From 96998720c641dc2bc01977d460119f8c709d2103 Mon Sep 17 00:00:00 2001
From: Sebastian Schuberth <sebastian@doubleopen.org>
Date: Mon, 9 Dec 2024 17:13:01 +0100
Subject: [PATCH] feat(spdx): Set `originator` and `supplier` information

Populate NTIA minimum elements [1] by setting `supplier` (and
`originator`, while at it) information. For now, simply set both to the
list of authors, assuming they are persons. This needs to be improved
further in the context of [2].

[1]: https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf
[2]: https://github.com/oss-review-toolkit/ort/issues/7449

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
---
 plugins/reporters/spdx/src/main/kotlin/Extensions.kt | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/plugins/reporters/spdx/src/main/kotlin/Extensions.kt b/plugins/reporters/spdx/src/main/kotlin/Extensions.kt
index 11140e59f378f..fe3ffe65e3615 100644
--- a/plugins/reporters/spdx/src/main/kotlin/Extensions.kt
+++ b/plugins/reporters/spdx/src/main/kotlin/Extensions.kt
@@ -217,7 +217,9 @@ internal fun Package.toSpdxPackage(
                 .sorted()
         },
         name = id.name,
+        originator = authors.takeUnless { it.isEmpty() }?.joinToString(prefix = SpdxConstants.PERSON),
         packageVerificationCode = packageVerificationCode,
+        supplier = authors.takeUnless { it.isEmpty() }?.joinToString(prefix = SpdxConstants.PERSON),
         versionInfo = id.version
     )
 }