
Implement `component.manufacturer`

Status: Open. maennchen opened this issue 3 months ago, 1 comment.

Definition: The organization that created the component (common for automated builds).

Challenge: The config[:package][:organization] field exists but:

  • Rarely used in public packages
  • Indicates ownership/hosting, not necessarily creation
  • Semantically ambiguous

From Hex.pm docs:

package.organization - The organization the package belongs to. The package will be published to the organization repository.

Alternative: Infer from GitHub organization for some cases:

# Map a known GitHub organization in the package links to an OrganizationalEntity;
# anything else yields nil (no manufacturer emitted).
case component[:links]["GitHub"] do
  "https://github.com/dashbitco/" <> _ ->
    bom_struct(:OrganizationalEntity, version, name: "Dashbit")
  _ -> nil
end

Important question: Should we:

  1. Only use explicit organization field (most accurate)
  2. Infer from GitHub URL (more coverage but less accurate)
  3. Leave it out entirely (least ambiguous)

maennchen, Dec 04 '25 13:12
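The three options above side by side, as an added example that is not part of the issue or of the sbom project: a hypothetical `ManufacturerResolver` module that prefers the explicit `organization` field, optionally falls back to a curated GitHub organization map (so an arbitrary URL path segment is never copied into the SBOM as a manufacturer name), or omits the field entirely. The `@github_orgs` map and the `:explicit_only` / `:infer_github` / `:omit` strategy names are assumptions; the issue's `bom_struct/3` call is left out and the resolver only returns the name.

```elixir
defmodule ManufacturerResolver do
  @moduledoc """
  Hypothetical resolver (added example, not sbom's own code) that decides
  what to put into CycloneDX `component.manufacturer` using one of the three
  strategies discussed in the issue.
  """

  # Constructed allow-list: GitHub organization slug -> manufacturer name.
  # Only organizations listed here are ever inferred from a URL.
  @github_orgs %{"dashbitco" => "Dashbit"}

  @doc """
  `package` mirrors `config[:package]` (atom keys), `links` mirrors
  `component[:links]` (string keys). Returns `{:ok, name}` or `:unknown`.
  """
  def resolve(package, links, strategy \\ :explicit_only)

  # Option 1: only the explicit organization field, most accurate.
  def resolve(package, _links, :explicit_only), do: explicit(package)

  # Option 2: explicit field first, then a curated GitHub inference.
  def resolve(package, links, :infer_github) do
    case explicit(package) do
      {:ok, name} -> {:ok, name}
      :unknown -> from_github(links["GitHub"])
    end
  end

  # Option 3: never emit a manufacturer, least ambiguous.
  def resolve(_package, _links, :omit), do: :unknown

  defp explicit(%{organization: org}) when is_binary(org) and org != "", do: {:ok, org}
  defp explicit(_), do: :unknown

  # Take only the first path segment after the host and look it up; an
  # unlisted organization or a non-GitHub link yields :unknown.
  defp from_github("https://github.com/" <> rest) do
    case String.split(rest, "/", parts: 2) do
      [org, _repo] when org != "" -> lookup(org)
      _ -> :unknown
    end
  end

  defp from_github(_), do: :unknown

  defp lookup(org) do
    case Map.fetch(@github_orgs, org) do
      {:ok, name} -> {:ok, name}
      :error -> :unknown
    end
  end
end
```

`ManufacturerResolver.resolve(%{}, %{"GitHub" => "https://github.com/dashbitco/nimble_options"}, :infer_github)` returns `{:ok, "Dashbit"}`, while the same call with `:explicit_only` returns `:unknown`.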