interlynk-io/sbomqs

Align Supplier Check with SPDX specification

Closed this issue · 3 comments

Raising this to check if some alignment is possible with [ntia-conformance-checker](https://github.com/spdx/ntia-conformance-checker).

There was an issue raised to align the Supplier/Originator check with SPDX specification.

Extract from that issue,

The NTIA requirements define Supplier as "The name of an entity that creates, defines, and identifies components."
https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf (Page 9)

The SPDX v2.3 spec defines Supplier differently as "the actual distribution source for the package/directory identified in the SPDX document. This might or might not be different from the originating distribution source for the package"

What the NTIA document actually calls for from SPDX is the Originator ("this field identifies from where or whom the package originally came"). https://spdx.github.io/spdx-spec/v2.3/package-information/#76-package-originator-field

The ntia-conformance-checker only checks for the supplier field. The requirement may be satisfied by either the supplier or the originator field in the SPDX spec. Can we please modify the checker to look for both fields?

Some SBOM generation tools like Syft are able to find the Originator value but not the supplier, because the supplier field is not very well defined. Having this check adjusted in sbomqs will help with achieving a better score.
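The relaxed check the issue asks for, as an added illustration that is not sbomqs's or ntia-conformance-checker's own code: a package satisfies the NTIA supplier element if either the SPDX `supplier` or the `originator` field carries a value. The SPDX 2.3 JSON document below is constructed for the example, the function names are hypothetical, and treating `NOASSERTION` as "no value" is an assumption about how the checker should interpret unasserted actor fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// spdxPackage carries only the SPDX 2.3 JSON fields relevant to the NTIA
// supplier element: PackageSupplier ("supplier") and PackageOriginator ("originator").
type spdxPackage struct {
	Name       string `json:"name"`
	SPDXID     string `json:"SPDXID"`
	Supplier   string `json:"supplier"`
	Originator string `json:"originator"`
}

type spdxDocument struct {
	Packages []spdxPackage `json:"packages"`
}

// hasValue reports whether an SPDX actor field carries a usable value.
// "NOASSERTION" is treated as absent (assumption made for this example).
func hasValue(field string) bool {
	v := strings.TrimSpace(field)
	return v != "" && v != "NOASSERTION"
}

// SatisfiesNTIASupplier implements the rule proposed in the issue:
// either PackageSupplier or PackageOriginator is sufficient.
func SatisfiesNTIASupplier(p spdxPackage) bool {
	return hasValue(p.Supplier) || hasValue(p.Originator)
}

// MissingSupplierInfo parses an SPDX 2.3 JSON document and returns the
// SPDXIDs of packages that have neither a supplier nor an originator,
// i.e. the packages a scorer would flag under the relaxed check.
func MissingSupplierInfo(doc []byte) ([]string, error) {
	var d spdxDocument
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	var missing []string
	for _, p := range d.Packages {
		if !SatisfiesNTIASupplier(p) {
			missing = append(missing, p.SPDXID)
		}
	}
	return missing, nil
}

// sampleSPDX is a constructed document for this example, not output of any real tool.
const sampleSPDX = `{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {"name": "liba", "SPDXID": "SPDXRef-liba", "supplier": "Organization: Example Corp"},
    {"name": "libb", "SPDXID": "SPDXRef-libb", "originator": "Person: Jane Doe (jane@example.test)"},
    {"name": "libc", "SPDXID": "SPDXRef-libc", "supplier": "NOASSERTION"},
    {"name": "libd", "SPDXID": "SPDXRef-libd"}
  ]
}`

func main() {
	missing, err := MissingSupplierInfo([]byte(sampleSPDX))
	if err != nil {
		panic(err)
	}
	// libb passes on originator alone; libc and libd are reported.
	fmt.Println("packages lacking supplier/originator:", missing)
}
```

With a supplier-only check, `libb` (originator set by a tool such as Syft, supplier left empty) would be counted as non-compliant; with the combined check only `libc` and `libd` are reported.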

Will take a look in the morning and get back.

@pushkargr thanks for bringing this to our attention, we will fix this for v0.0.16, which is next Thursday.

@pushkargr v0.0.16 has been released.