feat(spdx): Set originator and supplier information

Populate NTIA minimum elements [1] by setting `supplier` (and `originator`, while at it) information. For now, simply set both to the list of authors, assuming they are persons. This needs to be improved further in the context of [2]. [1]: https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf [2]: #7449 Signed-off-by: Sebastian Schuberth <[email protected]>
oss-review-toolkit · Dec 9, 2024 · 9699872 · 9699872
1 parent 883fcd1
commit 9699872
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/plugins/reporters/spdx/src/main/kotlin/Extensions.kt b/plugins/reporters/spdx/src/main/kotlin/Extensions.kt
@@ -217,7 +217,9 @@ internal fun Package.toSpdxPackage(
                 .sorted()
         },
         name = id.name,
+        originator = authors.takeUnless { it.isEmpty() }?.joinToString(prefix = SpdxConstants.PERSON),
         packageVerificationCode = packageVerificationCode,
+        supplier = authors.takeUnless { it.isEmpty() }?.joinToString(prefix = SpdxConstants.PERSON),
         versionInfo = id.version
     )
 }