Use FetchContent for CGAL instead of find_package

[krystophny]

User description

CGAL 5.x is header-only, so we can use FetchContent to download the headers directly instead of requiring a system installation.

Changes:

• Download CGAL 5.6.1 via FetchContent (header-only, no CMake build)
• Require Boost headers (CGAL dependency)
• Simplify stl_wall_cgal linking to just include dirs + Boost::headers

This removes the need for users to install CGAL separately.

---

PR Type

Enhancement

---

Description

• Replace CGAL system dependency with FetchContent download

• Simplify CGAL integration for header-only library usage

• Add Boost headers as explicit CGAL dependency requirement

• Remove CGAL CMake build configuration and targets

---

Diagram Walkthrough

flowchart LR
  A["find_package CGAL"] -->|Replace| B["FetchContent CGAL 5.6.1"]
  C["CGAL::CGAL target"] -->|Remove| D["Include directories only"]
  E["Boost requirement"] -->|Add explicit| F["Boost::headers"]
  B --> D
  D --> F

Loading

File Walkthrough

Relevant files

Enhancement

CMakeLists.txt Switch CGAL to FetchContent with Boost dependency                CMakeLists.txt Replace find_package(CGAL) with FetchContent to download CGAL 5.6.1 headers Add explicit find_package(Boost REQUIRED) as CGAL dependency Set CGAL_INCLUDE_DIR variable pointing to fetched CGAL include path Update status messages to reflect header-only FetchContent approach +19/-2    CMakeLists.txt Update stl_wall_cgal linking for header-only CGAL                src/CMakeLists.txt Remove target_link_libraries(stl_wall_cgal PUBLIC CGAL::CGAL) target linking Remove conditional CGAL::CGAL_Core target linking Add target_include_directories() with CGAL_INCLUDE_DIR for header-only usage Link Boost::headers instead of CGAL CMake targets +3/-4

