c7b..74ab387133d 100644 --- a/src/gui/painting/qt_attribution.json +++ b/src/gui/painting/qt_attribution.json @@ -8,10 +8,12 @@ "Description": "FreeType is a freely available software library to render fonts.", "Homepage": "http://www.freetype.org", + "PURL": "pkg:generic/freetype-grayraster?download_url=https://www.freetype.org/", "License": "Freetype Project License or GNU General Public License v2.0 only", "LicenseId": "FTL OR GPL-2.0-only", "LicenseFile": "../../3rdparty/freetype/LICENSE.txt", - "Copyright": "Copyright 2000-2016 by David Turner, Robert Wilhelm, and Werner Lemberg." + "Copyright": "Copyright 2000-2016 by David Turner, Robert Wilhelm, and Werner Lemberg.", + "Comment": "no relevant CPE found" }, { "Id": "smooth-scaling-algorithm", @@ -26,7 +28,8 @@ "LicenseFile": "QIMAGETRANSFORM_LICENSE.txt", "Copyright": ["Copyright (C) 2004, 2005 Daniel M. Duley.", "(C) Carsten Haitzler and various contributors.", - "(C) Willem Monsuwe "] + "(C) Willem Monsuwe "], + "Comment": "no relevant CPE or PURL found" }, { "Id": "xserverhelper", @@ -37,10 +40,12 @@ "Description": "Code from X11's region.h, Region.c, poly.h, and PolyReg.c", "Homepage": "https://www.x.org/", + "PURL": "pkg:generic/xserverhelper?download_url=https://www.x.org/", "License": "X11 License and Historical Permission Notice and Disclaimer", "LicenseId": "X11 AND HPND", "LicenseFile": "XCONSORTIUM_LICENSE.txt", "Copyright": ["Copyright (c) 1987, 1988 X Consortium", - "Copyright 1987, 1988 by Digital Equipment Corporation, Maynard, Massachusetts."] + "Copyright 1987, 1988 by Digital Equipment Corporation, Maynard, Massachusetts."], + "Comment": "no relevant CPE found" } ] diff --git a/src/gui/rhi/qt_attribution.json b/src/gui/rhi/qt_attribution.json index e9329d41582..4e3a4ff3589 100644 --- a/src/gui/rhi/qt_attribution.json +++ b/src/gui/rhi/qt_attribution.json @@ -9,9 +9,11 @@ "Homepage": "https://github.com/microsoft/DirectX-Graphics-Samples", "Version": "0aa79bad78992da0b6a8279ddb9002c1753cb849", + "PURL": "pkg:github/microsoft/DirectX-Graphics-Samples@0aa79bad78992da0b6a8279ddb9002c1753cb849", "License": "MIT License", "LicenseId": "MIT", "LicenseFile": "MiniEngine_LICENSE.txt", - "Copyright": "Copyright (c) 2015 Microsoft" + "Copyright": "Copyright (c) 2015 Microsoft", + "Comment": "no relevant CPE found" } ] diff --git a/src/gui/text/qt_attribution.json b/src/gui/text/qt_attribution.json index f4998da6ea8..822dbdb953b 100644 --- a/src/gui/text/qt_attribution.json +++ b/src/gui/text/qt_attribution.json @@ -9,9 +9,11 @@ "Homepage": "https://github.com/adobe-type-tools/agl-aglfn", "Version": "1.7", + "PURL": "pkg:github/adobe-type-tools/agl-aglfn@1.7", "License": "BSD 3-Clause \"New\" or \"Revised\" License", "LicenseId": "BSD-3-Clause", "LicenseFile": "AGLFN_LICENSE.txt", - "Copyright": "Copyright 2002, 2003, 2005, 2006, 2008, 2010, 2015 Adobe Systems" + "Copyright": "Copyright 2002, 2003, 2005, 2006, 2008, 2010, 2015 Adobe Systems", + "Comment": "no relevant CPE found" } ] diff --git a/src/gui/vulkan/qt_attribution.json b/src/gui/vulkan/qt_attribution.json index b49e59954d2..375fcdb10ce 100644 --- a/src/gui/vulkan/qt_attribution.json +++ b/src/gui/vulkan/qt_attribution.json @@ -8,6 +8,8 @@ "Files": "vk.xml", "Homepage": "https://www.khronos.org/", + "PURL": "pkg:github/KhronosGroup/Vulkan-Docs@v1.3.223?download_url=https://github.com/KhronosGroup/Vulkan-Docs/blob/v1.3.223/xml/vk.xml", + "CPE": "cpe:2.3:a:khronos:vulkan:1.3.223:*:*:*:*:*:*:*", "Version": "1.3.223", "License": "Apache License 2.0 or MIT License", "LicenseId": "Apache-2.0 OR MIT", diff --git a/src/plugins/platforms/cocoa/qt_attribution.json b/src/plugins/platforms/cocoa/qt_attribution.json index 1da0d7e3708..615f24d0381 100644 --- a/src/plugins/platforms/cocoa/qt_attribution.json +++ b/src/plugins/platforms/cocoa/qt_attribution.json @@ -9,5 +9,6 @@ "LicenseId": "BSD-3-Clause", "License": "BSD 3-clause \"New\" or \"Revised\" License", "LicenseFile": "COCOA_LICENSE.txt", - "Copyright": "Copyright (c) 2007-2008, Apple, Inc." + "Copyright": "Copyright (c) 