Missing supplier information for component detectors, Example -> Go, Conan etc #775

tarun06 · 2023-09-07T04:29:49Z

tarun06
Sep 7, 2023

Supplier can take information about person, organization or tool. So, Should we add Tool as the supplier information for which detector could not identifies person or organization.

My point is instead of using "NOASSERTION", Adding Tool to the supplier could be meaningful information. May i asked for suggestion?

example ->

Conan detector -> Supplier = "Tool: Conan"
GO detector -> Supplier = "Tool: Golang"

melotic · 2023-09-08T17:33:25Z

melotic
Sep 8, 2023
Collaborator

If I understand this correctly, Supplier is only in SPDX. Maybe this is a better question for SBOM Tool folks?

We can perhaps expose information in the typed component for the supplier of packages, if this helps them.

1 reply

JamieMagee Sep 8, 2023
Collaborator

@tarun06 can you open a discussion at https://github.com/microsoft/sbom-tool if this is the case.

tarun06 · 2023-09-10T05:30:43Z

tarun06
Sep 10, 2023
Author

@JamieMagee @melotic Thanks for correcting me and sharing the SBOM Tool URL.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Missing supplier information for component detectors, Example -> Go, Conan etc #775

{{title}}

Replies: 2 comments 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Missing supplier information for component detectors, Example -> Go, Conan etc #775

tarun06 Sep 7, 2023

Replies: 2 comments · 1 reply

melotic Sep 8, 2023 Collaborator

JamieMagee Sep 8, 2023 Collaborator

tarun06 Sep 10, 2023 Author

tarun06
Sep 7, 2023

Replies: 2 comments 1 reply

melotic
Sep 8, 2023
Collaborator

JamieMagee Sep 8, 2023
Collaborator

tarun06
Sep 10, 2023
Author