
Software Bill of Materials (SBOM)

One of the CRA requirements is drawing up an SBOM, that is, a software bill of materials in a commonly used and machine-readable format. The SBOM must cover at the very least the top-level dependencies for each of your products.

Generating accurate SBOMs manually is not scalable, making automation necessary.

EU CRA Reference

Annex I, Part II § 1

Manufacturers of products with digital elements shall identify and document vulnerabilities and components contained in products with digital elements, including by drawing up a software bill of materials in a commonly used and machine-readable format covering at the very least the top-level dependencies of the products.

Go to the legislation

OWASP SAMM Reference

Software Assurance Maturity Model

SAMM is an open framework that helps organizations analyze their software security practices. A SAMM implementation includes keeping a record of all dependencies used throughout the target production environment, for example by generating a bill of materials for every application.

Learn more about SAMM

Qt Framework Highlights

Auto-Generate Your SBOM

SBOMs can be automatically generated with Qt 6.8.0 and later as part of the build process. They can be used, for example, to find known vulnerabilities in the listed components, check license compliance, verify file integrity, and track copyrights.

What Qt SBOM Is Based On

There are many SBOM types and formats, but Qt uses one of the most useful ones, the Build SBOM. It is based on source files, dependency information, already created components, volatile data captured during the build process, and other SBOMs.

Get Your SBOM in SPDX v2.3

With Qt, you get one document for each Qt Framework git repository built, using the SPDX v2.3 format, in both tag:value and JSON formats. When using the online installer, you automatically get your SBOM in a dedicated directory.
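Because the SBOM is machine-readable, the CRA's "at least the top-level dependencies" requirement can be checked automatically rather than by eye. The following is an added example, not Qt's own tooling: it parses an SPDX 2.3 JSON document, resolves which packages the document describes, walks the `DEPENDS_ON` / `DEPENDENCY_OF` relationships one hop from those root packages to list the top-level dependencies, and flags entries that lack a version (so they cannot be matched against vulnerability advisories) or whose license is `NOASSERTION` (so license compliance cannot be decided). The field and relationship names follow the SPDX 2.3 specification; the embedded document is a constructed sample, and the package names and versions in it are illustrative, not taken from a real Qt build.

```python
import json

# Constructed sample SPDX 2.3 JSON document (illustrative values, not a real Qt SBOM).
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "myapp-sbom",
    "documentNamespace": "https://example.invalid/spdxdocs/myapp-1.0",
    "documentDescribes": ["SPDXRef-Package-myapp"],
    "packages": [
        {"SPDXID": "SPDXRef-Package-myapp", "name": "myapp", "versionInfo": "1.0.0",
         "licenseConcluded": "MIT", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-qtbase", "name": "qtbase", "versionInfo": "6.8.0",
         "licenseConcluded": "LGPL-3.0-only", "downloadLocation": "NOASSERTION"},
        # zlib entry deliberately lacks versionInfo: it cannot be matched against advisories.
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib",
         "licenseConcluded": "Zlib", "downloadLocation": "NOASSERTION"},
        # openssl entry has an undetermined license: compliance cannot be decided.
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.13",
         "licenseConcluded": "NOASSERTION", "downloadLocation": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-myapp"},
        {"spdxElementId": "SPDXRef-Package-myapp", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-qtbase"},
        # Same fact expressed in the reverse direction, which SPDX also permits.
        {"spdxElementId": "SPDXRef-Package-zlib", "relationshipType": "DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-Package-myapp"},
        # Transitive dependency: must NOT appear in the top-level list.
        {"spdxElementId": "SPDXRef-Package-qtbase", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-openssl"},
    ],
})


def load_spdx(text):
    """Parse an SPDX JSON document and reject anything that is not SPDX 2.x."""
    doc = json.loads(text)
    version = doc.get("spdxVersion", "")
    if not version.startswith("SPDX-2."):
        raise ValueError(f"unsupported SPDX version: {version!r}")
    return doc


def described_packages(doc):
    """Root packages: documentDescribes plus DESCRIBES relationships from the document."""
    roots = set(doc.get("documentDescribes", []))
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DESCRIBES" and rel["spdxElementId"] == doc["SPDXID"]:
            roots.add(rel["relatedSpdxElement"])
    return roots


def top_level_dependencies(doc):
    """SPDXIDs one dependency hop away from the root packages, in either relationship direction."""
    roots = described_packages(doc)
    deps = set()
    for rel in doc.get("relationships", []):
        kind = rel["relationshipType"]
        if kind == "DEPENDS_ON" and rel["spdxElementId"] in roots:
            deps.add(rel["relatedSpdxElement"])
        elif kind == "DEPENDENCY_OF" and rel["relatedSpdxElement"] in roots:
            deps.add(rel["spdxElementId"])
    return deps


def find_gaps(doc):
    """Entries a vulnerability or license check could not act on, as (name, reason) pairs."""
    gaps = []
    for pkg in doc.get("packages", []):
        if not pkg.get("versionInfo"):
            gaps.append((pkg["name"], "missing versionInfo"))
        if pkg.get("licenseConcluded", "NOASSERTION") == "NOASSERTION":
            gaps.append((pkg["name"], "licenseConcluded is NOASSERTION"))
    return sorted(gaps)


def audit(text):
    """Summarise what the SBOM covers and where it falls short of being actionable."""
    doc = load_spdx(text)
    names = {p["SPDXID"]: p["name"] for p in doc.get("packages", [])}
    return {
        "spdx_version": doc["spdxVersion"],
        "described": sorted(names.get(i, i) for i in described_packages(doc)),
        "top_level_dependencies": sorted(names.get(i, i) for i in top_level_dependencies(doc)),
        "gaps": find_gaps(doc),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SPDX_JSON), indent=2))
```

On the sample, the audit lists `qtbase` and `zlib` as top-level dependencies, leaves the transitive `openssl` out of that list, and reports the two entries a downstream scanner could not act on. The same script can be pointed at the JSON document Qt writes for each built repository; a package in that output without a version or with a `NOASSERTION` license is a finding to resolve before the SBOM is relied on for CRA vulnerability handling.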

Next Steps at Qt Group


Create SBOM for QUL (Qt for MCUs)

Create SBOM for Axivion

Create SBOM for Squish

Create SBOM for Coco

The information contained on this page and this website does not constitute legal advice. It is provided for informational purposes and discussion of the subject matter only. Content is subject to change and The Qt Group does not guarantee the accuracy or currentness of the contents of this page nor is The Qt Group responsible for the content or operation of any external website that these pages link to—or that may link to—these pages. The information contained here is not, and should not be used as, a substitute for legal advice.