2007-2008, Apple, Inc.", + "Comment": "no relevant CPE or PURL found" } diff --git a/src/testlib/3rdparty/catch2/qt_attribution.json b/src/testlib/3rdparty/catch2/qt_attribution.json index 7c3b1618d79..8bac8bc2bb8 100644 --- a/src/testlib/3rdparty/catch2/qt_attribution.json +++ b/src/testlib/3rdparty/catch2/qt_attribution.json @@ -4,13 +4,17 @@ "Name": "Catch2", "QDocModule": "qttestlib", "QtUsage": "Used for testing of the Qt Test module.", - "Comment": { "UpstreamFile": "single_include/catch2/catch.hpp", - "Generator": "scripts/generateSingleHeader.py" }, + "Comment": { + "UpstreamFile": "single_include/catch2/catch.hpp", + "Generator": "scripts/generateSingleHeader.py", + "General": "no relevant CPE found" + }, "Files": "catch_p.h", "Description": "Catch2 is a multi-paradigm test framework for C++.", "Homepage": "https://github.com/catchorg/Catch2", "Version": "2.13.10", + "PURL": "pkg:github/catchorg/Catch2@v2.13.10", "License": "Boost Software License 1.0", "LicenseId": "BSL-1.0", "LicenseFile": "LICENSE.txt", diff --git a/src/testlib/3rdparty/cycle/qt_attribution.json b/src/testlib/3rdparty/cycle/qt_attribution.json index 89773e39c7e..dab1de85f60 100644 --- a/src/testlib/3rdparty/cycle/qt_attribution.json +++ b/src/testlib/3rdparty/cycle/qt_attribution.json @@ -12,13 +12,15 @@ "01-rename-ticks.patch", "02-preprocesor-checks.patch", "03-parisc-compile.patch" - ] + ], + "General": "no relevant CPE found" }, "Files": "cycle_p.h", "Description": "Allows to access the CPU's cycle counters.", "Homepage": "http://fftw.org/", "Version": "3.3.10", + "PURL": "pkg:github/FFTW/fftw3@fftw-3.3.10", "License": "MIT License", "LicenseId": "MIT", "LicenseFile": "LICENSE.txt", diff --git a/src/testlib/3rdparty/linux/qt_attribution.json b/src/testlib/3rdparty/linux/qt_attribution.json index 07e82490580..8fbd0408c79 100644 --- a/src/testlib/3rdparty/linux/qt_attribution.json +++ b/src/testlib/3rdparty/linux/qt_attribution.json @@ -11,13 +11,15 @@ "Not normally needed unless", "New feature in QtTest needs something in a newer version", "or if a Linux port to some new architecture omits old API" - ] + ], + "General": "no relevant CPE found" }, "Files": "perf_event_p.h", "Description": "Allows access to the Linux kernel's performance events.", "Homepage": "https://www.kernel.org", "Version": "6.0", + "PURL": "pkg:github/torvalds/linux@v6.0#include/uapi/linux/perf_event.h", "License": "GNU General Public License v2.0 only with Linux Syscall Note", "LicenseId": "GPL-2.0-only WITH Linux-syscall-note", "LicenseFile": "LICENSE.txt", diff --git a/src/testlib/3rdparty/valgrind/qt_attribution.json b/src/testlib/3rdparty/valgrind/qt_attribution.json index f1ea241f803..8078274d690 100644 --- a/src/testlib/3rdparty/valgrind/qt_attribution.json +++ b/src/testlib/3rdparty/valgrind/qt_attribution.json @@ -5,12 +5,14 @@ "QDocModule": "qttestlib", "QtUsage": "Used on Linux ond MacOS in the Qt Test module.", "Comment": { "UpstreamFiles": [ "include/valgrind.h.in", "callgrind/callgrind.h" ], - "License": "These two files are BSD; the rest of valgrind is GPL" }, + "License": "These two files are BSD; the rest of valgrind is GPL", + "General": "no relevant CPE found" }, "Files": [ "valgrind_p.h", "callgrind_p.h" ], "Description": "An instrumentation framework for building dynamic analysis tools.", "Homepage": "http://valgrind.org/", "Version": "3.23.0", + "PURL": "pkg:generic/valgrind@3.23.0?download_url=https://valgrind.org/", "License": "BSD 4-clause \"Original\" or \"Old\" License", "LicenseId": "BSD-4-Clause", "LicenseFile": "LICENSE.txt", diff --git a/util/gradientgen/qt_attribution.json b/util/gradientgen/qt_attribution.json index e3a70a7404e..25c382c7d27 100644 --- a/util/gradientgen/qt_attribution.json +++ b/util/gradientgen/qt_attribution.json @@ -8,6 +8,7 @@ "Description": "WebGradients is a free collection of 180 linear gradients.", "Homepage": "https://webgradients.com/", + "PURL": "pkg:generic/webgradients?download_url=https://webgradients.com/", "License": "MIT License", "LicenseId": "MIT", "LicenseFile": "WEBGRADIENTS_LICENSE.txt",