Add security flags to libarchive extraction to prevent path traversal
(Zip Slip) and absolute path attacks:
- ARCHIVE_EXTRACT_SECURE_NODOTDOT: Block ".." path components
- ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS: Block absolute paths
- ARCHIVE_EXTRACT_SECURE_SYMLINKS: Block symlinks escaping extract dir
This hardens both `cmake -E tar` and `file(ARCHIVE_EXTRACT)` against
malicious archives that attempt to write files outside the intended
extraction directory.
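The three flags above correspond to three independent checks that an extractor must apply per entry. The following is an added example, not CMake's or libarchive's code, that reimplements the same policy in Python over a tar archive constructed in memory so the attack shapes can be seen side by side: a `..` component, an absolute member name, and a write that goes through a symlink created by an earlier entry (in libarchive, `ARCHIVE_EXTRACT_SECURE_SYMLINKS` refuses any entry whose on-disk destination would be redirected by a symlink; the symlink entry itself is still created). The reason strings are named after the flags only for readability and are this example's own convention.

```python
"""Zip Slip / path-escape checks for archive extraction, mirroring the policy
libarchive enforces with ARCHIVE_EXTRACT_SECURE_NODOTDOT,
ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS and ARCHIVE_EXTRACT_SECURE_SYMLINKS.
Added example; not CMake or libarchive code.  Reason strings are assumptions."""
import io
import os
import posixpath
import tarfile
import tempfile


def _add(tar, name, data=b"", symlink_to=None, isdir=False):
    """Append one constructed member to an in-memory tar."""
    info = tarfile.TarInfo(name)
    if symlink_to is not None:
        info.type = tarfile.SYMTYPE
        info.linkname = symlink_to
        tar.addfile(info)
    elif isdir:
        info.type = tarfile.DIRTYPE
        tar.addfile(info)
    else:
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))


def build_archive():
    """Constructed sample: a benign tree plus the three attack shapes. Returns tar bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "pkg", isdir=True)
        _add(tar, "pkg/readme.txt", b"benign\n")
        _add(tar, "pkg/../../../tmp/evil.sh", b"id\n")          # '..' traversal
        _add(tar, "/etc/cron.d/evil", b"* * * * * root id\n")   # absolute path
        _add(tar, "pkg/out", symlink_to="../../outside")        # dangling symlink, allowed on its own
        _add(tar, "pkg/out/payload", b"escapes via symlink\n")  # write *through* the symlink
    return buf.getvalue()


def check_member(member, dest):
    """Return None if the member may be written under dest, else the policy it violates."""
    name = member.name
    # NOABSOLUTEPATHS: reject POSIX absolute names and Windows drive/UNC style names.
    if posixpath.isabs(name) or name.startswith("\\") or (len(name) > 1 and name[1] == ":"):
        return "NOABSOLUTEPATHS"
    # NODOTDOT: any '..' component, anywhere, is refused (no normalisation attempted).
    if ".." in name.split("/"):
        return "NODOTDOT"
    # SECURE_SYMLINKS: walk each parent component as it exists on disk right now;
    # if any is a symlink the final location would be redirected, so refuse.
    path = dest
    for part in name.split("/")[:-1]:
        path = os.path.join(path, part)
        if os.path.islink(path):
            return "SECURE_SYMLINKS"
    if not (member.isfile() or member.isdir() or member.issym()):
        return "UNSUPPORTED_TYPE"
    return None


def safe_extract(tar_bytes, dest):
    """Write members that pass check_member below dest; return {name: reason} for the rest."""
    rejected = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar:
            reason = check_member(m, dest)
            if reason:
                rejected[m.name] = reason
                continue
            target = os.path.join(dest, *m.name.split("/"))
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            elif m.issym():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                os.symlink(m.linkname, target)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as f:
                    f.write(tar.extractfile(m).read())
    return rejected


def demo():
    """Extract the constructed archive into a temp dir; return (rejections, files written)."""
    with tempfile.TemporaryDirectory() as dest:
        rejected = safe_extract(build_archive(), dest)
        written = sorted(os.path.relpath(os.path.join(root, f), dest)
                         for root, _, files in os.walk(dest) for f in files)
    return rejected, written


if __name__ == "__main__":
    print(demo())
```

Only `pkg/readme.txt` and the (dangling) `pkg/out` symlink end up on disk; the traversal entry, the absolute entry and the write through `pkg/out` are each refused by a different check, which is why all three flags are needed together rather than any one of them.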
Change the interface of the `export` command so that `PACKAGE_INFO` and
`SBOM` are proper, first-level sub-commands, rather than being implemented via
`export(EXPORT ... (PACKAGE_INFO|SBOM) ...)`. This brings consistency with the
`install` command and also simplifies argument parsing.
Update the documentation and test cases accordingly. Some of the
argument handling test cases are now rather gratuitous, and are removed,
which also improves consistency with the `install` tests.
8ec5a595cd cmSbom: Add documentation for `install(SBOM)` and `export(SBOM)`
83671f2d87 cmSbom: Add `export(SBOM)` build generators and unit tests
f2027a886b cmSbom: Add `install(SBOM)` generator and unit tests
dcadde3662 CPS: Refactor ForbidGeneratorExpressions into cmGeneratorExpression
bcb6f689a4 cmExportInstallFileGenerator: Allow overriding of CheckInterfaceDirs
6d6c37c90d cmPackageInfoArguments: Extract common values
8c6676b2ea cmFindPackage: Fix PACKAGE_VERSION not being set when rebuilding
Acked-by: Kitware Robot <kwrobot@kitware.com>
Tested-by: buildbot <buildbot@kitware.com>
Merge-request: !11396
Also revert commit 9702a01dc9 (Help: string(LENGTH): Fix synopsis link
to command description, 2023-12-30, v3.28.2~23^2). It was only needed
to avoid re-using a named reference that we've now removed.
Issue: #25546
Add the ability to generate CPS package information when install(EXPORT)
is used. This relies on additional information being passed to CMake,
and is intended as a way of getting CPS out of existing projects without
needing to make changes to the projects' CMakeLists.txt. (Particularly,
this feature is intended for package distributors, not project authors.)
Currently, CMake allows specifying a license (`SPDX_LICENSE`) for both
projects and targets, which is largely motivated by CPS export. The
design of CPS is geared toward components (targets) only expressing an
explicit license when that component's license differs from the license
that applies to the package as a whole (or, at least, the license
generally used by the package's software components). Accordingly, the
project license is not used to initialize the `SPDX_LICENSE` target
property at export time. This, however, was not documented previously.
Add a note explaining this to the `SPDX_LICENSE` option of the `project`
command.
Fixes: #27295
The `SPDX_LICENSE` option of the `project` command requires that the
`CMAKE_EXPERIMENTAL_EXPORT_PACKAGE_INFO` gate is enabled, but this was
not documented. Add the missing documentation.
Fixes: #27328
- Reworded command description.
- Briefly mentioned that this command can also remove other flags given
by add_definitions().
- Added examples section.
- Also mentioned the add_compile_definitions() command, as
  remove_definitions() can also remove those.
Using `signature` renders the anchor links for each sub-command, and is
consistent with the other `Help/command` pages which contain multiple
sub-commands.
Adds support for "symbolic" components, which represent feature-level
capabilities of a package that do not correspond to actual build targets.
These are modeled as pseudo-targets, using the INTERFACE type as a base,
and can be queried via:
get_target_property(... <tgt> "SYMBOLIC")
This enables consumers to declare requirements on optional features
(e.g., SSL support) even when they do not map to concrete targets.
Fixes: #27187
Create a single place to store target data to prevent duplication.
This moves `targetType` and `targetLabels` out of the snippet files
and into a target map in the `cmakeContent` file referenced by each
snippet.
Fixes: #27244