Description of `metadata.supplier` is confusing
As of v1.5, the description of metadata.supplier states:
https://github.com/CycloneDX/specification/blob/299209abd9531d808e0cc4235e77a7c4b1b53d96/schema/bom-1.5.schema.json#L268-L271
This is in addition to metadata.component.supplier, which states:
https://github.com/CycloneDX/specification/blob/299209abd9531d808e0cc4235e77a7c4b1b53d96/schema/bom-1.5.schema.json#L430-L434
Based on those descriptions, it is unclear what the subject of metadata.supplier is. metadata.component is the component that the BOM describes, meaning metadata.component.supplier would be the same as metadata.supplier.
As discussed in this Slack thread, it seems that metadata.supplier describes the supplier of the BOM itself. If that is the case, the schema documentation should be updated to include this fact.
I was told that metadata.supplier is meant to be the supplier of the CycloneDX document.
The other one is the supplier of the root component.
Use case: you have an agency producing your documentation artifact.
~~I will update the docs for 1.6~~
PS: since the current docs state something other than what was meant, the mentioned facts would be a breaking change. Will discuss with the CoreWorkingGroup -- result here: https://github.com/CycloneDX/specification/pull/379#issuecomment-1945543800
See a discussion result from the CoreWorkingGroup here: https://github.com/CycloneDX/specification/pull/379#issuecomment-1945543800
@stevespringett let's move this one to 1.7. We did not find consensus here yet. Maybe we will come up with a non-breaking solution in the future.
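The distinction described in the comments above (metadata.supplier as the party that produced the BOM document, metadata.component.supplier as the supplier of the root component the BOM describes), shown as an added example that is not part of this issue or of the CycloneDX project; the organisation names, the sample document and the `describe_suppliers` helper are assumptions constructed for illustration.

```python
import json

# Constructed minimal CycloneDX 1.5 document (not taken from the issue) that
# separates the two parties the thread discusses: a documentation agency that
# produced the BOM, and the vendor that supplies the root component.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {
        # Supplier of the BOM document itself (hypothetical agency)
        "supplier": {"name": "Example Documentation Agency"},
        "component": {
            "type": "application",
            "name": "widget-service",
            "version": "2.3.1",
            # Supplier of the root component (hypothetical vendor)
            "supplier": {"name": "Example Software Vendor"},
        },
    },
    "components": [],
})


def describe_suppliers(bom_json: str) -> dict:
    """Report who supplied the BOM document and who supplies the root component.

    A consumer reviewing an SBOM wants both answers separately: the document
    producer vouches for the inventory, the component supplier for the
    software. Missing suppliers are reported as None so a BOM that names no
    document producer at all can be flagged.
    """
    bom = json.loads(bom_json)
    metadata = bom.get("metadata", {})
    doc_supplier = metadata.get("supplier", {}).get("name")
    root_component = metadata.get("component", {})
    comp_supplier = root_component.get("supplier", {}).get("name")
    return {
        "document_supplier": doc_supplier,
        "component_supplier": comp_supplier,
        # True only when both are present and name the same organisation
        "same_party": doc_supplier is not None and doc_supplier == comp_supplier,
    }


if __name__ == "__main__":
    print(describe_suppliers(SAMPLE_BOM))
```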