
Should pom.developer.organization be a candidate fallback for sbom.organization?

Open mathjeff opened this issue 2 years ago • 2 comments

In https://github.com/spdx/spdx-gradle-plugin/issues/38 we're considering whether, if pom.organization is unspecified, perhaps pom.developer.organization should be a possible fallback for sbom.organization.

I think an example pom is:

https://repo1.maven.org/maven2/org/jetbrains/annotations/13.0/annotations-13.0.pom

which contains the text:

<developers>
  <developer>
    <id>JetBrains</id>
    <name>JetBrains Team</name>
    <organization>JetBrains</organization>
    <organizationUrl>http://www.jetbrains.com</organizationUrl>
  </developer>
</developers>

which I think was causing this text to appear in the sbom:

"supplier" : "Person: JetBrains Team"

whereas maybe it would be better to output this text instead:

"supplier" : "Organization: JetBrains"

Perhaps it might make sense for the spdx-maven-plugin to do something similar to what's being considered for the spdx-gradle-plugin here too.

mathjeff, Aug 29 '23 19:08

Thanks @mathjeff for pointing this out. I agree with the general direction the Gradle plugin is using.

Once there is a PR for the Gradle plugin, we can create a similar PR for the Maven plugin.

goneall, Aug 30 '23 16:08

I'm not convinced: why would the first developer's data be promoted like this? Even if we code that algorithm only when there is a unique developer, even there the heuristics sometimes give the result that the component provider would expect and sometimes not; then, if we implement it, I expect the next issue reported to be to "fix" the heuristics.

SBOM seems to be the first time people look at the value they put (or not) for years in their pom.xml: heuristics to try to guess instead of having the owner take his decision is not something I'm really convinced about.

hboutemy, Oct 20 '23 23:10
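As an added example (not code from spdx-maven-plugin or spdx-gradle-plugin), the Python below implements the supplier fallback discussed in this thread over a pom.xml: project organization name first, then the developer's organization, then the developer's name as a Person, otherwise NOASSERTION. Following hboutemy's objection, developer data is only consulted when there is exactly one developer; the unique_developer_only flag, the ordering and the NOASSERTION default are this example's own choices, not the plugin's behaviour. The sample poms are constructed; JETBRAINS_POM wraps the fragment quoted in the issue in a minimal project.

```python
"""Derive an SPDX package supplier string from a Maven pom.xml (example only)."""
import xml.etree.ElementTree as ET

# Constructed sample inputs. JETBRAINS_POM embeds the <developers> block quoted
# in the issue; the other two poms are invented for the remaining branches.
JETBRAINS_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.jetbrains</groupId>
  <artifactId>annotations</artifactId>
  <version>13.0</version>
  <developers>
    <developer>
      <id>JetBrains</id>
      <name>JetBrains Team</name>
      <organization>JetBrains</organization>
      <organizationUrl>http://www.jetbrains.com</organizationUrl>
    </developer>
  </developers>
</project>"""

ORG_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <organization><name>Example Corp</name></organization>
  <developers><developer><name>Someone</name></developer></developers>
</project>"""

MULTI_DEV_POM = """<project>
  <developers>
    <developer><name>Alice</name><organization>Alpha Org</organization></developer>
    <developer><name>Bob</name></developer>
  </developers>
</project>"""

NO_DEV_POM = "<project><artifactId>bare</artifactId></project>"


def _strip_namespaces(root):
    """Drop the POM namespace so XPath-style lookups can use bare element names."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _clean(text):
    """Return stripped text, or None when the element is absent or blank."""
    if text is None:
        return None
    text = text.strip()
    return text or None


def spdx_supplier(pom_xml, unique_developer_only=True):
    """Return an SPDX supplier value ("Organization: X", "Person: X" or NOASSERTION).

    Precedence (this example's choice): project/organization/name, then the
    developer's <organization>, then the developer's <name>. Developer data is
    used only when exactly one developer is declared unless unique_developer_only
    is False, in which case the first developer is taken.
    """
    root = _strip_namespaces(ET.fromstring(pom_xml))

    org = _clean(root.findtext("organization/name"))
    if org:
        return f"Organization: {org}"

    developers = root.findall("developers/developer")
    if not developers:
        return "NOASSERTION"
    if unique_developer_only and len(developers) != 1:
        # Refuse to promote an arbitrary developer when several are listed.
        return "NOASSERTION"

    dev = developers[0]
    dev_org = _clean(dev.findtext("organization"))
    if dev_org:
        return f"Organization: {dev_org}"
    name = _clean(dev.findtext("name"))
    if name:
        return f"Person: {name}"
    return "NOASSERTION"


if __name__ == "__main__":
    for label, pom in [("jetbrains", JETBRAINS_POM), ("org", ORG_POM),
                       ("multi", MULTI_DEV_POM), ("none", NO_DEV_POM)]:
        print(f"{label:10s} -> {spdx_supplier(pom)}")
```

With the JetBrains pom this yields "Organization: JetBrains" rather than "Person: JetBrains Team"; with two developers it yields NOASSERTION unless unique_developer_only is disabled, which is the point hboutemy raises about promoting the first developer.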