
cyclone-dx: javascript mapping of authors, contributors and maintainers -> component.author

Open · spiffcs opened this issue 5 months ago · 1 comment

What would you like to be added:

Update CycloneDX encoder so that people metadata discovered from package.json (and npm registry metadata where available) is emitted under the CycloneDX component.authors array for the affected component(s).

Specifically:

  • Convert each person into a CycloneDX OrganizationalContact object with the fields name and email (phone will not be present); ignore unknown keys
  • Do not use the deprecated component.author (singular) field; only use component.authors (array).
  • (optional) set bom-ref if we already assign stable refs for contacts

Note: URL is not part of OrganizationalContact; drop or consider mapping to externalReferences if we choose to extend later

Why is this needed:

CycloneDX 1.6 models creators of a component via authors (array of OrganizationalContact). Using this provides accurate provenance and aligns with the spec; the legacy author field is deprecated in favor of authors or manufacturer.

URLs present in person strings are currently dropped (no field on OrganizationalContact). If desired later, we could add an externalReferences entry of type website, but that’s out of scope here.

Acceptance criteria:

For a JS component like

{
  "name": "demo",
  "version": "1.0.0",
  "author": "Alice Doe <[email protected]>",
  "contributors": [
    {"name":"Bob Roe","email":"[email protected]"},
    "Carol Poe <[email protected]>"
  ],
  "maintainers": [
    {"name":"Org Maintainer","email":"[email protected]"}
  ]
}

the CycloneDX output contains:

"components": [
  {
    "name": "demo",
    "version": "1.0.0",
    "authors": [
      {"name":"Alice Doe","email":"[email protected]"},
      {"name":"Bob Roe","email":"[email protected]"},
      {"name":"Carol Poe","email":"[email protected]"},
      {"name":"Org Maintainer","email":"[email protected]"}
    ]
  }
]

Non-goals (can be separate issues):

  • Mapping url to externalReferences
  • Inferring or populating manufacturer/supplier
  • Backfilling non-JS ecosystems

spiffcs · Aug 13 '25 22:08
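The mapping the issue asks for, written out as an added Go example (not syft's own encoder code): npm person entries in either shorthand-string or object form are parsed into OrganizationalContact name/email, the url is dropped, and author, contributors and maintainers are folded into one list destined for component.authors. The names Contact, parsePerson and AuthorsFromPackageJSON are this example's own, and the embedded package.json with its emails and url is a constructed placeholder.

```go
package main

import (
	"encoding/json"
	"regexp"
)

// Contact holds the two OrganizationalContact fields emitted here; phone is never populated.
type Contact struct {
	Name  string `json:"name,omitempty"`
	Email string `json:"email,omitempty"`
}

// Constructed sample mirroring the issue's example; the emails and the url are placeholders.
var SamplePackageJSON = []byte(`{"name":"demo","version":"1.0.0","author":"Alice Doe <alice@example.com>",
"contributors":[{"name":"Bob Roe","email":"bob@example.com"},"Carol Poe <carol@example.com> (https://example.com/carol)"],"maintainers":[{"name":"Org Maintainer","email":"maint@example.com"}]}`)

// npm person shorthand is "Name <email> (url)"; email and url are optional and the url is dropped.
var personRe = regexp.MustCompile(`^(.*?)\s*(?:<([^>]*)>)?\s*(?:\(([^)]*)\))?\s*$`)
// parsePerson accepts either package.json form, shorthand string or object; unknown keys are ignored.
func parsePerson(raw json.RawMessage) (Contact, bool) {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		m := personRe.FindStringSubmatch(s)
		if m == nil || m[1] == "" {
			return Contact{}, false // no name: nothing to emit
		}
		return Contact{Name: m[1], Email: m[2]}, true // m[3] (url) is intentionally dropped
	}
	var c Contact
	return c, json.Unmarshal(raw, &c) == nil && c.Name != ""
}

// AuthorsFromPackageJSON folds author, contributors and maintainers (in that order) into the
// list that becomes component.authors; the deprecated singular component.author is never used.
func AuthorsFromPackageJSON(pkgJSON []byte) ([]Contact, error) {
	var pkg struct {
		Author                    json.RawMessage
		Contributors, Maintainers []json.RawMessage
	}
	if err := json.Unmarshal(pkgJSON, &pkg); err != nil {
		return nil, err
	}
	var authors []Contact
	for _, p := range append(append([]json.RawMessage{pkg.Author}, pkg.Contributors...), pkg.Maintainers...) {
		if c, ok := parsePerson(p); ok {
			authors = append(authors, c)
		}
	}
	return authors, nil
}
```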

@spiffcs Hello, I'd like to volunteer to work on this issue. Can you please assign this to me?

kyounghunJang · Aug 21 '25 07:08