---

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Supply-chain download Description: FetchContent_Declare() downloads CGAL from a remote URL without any integrity verification (no URL_HASH/pinned digest), which introduces a supply-chain risk where a compromised/mirrored release archive or MITM could inject malicious headers into the build. CMakeLists.txt [209-218] Referred Code include(FetchContent) FetchContent_Declare( cgal URL https://github.com/CGAL/cgal/releases/download/v5.6.1/CGAL-5.6.1.tar.xz DOWNLOAD_EXTRACT_TIMESTAMP TRUE ) FetchContent_GetProperties(cgal) if(NOT cgal_POPULATED) FetchContent_Populate(cgal) endif()
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Fetch failure handling: The new FetchContent-based CGAL download introduces a network/external-dependency failure point without an explicit graceful/offline fallback path, which may cause configure/build failures in restricted environments. Referred Code include(FetchContent) FetchContent_Declare( cgal URL https://github.com/CGAL/cgal/releases/download/v5.6.1/CGAL-5.6.1.tar.xz DOWNLOAD_EXTRACT_TIMESTAMP TRUE ) FetchContent_GetProperties(cgal) if(NOT cgal_POPULATED) FetchContent_Populate(cgal) endif() # CGAL 5.x is header-only, just add include path set(CGAL_INCLUDE_DIR "${cgal_SOURCE_DIR}/include") message(STATUS "CGAL enabled via FetchContent: 5.6.1 (header-only)") message(STATUS "CGAL include dir: ${CGAL_INCLUDE_DIR}") Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Unverified remote content: CGAL is fetched from a remote URL via FetchContent_Declare without an integrity check (e.g., URL_HASH), which may not meet security expectations for validating external inputs/dependencies. Referred Code FetchContent_Declare( cgal URL https://github.com/CGAL/cgal/releases/download/v5.6.1/CGAL-5.6.1.tar.xz DOWNLOAD_EXTRACT_TIMESTAMP TRUE ) Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	✅ Incomplete manual handling of CGAL dependencies Suggestion Impact: The commit addresses the missing dependency concern by adding explicit discovery and linking of GMP to the CGAL-based target, partially mitigating the issue highlighted in the suggestion (though it does not switch to CGAL's CMake/configuration or link against CGAL::CGAL, nor add MPFR). code diff: # CGAL 5.x is header-only, just need include paths for CGAL and Boost target_include_directories(stl_wall_cgal PUBLIC ${CGAL_INCLUDE_DIR}) - target_link_libraries(stl_wall_cgal PUBLIC Boost::headers) + # CGAL requires GMP for exact arithmetic + find_library(GMP_LIBRARY gmp REQUIRED) + target_link_libraries(stl_wall_cgal PUBLIC Boost::headers ${GMP_LIBRARY}) The PR's manual fetching of CGAL headers only accounts for the Boost dependency, but ignores other essential libraries like GMP and MPFR. This oversight could cause build failures if the code relies on CGAL features requiring them. Examples: CMakeLists.txt [203-223] # CGAL 5.x is header-only, fetch headers via FetchContent (don't run CGAL's CMake) if(SIMPLE_ENABLE_CGAL) # CGAL requires Boost headers find_package(Boost REQUIRED) message(STATUS "Boost found: ${Boost_VERSION}") include(FetchContent) FetchContent_Declare( cgal URL https://github.com/CGAL/cgal/releases/download/v5.6.1/CGAL-5.6.1.tar.xz ... (clipped 11 lines) src/CMakeLists.txt [60-62] # CGAL 5.x is header-only, just need include paths for CGAL and Boost target_include_directories(stl_wall_cgal PUBLIC ${CGAL_INCLUDE_DIR}) target_link_libraries(stl_wall_cgal PUBLIC Boost::headers) Solution Walkthrough: Before: # CMakeLists.txt if(SIMPLE_ENABLE_CGAL) # CGAL requires Boost headers find_package(Boost REQUIRED) include(FetchContent) FetchContent_Declare(cgal URL ...) FetchContent_Populate(cgal) set(CGAL_INCLUDE_DIR "${cgal_SOURCE_DIR}/include") # ... endif() # src/CMakeLists.txt target_include_directories(stl_wall_cgal PUBLIC ${CGAL_INCLUDE_DIR}) target_link_libraries(stl_wall_cgal PUBLIC Boost::headers) After: # CMakeLists.txt if(SIMPLE_ENABLE_CGAL) # Let CGAL's own CMake scripts handle its dependencies (Boost, GMP, MPFR, etc.) include(FetchContent) FetchContent_Declare(cgal URL ...) # A more robust approach is to let FetchContent configure CGAL FetchContent_MakeAvailable(cgal) # ... endif() # src/CMakeLists.txt # Link against the imported target from CGAL's build system target_link_libraries(stl_wall_cgal PUBLIC CGAL::CGAL) Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies a critical flaw in the PR's assumption that CGAL is purely header-only, as it overlooks other crucial dependencies like GMP and MPFR, which could lead to build failures.	High
Security	Use URL hash for FetchContent Add a URL_HASH with the file's SHA256 checksum to the FetchContent_Declare call for cgal. This will verify the integrity of the downloaded archive, enhancing security. CMakeLists.txt [210-214] FetchContent_Declare( cgal URL https://github.com/CGAL/cgal/releases/download/v5.6.1/CGAL-5.6.1.tar.xz + URL_HASH SHA256=<insert_actual_hash_here> DOWNLOAD_EXTRACT_TIMESTAMP TRUE ) Apply / Chat Suggestion importance[1-10]: 8 __ Why: This is a critical security best practice. Adding a URL_HASH ensures the downloaded dependency has not been tampered with, preventing potential supply chain attacks.	Medium
General	Avoid unnecessary dependency build steps Add CONFIGURE_COMMAND "" and BUILD_COMMAND "" to FetchContent_Declare for the cgal dependency. This will prevent unnecessary and inefficient configuration and build steps, as CGAL is being used as a header-only library. CMakeLists.txt [209-218] include(FetchContent) FetchContent_Declare( cgal URL https://github.com/CGAL/cgal/releases/download/v5.6.1/CGAL-5.6.1.tar.xz DOWNLOAD_EXTRACT_TIMESTAMP TRUE + CONFIGURE_COMMAND "" + BUILD_COMMAND "" ) FetchContent_GetProperties(cgal) if(NOT cgal_POPULATED) FetchContent_Populate(cgal) endif() Apply / Chat Suggestion importance[1-10]: 7 __ Why: This suggestion correctly identifies that FetchContent_Populate will trigger an unnecessary build for a header-only library. Adding CONFIGURE_COMMAND "" and BUILD_COMMAND "" aligns with the PR's intent, improving build efficiency and correctness.	Medium
Update