|
|
@@ -21,6 +21,7 @@ Synopsis
|
|
|
install(`EXPORT`_ <export-name> [...])
|
|
|
install(`PACKAGE_INFO`_ <package-name> [...])
|
|
|
install(`RUNTIME_DEPENDENCY_SET`_ <set-name> [...])
|
|
|
+ install(`SBOM`_ <sbom-name> [...])
|
|
|
|
|
|
Introduction
|
|
|
^^^^^^^^^^^^
|
|
|
@@ -1192,6 +1193,87 @@ Signatures
|
|
|
:command:`install_files`, and :command:`install_programs` commands
|
|
|
is not defined.
|
|
|
|
|
|
+.. signature::
|
|
|
+ install(SBOM <sbom-name> [...])
|
|
|
+
|
|
|
+ .. versionadded:: 4.3
|
|
|
+ .. note::
|
|
|
+
|
|
|
+ Experimental. Gated by ``CMAKE_EXPERIMENTAL_GENERATE_SBOM``.
|
|
|
+
|
|
|
+ Installs a |SBOM| or "SBOM" which describes the project:
|
|
|
+
|
|
|
+ .. code-block:: cmake
|
|
|
+
|
|
|
+ install(SBOM <sbom-name> EXPORT <export-name>
|
|
|
+ [PROJECT <project-name>|NO_PROJECT_METADATA]
|
|
|
+ [DESTINATION <dir>]
|
|
|
+ [VERSION <major>[.<minor>[.<patch>[.<tweak>]]]]
|
|
|
+ [LICENSE <license-string>]
|
|
|
+ [DESCRIPTION <description-string>]
|
|
|
+ [HOMEPAGE_URL <url-string>]
|
|
|
+ [PACKAGE_URL <url-string>]
|
|
|
+ [FORMAT <string>])
|
|
|
+
|
|
|
+ The ``SBOM`` form generates a |SBOM| or "SBOM" file for a given project
|
|
|
+ and installs it as part of the project installation. A |SBOM| is a
|
|
|
+ machine-readable description of the project's targets, linked libraries,
|
|
|
+ and related metadata, such as versions and license information. CMake
|
|
|
+ currently generates SBOM files using the |SPDX|_ 3.0 specification in
|
|
|
+ its JSON-LD representation, as selected by the ``FORMAT`` option, but
|
|
|
+ the interface is designed to allow additional SBOM formats or schema
|
|
|
+ versions to be supported in future CMake releases.
|
|
|
+
|
|
|
+ Target installations are associated with the export ``<export-name>``
|
|
|
+ using the ``EXPORT`` option of the :command:`install(TARGETS)` signature
|
|
|
+ documented above. If ``DESTINATION`` is not specified, a platform-specific
|
|
|
+ default is used.
|
|
|
+
|
|
|
+ Several options may be used to specify package metadata:
|
|
|
+
|
|
|
+ ``VERSION <version>``
|
|
|
+ The package version, specified as a series of non-negative integer components,
|
|
|
+ i.e. <major>[.<minor>[.<patch>[.<tweak>]]]. See :command:`project(VERSION)` for
|
|
|
+ more information.
|
|
|
+
|
|
|
+ ``FORMAT <string>``
|
|
|
+ The format in which the SBOM should be exported, which must be an expression of
|
|
|
+ the form ``<format>[-<version>][+<representation>]``. CMake currently supports
|
|
|
+ the JSON-LD serialization of |SPDX|_ v3.0.1 (``spdx`` or ``spdx-3.0.1+json``),
|
|
|
+ which is also the default if ``FORMAT`` is not specified.
|
|
|
+
|
|
|
+ ``HOMEPAGE_URL <url-string>``
|
|
|
+
|
|
|
+ An informational canonical home URL for the project.
|
|
|
+
|
|
|
+ ``PACKAGE_URL <url-string>``
|
|
|
+
|
|
|
+ An informational canonical package URL for the project.
|
|
|
+
|
|
|
+ ``LICENSE <license-string>``
|
|
|
+
|
|
|
+ A |SPDX|_ (SPDX) `License Expression`_ that describes the license(s) of the
|
|
|
+ project as a whole, including documentation, resources, or other materials
|
|
|
+ distributed with the project, in addition to software artifacts. See the
|
|
|
+ SPDX `License List`_ for a list of commonly used licenses and their
|
|
|
+ identifiers.
|
|
|
+
|
|
|
+ The license of individual components is taken from the
|
|
|
+ :prop_tgt:`SPDX_LICENSE` property of their respective targets.
|
|
|
+
|
|
|
+ ``DESCRIPTION <description-string>``
|
|
|
+
|
|
|
+ An informational description of the project. It is recommended that this
|
|
|
+ description is a relatively short string, usually no more than a few words.
|
|
|
+
|
|
|
+ By default, if the specified ``<package-name>`` matches the current CMake
|
|
|
+ :variable:`PROJECT_NAME`, sbom metadata will be inherited from the
|
|
|
+ project. The ``PROJECT <project-name>`` option may be used to specify a
|
|
|
+ different project from which to inherit metadata. If ``NO_PROJECT_METADATA``
|
|
|
+ is specified, automatic inheritance of sbom metadata will be disabled.
|
|
|
+ In any case, any metadata values specified in the ``install`` command will
|
|
|
+ take precedence.
|
|
|
+
|
|
|
Examples
|
|
|
^^^^^^^^
|
|
|
|
|
|
@@ -1323,3 +1405,5 @@ and by CPack. You can also invoke this script manually with
|
|
|
|
|
|
.. _License Expression: https://spdx.github.io/spdx-spec/v3.0.1/annexes/spdx-license-expressions/
|
|
|
.. _License List: https://spdx.org/licenses/
|
|
|
+
|
|
|
+.. |SBOM| replace:: Software Bill of Material
|
Taylor Sasser