Generate SBOM info

IB-8704

Signed-off-by: Raul Metsma <raul@metsma.ee>

Author: metsma

.github/workflows/build.yml

@@ -20,7 +20,7 @@ jobs:
       with:
         submodules: recursive
     - name: Download artifact
-      uses: dawidd6/action-download-artifact@v11
+      uses: dawidd6/action-download-artifact@v19
       with:
         workflow: build.yml
         branch: master
@@ -60,11 +60,14 @@ jobs:
         cmake --build build --target zipdebug
         cmake --build build --target macdeployqt
         cmake --build build --target zip
+        cmake --install build/sbom
     - name: Archive artifacts
       uses: actions/upload-artifact@v6
       with:
         name: macOS
-        path: build/qdigidoc4*.zip
+        path: |
+          build/qdigidoc4*.zip
+          build/qdigidoc4*.spdx
   ubuntu:
     name: Build on Ubuntu ${{ matrix.container }} ${{ matrix.arch }}
     runs-on: ubuntu-24.04${{ matrix.arch == 'arm64' && '-arm' || '' }}
@@ -79,7 +82,7 @@ jobs:
       DEBEMAIL: github-actions@github.com
     steps:
     - name: Download artifact
-      uses: dawidd6/action-download-artifact@v11
+      uses: dawidd6/action-download-artifact@v19
       with:
         workflow: build.yml
         branch: master
@@ -104,13 +107,18 @@ jobs:
       run: |
         dpkg-buildpackage -us -uc
         mv ../qdigidoc4*.* .
+        cmake -B build -S .
+        cmake --install build/sbom
+        mv build/qdigidoc4*.spdx .
     - name: Lintian
       run: lintian *.deb;
     - name: Archive artifacts
       uses: actions/upload-artifact@v6
       with:
         name: ubuntu_${{ matrix.container }}_${{ matrix.arch }}
-        path: qdigidoc4*.*
+        path: |
+          qdigidoc4*.*
+          qdigidoc4*.spdx
   fedora:
     name: Build on Fedora ${{ matrix.container }}
     runs-on: ubuntu-latest
@@ -120,7 +128,7 @@ jobs:
         container: [42, 43]
     steps:
     - name: Download artifact
-      uses: dawidd6/action-download-artifact@v11
+      uses: dawidd6/action-download-artifact@v19
       with:
         workflow: build.yml
         branch: master
@@ -134,11 +142,14 @@ jobs:
       run: |
         cmake -DCMAKE_INSTALL_PREFIX=/usr -B build -S .
         cmake --build build --target all package
+        cmake --install build/sbom
     - name: Archive artifacts
       uses: actions/upload-artifact@v6
       with:
         name: fedora_${{ matrix.container }}
-        path: build/qdigidoc4*.rpm
+        path: |
+          build/qdigidoc4*.rpm
+          build/qdigidoc4*.spdx
   windows:
     name: Build on Windows
     runs-on: ${{ matrix.platform == 'arm64' && 'windows-11-arm' || 'windows-2025' }}
@@ -151,7 +162,7 @@ jobs:
     steps:
     - *Checkout
     - name: Download artifact
-      uses: dawidd6/action-download-artifact@v11
+      uses: dawidd6/action-download-artifact@v19
       with:
         workflow: build.yml
         branch: master
@@ -190,13 +201,15 @@ jobs:
         cmake --build build --target msi
         cmake --build build --target msishellext
         cmake --build build --target appx
+        cmake --install build/sbom
     - name: Archive artifacts
       uses: actions/upload-artifact@v6
       with:
         name: msi_${{ matrix.vcver }}_${{ matrix.platform }}
         path: |
           build/*.msi
           build/*.appx
+          build/*.spdx
   coverity:
     name: Run Coverity tests
     if: github.repository == 'open-eid/DigiDoc4-Client' && contains(github.ref, 'coverity_scan')
@@ -207,7 +220,7 @@ jobs:
     steps:
     - *Checkout
     - name: Download artifact
-      uses: dawidd6/action-download-artifact@v11
+      uses: dawidd6/action-download-artifact@v19
       with:
         workflow: build.yml
         branch: master
@@ -246,7 +259,7 @@ jobs:
     steps:
     - *Checkout
     - name: Download artifact
-      uses: dawidd6/action-download-artifact@v11
+      uses: dawidd6/action-download-artifact@v19
       with:
         workflow: build.yml
         branch: master

.gitmodules

@@ -1,3 +1,7 @@
 [submodule "common"]
 	path = common
 	url = ../qt-common
+[submodule "cmake/cmake-sbom"]
+	path = cmake/cmake-sbom
+	url = https://github.com/DEMCON/cmake-sbom.git
+	branch = v1.4.0

AppxManifest.xml.cmake

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: Estonian Information System Authority
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
 <?xml version="1.0" encoding="utf-8"?>
 <Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
     xmlns:com="http://schemas.microsoft.com/appx/manifest/com/windows10"

CMakeLists.txt

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: Estonian Information System Authority
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
 cmake_minimum_required(VERSION 3.22)
 if(NOT EXISTS ${CMAKE_SOURCE_DIR}/common/CMakeLists.txt)
     message(FATAL_ERROR "common submodule directory empty, did you 'git clone --recursive'?")
@@ -67,3 +70,4 @@ endif()
 
 add_subdirectory( common )
 add_subdirectory( client )
+include(cmake/sbom.cmake)

client/Application.cpp

@@ -1,21 +1,5 @@
-/*
- * QDigiDoc4
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
- *
- */
+// SPDX-FileCopyrightText: Estonian Information System Authority
+// SPDX-License-Identifier: LGPL-2.1-or-later
 
 #define NOMINMAX
 

client/Application.h

@@ -1,21 +1,5 @@
-/*
- * QDigiDoc4
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
- *
- */
+// SPDX-FileCopyrightText: Estonian Information System Authority
+// SPDX-License-Identifier: LGPL-2.1-or-later
 
 #pragma once
 

client/Application_mac.mm

@@ -1,21 +1,5 @@
-/*
- * QEstEidCommon
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
- *
- */
+// SPDX-FileCopyrightText: Estonian Information System Authority
+// SPDX-License-Identifier: LGPL-2.1-or-later
 
 #include "Application.h"
 

client/CDoc1.cpp

@@ -1,21 +1,5 @@
-/*
- * QDigiDocClient
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
- *
- */
+// SPDX-FileCopyrightText: Estonian Information System Authority
+// SPDX-License-Identifier: LGPL-2.1-or-later
 
 #include "CDoc1.h"
 

client/CDoc1.h

@@ -1,21 +1,5 @@
-/*
- * QDigiDocClient
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
- *
- */
+// SPDX-FileCopyrightText: Estonian Information System Authority
+// SPDX-License-Identifier: LGPL-2.1-or-later
 
 #pragma once
 

client/CDoc2.cpp

@@ -1,21 +1,5 @@
-/*
- * QDigiDocClient
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
- *
- */
+// SPDX-FileCopyrightText: Estonian Information System Authority
+// SPDX-License-Identifier: LGPL-2.1-or-later
 
 #include "CDoc2.h"